Source: C:\Windows\java.exe |
Avira: detection malicious, Label: TR/Spy.Banker.Gen |
Source: C:\Users\user\AppData\Local\Temp\services.exe |
Avira: detection malicious, Label: BDS/Backdoor.fszhy |
Source: C:\Users\user\AppData\Local\Temp\tmpF245.tmp |
Avira: detection malicious, Label: TR/Spy.Banker.Gen |
Source: C:\Windows\services.exe |
Avira: detection malicious, Label: BDS/Backdoor.fszhy |
Source: Yara match |
File source: 0.2. .com.exe.500000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 7.2.java.exe.500000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000007.00000002.4568272926.0000000000501000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2204036339.0000000000501000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: .com.exe PID: 3416, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: java.exe PID: 3384, type: MEMORYSTR |
Source: C:\Users\user\Desktop\ .com.exe |
Code function: 0_2_005052AD lstrcat,Sleep,lstrcpy,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose, |
0_2_005052AD |
Source: C:\Windows\java.exe |
Code function: 7_2_005052AD lstrcat,Sleep,lstrcpy,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose, |
7_2_005052AD |
Source: C:\Windows\java.exe |
File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\ |
Jump to behavior |
Source: C:\Windows\java.exe |
File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\ |
Jump to behavior |
Source: C:\Windows\java.exe |
File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\ |
Jump to behavior |
Source: C:\Windows\java.exe |
File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\ |
Jump to behavior |
Source: C:\Windows\java.exe |
File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\ |
Jump to behavior |
Source: C:\Windows\java.exe |
File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\ |
Jump to behavior |
Source: .com.exe, .com.exe, 00000000.00000002.2204036339.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, java.exe, 00000007.00000002.4568272926.0000000000501000.00000040.00000001.01000000.00000007.sdmp |
String found in binary or memory: http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=%s |
Source: .com.exe, 00000000.00000002.2204036339.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, 00000007.00000002.4568272926.0000000000501000.00000040.00000001.01000000.00000007.sdmp |
String found in binary or memory: http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=%s&nbq=%dhttp://www.altavista.c |
Source: .com.exe, .com.exe, 00000000.00000002.2204036339.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, java.exe, 00000007.00000002.4568272926.0000000000501000.00000040.00000001.01000000.00000007.sdmp |
String found in binary or memory: http://search.yahoo.com/search?p=%s&ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab= |
Source: Amcache.hve.6.dr |
String found in binary or memory: http://upx.sf.net |
Source: .com.exe, .com.exe, 00000000.00000002.2204036339.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, java.exe, 00000007.00000002.4568272926.0000000000501000.00000040.00000001.01000000.00000007.sdmp |
String found in binary or memory: http://www.altavista.com/web/results?q=%s&kgs=0&kls=0 |
Source: .com.exe, .com.exe, 00000000.00000002.2204036339.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, java.exe, 00000007.00000002.4568272926.0000000000501000.00000040.00000001.01000000.00000007.sdmp |
String found in binary or memory: http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%s |
Source: .com.exe, 00000000.00000002.2204403538.0000000000668000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://denmark.smartscre_ |
Source: .com.exe, 00000000.00000002.2204403538.0000000000668000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://denmark.smartscre_curlrcom |
Source: .com.exe, 00000000.00000002.2204403538.0000000000668000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://europe.d |
Source: .com.exe, 00000000.00000002.2204403538.0000000000668000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://europe.dbgcreepp |
Source: .com.exe, 00000000.00000002.2204403538.0000000000668000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://southafrica.smartscreen.microsoft |
Source: .com.exe, 00000000.00000002.2204403538.0000000000668000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://southkoreregid.1991-06.com.microsoftza |
Source: .com.exe, 00000000.00000002.2204403538.0000000000668000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://unitedstates1.ss.wd.microsoft.us |
Source: .com.exe, 00000000.00000002.2204403538.000000000061E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://unitedstates2.ss.wd.microsoft.us |
Source: .com.exe, 00000000.00000002.2204403538.0000000000668000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://unitedstates4.ss.wd.microsoft.us |
