Source: 00000000.00000002.254756698.00000000128D1000.00000004.00000001.sdmp
Malware Configuration Extractor: FormBook {"C2 list": ["www.narrowpathwc.com/n8ba/"], "decoy": ["thefitflect.com", "anytourist.com", "blggz.xyz", "ascope.club", "obyeboss.com", "braun-mathematik.online", "mtsnurulislamsby.com", "jwpropertiestn.com", "animalds.com", "cunerier.com", "sillysocklife.com", "shopliyonamaaghin.net", "theredcymbalsco.com", "lostbikeproject.com", "ryggoqlmga.club", "realestatetriggers.com", "luvlauricephotography.com", "cheesehome.cloud", "5fashionfix.net", "wata-6-rwem.net", "ominvestment.net", "rrinuwsq643do2.xyz", "teamtacozzzz.com", "newjerseyreosales.com", "theresahovo.com", "wowmovies.today", "77k6tgikpbs39.net", "americagoldenwheels.com", "digitaladbasket.com", "gcagame.com", "arielatkins.net", "2020coaches.com", "effthisshit.com", "nycabl.com", "fbvanminh.com", "lovebirdsgifts.com", "anxietyxpill.com", "recaptcha-lnc.com", "aprendelspr.com", "expatinsur.com", "backtothesimplethings.com", "pcf-it.services", "wintonplaceoh.com", "designermotherhood.com", "naamt.com", "lifestylebykendra.com", "thehighstatusemporium.com", "oneninelacrosse.com", "mariasmoworldwide.com", "kitesurf-piraten.net", "atelierbond.com", "mynjelderlaw.com", "moucopia.com", "hauhome.club", "imroundtable.com", "thralink.com", "baoequities.com", "nassy.cloud", "goldenstatelabradoodles.com", "revenueremedyintensive.com", "dfendglobal.com", "pugliaandgastronomy.com", "cypios.net", "trinioware.com"]}
Source: C:\Users\user\AppData\Roaming\mtBGJEC.exe
Virustotal: Detection: 39%
Source: C:\Users\user\AppData\Roaming\mtBGJEC.exe
ReversingLabs: Detection: 44%
Source: Order Items.exe
Virustotal: Detection: 39%
Source: Order Items.exe
ReversingLabs: Detection: 44%
Source: Yara match
File source: 00000000.00000002.254756698.00000000128D1000.00000004.00000001.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Roaming\mtBGJEC.exe
Joe Sandbox ML: detected
Source: Order Items.exe
Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Malware configuration extractor
URLs: www.narrowpathwc.com/n8ba/
Source: unknown
TCP traffic detected without corresponding DNS query: 20.82.209.183
Source: unknown
TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown
TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown
TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown
TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown
TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown
TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown
TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown
TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown
TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown
TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown
TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown
TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown
TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown
TCP traffic detected without corresponding DNS query: 51.103.5.186
Source: unknown
TCP traffic detected without corresponding DNS query: 51.103.5.186
Source: unknown
TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown
TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown
TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown
TCP traffic detected without corresponding DNS query: 40.126.31.141
Source: unknown
TCP traffic detected without corresponding DNS query: 40.126.31.141
Source: unknown
TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown
TCP traffic detected without corresponding DNS query: 40.126.31.141
Source: unknown
TCP traffic detected without corresponding DNS query: 40.126.31.141
Source: unknown
TCP traffic detected without corresponding DNS query: 40.126.31.141
Source: unknown
TCP traffic detected without corresponding DNS query: 40.126.31.141
Source: unknown
TCP traffic detected without corresponding DNS query: 40.126.31.141
Source: unknown
TCP traffic detected without corresponding DNS query: 40.126.31.141
Source: unknown
TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown
TCP traffic detected without corresponding DNS query: 51.103.5.186
Source: unknown
TCP traffic detected without corresponding DNS query: 51.103.5.186
Source: unknown
TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: Order Items.exe, 00000000.00000002.251271345.00000000028C1000.00000004.00000001.sdmp
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: unknown
Network traffic detected: HTTP traffic on port 443 -> 49676
Source: unknown
Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown
Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown
Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown
Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown
Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown
Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown
Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown
Network traffic detected: HTTP traffic on port 443 -> 49680
Source: unknown
Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown
Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown
Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown
Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown
Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown
Network traffic detected: HTTP traffic on port 49680 -> 443
Source: Yara match
File source: 00000000.00000002.254756698.00000000128D1000.00000004.00000001.sdmp, type: MEMORY
Source: 00000000.00000002.254756698.00000000128D1000.00000004.00000001.sdmp, type: MEMORY
