Source: 2760000.netprovfw.exe |
Avira: detected |
Source: 2760000.netprovfw.exe |
Virustotal: Detection: 50% |
Source: 2760000.netprovfw.exe |
ReversingLabs: Detection: 79% |
Source: 2760000.netprovfw.exe |
Joe Sandbox ML: detected |
Source: 2760000.netprovfw.exe |
Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE |
Source: 2760000.netprovfw.exe |
Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NO_ISOLATION, NX_COMPAT |
Source: C:\Users\user\Desktop\2760000.netprovfw.exe |
Code function: 0_2_02763A10 _snwprintf,FindNextFileW,_snwprintf,FindFirstFileW, |
0_2_02763A10 |
Source: 2760000.netprovfw.exe, 00000000.00000002.215076314.000000000076A000.00000004.00000020.sdmp |
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
|
Source: Yara match |
File source: 2760000.netprovfw.exe, type: SAMPLE |
Source: Yara match |
File source: 00000000.00000002.215311677.0000000002761000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000000.206372217.0000000002761000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 0.0.2760000.netprovfw.exe.2760000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.2760000.netprovfw.exe.2760000.0.unpack, type: UNPACKEDPE |
Source: C:\Users\user\Desktop\2760000.netprovfw.exe |
Code function: 0_2_02761C70 |
0_2_02761C70 |
Source: C:\Users\user\Desktop\2760000.netprovfw.exe |
Code function: 0_2_02767590 |
0_2_02767590 |
Source: C:\Users\user\Desktop\2760000.netprovfw.exe |
Code function: 0_2_02768180 |
0_2_02768180 |
Source: unknown |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 640 |
Source: 2760000.netprovfw.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: 2760000.netprovfw.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: 2760000.netprovfw.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: 2760000.netprovfw.exe |
Static PE information: No import functions for PE file found |
Source: classification engine |
Classification label: mal68.troj.winEXE@2/4@0/0 |
Source: C:\Windows\SysWOW64\WerFault.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3636 |
Source: C:\Windows\SysWOW64\WerFault.exe |
File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF5C6.tmp |
Source: 2760000.netprovfw.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\2760000.netprovfw.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\SysWOW64\WerFault.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: unknown |
Process created: C:\Users\user\Desktop\2760000.netprovfw.exe 'C:\Users\user\Desktop\2760000.netprovfw.exe' |
Source: 2760000.netprovfw.exe |
Static PE information: real checksum: 0x59bfd should be: 0x6199f |
Source: C:\Users\user\Desktop\2760000.netprovfw.exe |
Code function: 0_2_02765D70 push ecx; mov dword ptr [esp], 00008067h |
0_2_02765D71 |
Source: C:\Users\user\Desktop\2760000.netprovfw.exe |
Code function: 0_2_02765F70 push ecx; mov dword ptr [esp], 000084ADh |
0_2_02765F71 |
Source: C:\Users\user\Desktop\2760000.netprovfw.exe |
Code function: 0_2_02765E70 push ecx; mov dword ptr [esp], 00008D73h |
0_2_02765E71 |
Source: C:\Users\user\Desktop\2760000.netprovfw.exe |
Code function: 0_2_02765E40 push ecx; mov dword ptr [esp], 0000AEA2h |
0_2_02765E41 |
Source: C:\Users\user\Desktop\2760000.netprovfw.exe |
Code function: 0_2_02765D30 push ecx; mov dword ptr [esp], 00002C7Ch |
0_2_02765D31 |
Source: C:\Users\user\Desktop\2760000.netprovfw.exe |
Code function: 0_2_02765F20 push ecx; mov dword ptr [esp], 0000E2ADh |
0_2_02765F21 |
Source: C:\Users\user\Desktop\2760000.netprovfw.exe |
Code function: 0_2_02765D00 push ecx; mov dword ptr [esp], 000021B4h |
0_2_02765D01 |
Source: C:\Users\user\Desktop\2760000.netprovfw.exe |
Code function: 0_2_02765DE0 push ecx; mov dword ptr [esp], 000025AAh |
0_2_02765DE1 |
Source: C:\Users\user\Desktop\2760000.netprovfw.exe |
Code function: 0_2_02765FB0 push ecx; mov dword ptr [esp], 0000460Eh |
0_2_02765FB1 |
Source: C:\Users\user\Desktop\2760000.netprovfw.exe |
Code function: 0_2_02765EA0 push ecx; mov dword ptr [esp], 00007473h |
0_2_02765EA1 |
Source: C:\Users\user\Desktop\2760000.netprovfw.exe |
Code function: 0_2_02765DA0 push ecx; mov dword ptr [esp], 000036B8h |
0_2_02765DA1 |
Source: initial sample |
Static PE information: section name: .text entropy: 6.84651766717 |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\2760000.netprovfw.exe |
Process queried: DebugPort |
Source: C:\Users\user\Desktop\2760000.netprovfw.exe |
Code function: 0_2_02763F70 mov eax, dword ptr fs:[00000030h] |
0_2_02763F70 |
Source: C:\Users\user\Desktop\2760000.netprovfw.exe |
Code function: 0_2_02764E10 mov eax, dword ptr fs:[00000030h] |
0_2_02764E10 |