Source: Yara match |
File source: 0.2. .com.exe.500000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 7.2.java.exe.500000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000007.00000002.4568272926.0000000000501000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2204036339.0000000000501000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: .com.exe PID: 3416, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: java.exe PID: 3384, type: MEMORYSTR |
Source: .com.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
Source: java.exe.0.dr |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
Source: tmpF245.tmp.7.dr |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
Source: C:\Users\user\Desktop\ .com.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\ .com.exe |
Section loaded: ntmarta.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\ .com.exe |
Section loaded: wininet.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\ .com.exe |
Section loaded: iertutil.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\ .com.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\ .com.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\ .com.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\ .com.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\ .com.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\ .com.exe |
Section loaded: ondemandconnroutehelper.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\ .com.exe |
Section loaded: winhttp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\ .com.exe |
Section loaded: iphlpapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\ .com.exe |
Section loaded: mswsock.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\ .com.exe |
Section loaded: winnsi.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: napinsp.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: pnrpnsp.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: wshbth.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: nlaapi.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: iphlpapi.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: mswsock.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: dnsapi.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: winrnr.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: fwpuclnt.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: rasadhlp.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: wininet.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: iertutil.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: ondemandconnroutehelper.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: winhttp.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: winnsi.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: napinsp.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: pnrpnsp.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: wshbth.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: nlaapi.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: iphlpapi.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: mswsock.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: dnsapi.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: winrnr.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: wininet.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: iertutil.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: ondemandconnroutehelper.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: winhttp.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: winnsi.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: ntmarta.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: fwpuclnt.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: rasadhlp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe |
Section loaded: napinsp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe |
Section loaded: pnrpnsp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe |
Section loaded: wshbth.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe |
Section loaded: nlaapi.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe |
Section loaded: iphlpapi.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe |
Section loaded: mswsock.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe |
Section loaded: dnsapi.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe |
Section loaded: winrnr.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe |
Section loaded: fwpuclnt.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe |
