Click to jump to signature section
Source: SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, BYTES_REVERSED_LO, 32BIT_MACHINE, DEBUG_STRIPPED, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP, BYTES_REVERSED_HI |
Source: Amcache.hve.4.dr | String found in binary or memory: http://upx.sf.net |
Source: SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | String found in binary or memory: http://www.clamav.net |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Code function: 0_2_004462EC | 0_2_004462EC |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Code function: 0_2_0044B4B8 | 0_2_0044B4B8 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Code function: String function: 0040439C appears 69 times | |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Code function: String function: 00406434 appears 61 times | |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6532 -s 232 |
Source: SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Static PE information: No import functions for PE file found |
Source: SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, BYTES_REVERSED_LO, 32BIT_MACHINE, DEBUG_STRIPPED, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP, BYTES_REVERSED_HI |
Source: SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Static PE information: Section .clam01 |
Source: classification engine | Classification label: mal60.winEXE@2/5@0/0 |
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6532 |
Source: SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Virustotal: Detection: 32% |
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe" |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6532 -s 232 |
Source: SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Static PE information: section name: .clam01 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Code function: 0_2_00424084 push 004240B0h; ret | 0_2_004240A8 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Code function: 0_2_00426168 push 004261ABh; ret | 0_2_004261A3 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Code function: 0_2_0041610C push ecx; mov dword ptr [esp], edx | 0_2_0041610E |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Code function: 0_2_004261CC push 00426218h; ret | 0_2_00426210 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Code function: 0_2_00406198 push 004061C4h; ret | 0_2_004061BC |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Code function: 0_2_0042627C push 004262A8h; ret | 0_2_004262A0 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Code function: 0_2_00406210 push 0040623Ch; ret | 0_2_00406234 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Code function: 0_2_00426224 push 0042626Fh; ret | 0_2_00426267 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Code function: 0_2_00422298 push 004222C4h; ret | 0_2_004222BC |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Code function: 0_2_0042238C push 004223B8h; ret | 0_2_004223B0 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Code function: 0_2_004263B4 push 0042642Ah; ret | 0_2_00426422 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Code function: 0_2_0042C49C push 0042C4C8h; ret | 0_2_0042C4C0 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Code function: 0_2_0042C604 push 0042C630h; ret | 0_2_0042C628 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Code function: 0_2_00410846 push 004108BEh; ret | 0_2_004108B6 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Code function: 0_2_00410848 push 004108BEh; ret | 0_2_004108B6 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Code function: 0_2_00440824 push 00440850h; ret | 0_2_00440848 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Code function: 0_2_004108C0 push 00410968h; ret | 0_2_00410960 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Code function: 0_2_0041A932 push 0041A9DFh; ret | 0_2_0041A9D7 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Code function: 0_2_0041A934 push 0041A9DFh; ret | 0_2_0041A9D7 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Code function: 0_2_0041A9E4 push 0041AA74h; ret | 0_2_0041AA6C |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Code function: 0_2_00410A6C push 00410A98h; ret | 0_2_00410A90 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Code function: 0_2_00424A78 push 00424AA4h; ret | 0_2_00424A9C |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Code function: 0_2_00424A08 push 00424A57h; ret | 0_2_00424A4F |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Code function: 0_2_00424AE8 push 00424B14h; ret | 0_2_00424B0C |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Code function: 0_2_00424AB0 push 00424ADCh; ret | 0_2_00424AD4 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Code function: 0_2_00422B4C push 00422B78h; ret | 0_2_00422B70 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Code function: 0_2_00424B58 push 00424B84h; ret | 0_2_00424B7C |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Code function: 0_2_00422B0C push 00422B38h; ret | 0_2_00422B30 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Code function: 0_2_00424B20 push 00424B4Ch; ret | 0_2_00424B44 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Code function: 0_2_00424BC8 push 00424BF4h; ret | 0_2_00424BEC |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe | Code function: 0_2_00412BE4 push ecx; mov dword ptr [esp], edx | 0_2_00412BE9 |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: Amcache.hve.4.dr | Binary or memory string: VMware |
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual USB Mouse |
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin |
Source: Amcache.hve.4.dr | Binary or memory string: VMware, Inc. |
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1hbin@ |
Source: Amcache.hve.4.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563 |
Source: Amcache.hve.4.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: Amcache.hve.4.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys |
Source: Amcache.hve.4.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Amcache.hve.4.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev |
Source: Amcache.hve.4.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys |
Source: Amcache.hve.4.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: Amcache.hve.4.dr | Binary or memory string: vmci.sys |
Source: Amcache.hve.4.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0 |
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin` |
Source: Amcache.hve.4.dr | Binary or memory string: \driver\vmci,\driver\pci |
Source: Amcache.hve.4.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1 |
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Generation Counter |
Source: Amcache.hve.4.dr | Binary or memory string: NECVMWar VMware SATA CD00 |
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device |
Source: Amcache.hve.4.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom |
Source: Amcache.hve.4.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk |
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver |
Source: Amcache.hve.4.dr | Binary or memory string: VMware PCI VMCI Bus Device |
Source: Amcache.hve.4.dr | Binary or memory string: VMware VMCI Bus Device |
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual RAM |
Source: Amcache.hve.4.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1 |
Source: Amcache.hve.4.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563 |
Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe |
Source: Amcache.hve.4.dr | Binary or memory string: msmpeng.exe |
Source: Amcache.hve.4.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe |
Source: Amcache.hve.4.dr | Binary or memory string: MsMpEng.exe |