Section loaded: rasadhlp.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: napinsp.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: pnrpnsp.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: wshbth.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: nlaapi.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: iphlpapi.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: mswsock.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: dnsapi.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: winrnr.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: fwpuclnt.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: rasadhlp.dll |
Jump to behavior |
Source: .com.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
Source: java.exe.0.dr |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
Source: tmpF245.tmp.7.dr |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
Source: unknown |
Process created: C:\Users\user\Desktop\ .com.exe C:\Users\user\Desktop\ .com.exe |
|
Source: C:\Users\user\Desktop\ .com.exe |
Process created: C:\Windows\services.exe C:\Windows\services.exe |
|
Source: C:\Users\user\Desktop\ .com.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 1188 |
|
Source: unknown |
Process created: C:\Windows\java.exe "C:\Windows\java.exe" |
|
Source: C:\Windows\java.exe |
Process created: C:\Users\user\AppData\Local\Temp\services.exe C:\Users\user\AppData\Local\Temp\services.exe |
|
Source: unknown |
Process created: C:\Windows\services.exe "C:\Windows\services.exe" |
|
Source: C:\Users\user\Desktop\ .com.exe |
Process created: C:\Windows\services.exe C:\Windows\services.exe |
Jump to behavior |
Source: C:\Windows\java.exe |
Process created: C:\Users\user\AppData\Local\Temp\services.exe C:\Users\user\AppData\Local\Temp\services.exe |
Jump to behavior |
Source: C:\Users\user\Desktop\ .com.exe |
Code function: 0_2_0050A42D push ds; ret |
0_2_0050A42E |
Source: C:\Users\user\Desktop\ .com.exe |
Code function: 0_2_0050DEA6 push ds; ret |
0_2_0050DEBE |
Source: C:\Users\user\Desktop\ .com.exe |
Code function: 0_2_0050A501 push ecx; retf |
0_2_0050A53F |
Source: C:\Users\user\Desktop\ .com.exe |
Code function: 0_2_0050A50F push ecx; retf |
0_2_0050A53F |
Source: C:\Users\user\Desktop\ .com.exe |
Code function: 0_2_00509BA2 push edx; retf |
0_2_00509BAB |
Source: C:\Windows\services.exe |
Code function: 1_2_00405A55 push es; iretd |
1_2_00405A8E |
Source: C:\Windows\java.exe |
Code function: 7_2_0050A42D push ds; ret |
7_2_0050A42E |
Source: C:\Windows\java.exe |
Code function: 7_2_0050DEA6 push ds; ret |
7_2_0050DEBE |
Source: C:\Windows\java.exe |
Code function: 7_2_0050A501 push ecx; retf |
7_2_0050A53F |
Source: C:\Windows\java.exe |
Code function: 7_2_0050A50F push ecx; retf |
7_2_0050A53F |
Source: C:\Windows\java.exe |
Code function: 7_2_00509BA2 push edx; retf |
7_2_00509BAB |
Source: initial sample |
Static PE information: section name: UPX0 |
Source: initial sample |
Static PE information: section name: UPX1 |
Source: initial sample |
Static PE information: section name: UPX0 |
Source: initial sample |
Static PE information: section name: UPX1 |
Source: initial sample |
Static PE information: section name: UPX0 |
Source: initial sample |
Static PE information: section name: UPX1 |
Source: initial sample |
Static PE information: section name: UPX0 |
Source: initial sample |
Static PE information: section name: UPX1 |
Source: initial sample |
Static PE information: section name: UPX0 |
Source: initial sample |
Static PE information: section name: UPX1 |
Source: C:\Users\user\Desktop\ .com.exe |
Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run JavaVM |
Jump to behavior |
Source: C:\Users\user\Desktop\ .com.exe |
Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run JavaVM |
Jump to behavior |
Source: C:\Windows\services.exe |
Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Services |
Jump to behavior |
Source: C:\Windows\services.exe |
Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Services |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\ .com.exe TID: 5536 |
Thread sleep time: -48000s >= -30000s |
Jump to behavior |
Source: C:\Windows\services.exe TID: 6480 |
Thread sleep count: 2844 > 30 |
Jump to behavior |
Source: C:\Windows\java.exe TID: 3328 |
Thread sleep count: 1778 > 30 |
Jump to behavior |
Source: C:\Windows\java.exe TID: 3328 |
Thread sleep time: -1422400s >= -30000s |
Jump to behavior |
Source: C:\Windows\java.exe TID: 2612 |
Thread sleep count: 43 > 30 |
Jump to behavior |
Source: C:\Windows\java.exe TID: 2612 |
Thread sleep count: 258 > 30 |
Jump to behavior |
Source: C:\Windows\java.exe TID: 3328 |
Thread sleep count: 7290 > 30 |
Jump to behavior |
Source: C:\Windows\java.exe TID: 3328 |
Thread sleep time: -5832000s >= -30000s |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 3524 |
Thread sleep count: 7518 > 30 |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 3524 |
Thread sleep time: -1879500s >= -30000s |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 3524 |
Thread sleep count: 2480 > 30 |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 3524 |
Thread sleep time: -620000s >= -30000s |
Jump to behavior |
Source: C:\Windows\services.exe TID: 6768 |
Thread sleep count: 9950 > 30 |
Jump to behavior |
Source: C:\Windows\services.exe TID: 6768 |
Thread sleep time: -2487500s >= -30000s |
Jump to behavior |
Source: C:\Windows\services.exe TID: 6768 |
Thread sleep count: 48 > 30 |
Jump to behavior |
Source: C:\Users\user\Desktop\ .com.exe |
Code function: 0_2_005052AD lstrcat,Sleep,lstrcpy,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose, |
0_2_005052AD |
Source: C:\Windows\java.exe |
Code function: 7_2_005052AD lstrcat,Sleep,lstrcpy,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose, |
7_2_005052AD |
Source: C:\Windows\java.exe |
File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\ |
Jump to behavior |
Source: C:\Windows\java.exe |
File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\ |
Jump to behavior |
Source: C:\Windows\java.exe |
File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\ |
Jump to behavior |
Source: C:\Windows\java.exe |
File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\ |
Jump to behavior |
Source: C:\Windows\java.exe |
File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\ |
Jump to behavior |
Source: C:\Windows\java.exe |
File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\ |
Jump to behavior |
Source: Amcache.hve.6.dr |
Binary or memory string: VMware |
Source: Amcache.hve.6.dr |
Binary or memory string: VMware Virtual USB Mouse |
Source: Amcache.hve.6.dr |
Binary or memory string: vmci.syshbin |
Source: Amcache.hve.6.dr |
Binary or memory string: VMware, Inc. |
Source: Amcache.hve.6.dr |
Binary or memory string: VMware20,1hbin@ |
Source: Amcache.hve.6.dr |
Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563 |
Source: Amcache.hve.6.dr |
Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: Amcache.hve.6.dr |
Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys |
Source: Amcache.hve.6.dr |
Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20 |
Source: Amcache.hve.6.dr |
Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Amcache.hve.6.dr |
Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev |
Source: Amcache.hve.6.dr |
Binary or memory string: c:/windows/system32/drivers/vmci.sys |
Source: Amcache.hve.6.dr |
Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: services.exe, 00000001.00000002.4568799988.0000000000812000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.4570438309.000000000088E000.00000004.00000020.00020000.00000000.sdmp, services.exe, 00000009.00000002.4568741820.0000000000800000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: Amcache.hve.6.dr |
Binary or memory string: vmci.sys |
Source: Amcache.hve.6.dr |
Binary or memory string: vmci.syshbin` |
Source: Amcache.hve.6.dr |
Binary or memory string: \driver\vmci,\driver\pci |
Source: services.exe, 00000008.00000002.4568761248.0000000000812000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln |
Source: Amcache.hve.6.dr |
Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Amcache.hve.6.dr |
Binary or memory string: VMware20,1 |
Source: Amcache.hve.6.dr |
Binary or memory string: Microsoft Hyper-V Generation Counter |
Source: Amcache.hve.6.dr |
Binary or memory string: NECVMWar VMware SATA CD00 |
Source: Amcache.hve.6.dr |
Binary or memory string: VMware Virtual disk SCSI Disk Device |
Source: Amcache.hve.6.dr |
Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom |
Source: Amcache.hve.6.dr |
Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk |
Source: Amcache.hve.6.dr |
Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver |
Source: Amcache.hve.6.dr |
Binary or memory string: VMware PCI VMCI Bus Device |
Source: Amcache.hve.6.dr |
Binary or memory string: VMware VMCI Bus Device |
Source: Amcache.hve.6.dr |
Binary or memory string: VMware Virtual RAM |
Source: Amcache.hve.6.dr |
Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1 |
Source: .com.exe, 00000000.00000002.2204403538.000000000061E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllD |
Source: Amcache.hve.6.dr |
Binary or memory string: vmci.inf_amd64_68ed49469341f563 |
Source: C:\Users\user\Desktop\ .com.exe |
Code function: 0_2_0050311C FindWindowA,FindWindowA,FindWindowA,FindWindowA,RtlExitUserThread, |
0_2_0050311C |
Source: C:\Windows\java.exe |
Code function: 7_2_0050311C FindWindowA,FindWindowA,FindWindowA,FindWindowA,RtlExitUserThread,GetModuleHandleA,GetProcAddress, |
7_2_0050311C |
Source: C:\Windows\services.exe |
Code function: 1_2_00401F0E GetProcessHeap,RtlAllocateHeap,htons,htons,socket,closesocket,Sleep,htons,socket,bind,listen,CreateThread,select,Sleep,GetProcessHeap,RtlAllocateHeap,accept,closesocket,accept,GetProcessHeap,HeapFree,CreateThread,CloseHandle, |
1_2_00401F0E |