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.254756698.00000000128D1000.00000004.00000001.sdmp, type: MEMORY
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: initial sample
Static PE information: Filename: Order Items.exe
Source: C:\Users\user\Desktop\Order Items.exe
Code function: 0_2_00007FFF30155076
0_2_00007FFF30155076
Source: Order Items.exe, 00000000.00000002.250797027.0000000000A9C000.00000004.00000020.sdmp
Binary or memory string: OriginalFilenameclr.dllT vs Order Items.exe
Source: Order Items.exe, 00000000.00000002.258881968.000000001B300000.00000002.00000001.sdmp
Binary or memory string: System.OriginalFileName vs Order Items.exe
Source: Order Items.exe, 00000000.00000002.250490915.0000000000516000.00000002.00020000.sdmp
Binary or memory string: OriginalFilenameNonEventAttribu.exe6 vs Order Items.exe
Source: Order Items.exe, 00000000.00000002.251271345.00000000028C1000.00000004.00000001.sdmp
Binary or memory string: OriginalFilenameConfigNodeType.dll> vs Order Items.exe
Source: Order Items.exe, 00000000.00000002.258978676.000000001B370000.00000004.00000001.sdmp
Binary or memory string: OriginalFilenameStoreElement.dllB vs Order Items.exe
Source: Order Items.exe, 00000000.00000002.251053555.00000000027C0000.00000002.00000001.sdmp
Binary or memory string: OriginalFilenamemscorrc.dllT vs Order Items.exe
Source: Order Items.exe, 00000000.00000002.259102875.000000001B410000.00000002.00000001.sdmp
Binary or memory string: originalfilename vs Order Items.exe
Source: Order Items.exe, 00000000.00000002.259102875.000000001B410000.00000002.00000001.sdmp
Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Order Items.exe
Source: Order Items.exe
Binary or memory string: OriginalFilenameNonEventAttribu.exe6 vs Order Items.exe
Source: 00000000.00000002.254756698.00000000128D1000.00000004.00000001.sdmp, type: MEMORY
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.254756698.00000000128D1000.00000004.00000001.sdmp, type: MEMORY
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Order Items.exe
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: mtBGJEC.exe.0.dr
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine
Classification label: mal100.troj.evad.winEXE@14/4@0/0
Source: C:\Users\user\Desktop\Order Items.exe
File created: C:\Users\user\AppData\Roaming\mtBGJEC.exe
Source: C:\Users\user\Desktop\Order Items.exe
Mutant created: \Sessions\1\BaseNamedObjects\wzGlwWLiyewwxNUGilgIfTbqP
Source: C:\Windows\System32\conhost.exe
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2268:120:WilError_01
Source: C:\Users\user\Desktop\Order Items.exe
File created: C:\Users\user\AppData\Local\Temp\tmp1086.tmp
Source: Order Items.exe
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Order Items.exe
Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Order Items.exe
File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Order Items.exe
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Order Items.exe
Virustotal: Detection: 39%
Source: Order Items.exe
ReversingLabs: Detection: 44%
Source: C:\Users\user\Desktop\Order Items.exe
File read: C:\Users\user\Desktop\Order Items.exe
Source: unknown
Process created: C:\Users\user\Desktop\Order Items.exe 'C:\Users\user\Desktop\Order Items.exe'
Source: C:\Users\user\Desktop\Order Items.exe
Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mtBGJEC' /XML 'C:\Users\user\AppData\Local\Temp\tmp1086.tmp'
Source: C:\Windows\System32\schtasks.exe
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order Items.exe
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\Order Items.exe
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\Order Items.exe
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\Order Items.exe
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\Order Items.exe
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\Order Items.exe
Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mtBGJEC' /XML 'C:\Users\user\AppData\Local\Temp\tmp1086.tmp'
Source: C:\Users\user\Desktop\Order Items.exe
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\Order Items.exe
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\Order Items.exe
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\Order Items.exe
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\Order Items.exe
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\Order Items.exe
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\Order Items.exe
File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Order Items.exe
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Order Items.exe
Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\Order Items.exe
Code function: 0_2_0046991C push 72060001h; retf
0_2_00469922
Source: C:\Users\user\Desktop\Order Items.exe
Code function: 0_2_00007FFF30157713 push ebx; retf
0_2_00007FFF3015771A
Source: C:\Users\user\Desktop\Order Items.exe
Code function: 0_2_00007FFF30157F17 push ebx; ret
0_2_00007FFF30157F1A
Source: initial sample
Static PE information: section name: .text entropy: 7.43608385702
Source: initial sample
Static PE information: section name: .text entropy: 7.43608385702
Source: C:\Users\user\Desktop\Order Items.exe
File created: C:\Users\user\AppData\Roaming\mtBGJEC.exe
Source: C:\Users\user\Desktop\Order Items.exe
Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mtBGJEC' /XML 'C:\Users\user\AppData\Local\Temp\tmp1086.tmp'
Source: C:\Users\user\Desktop\Order Items.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order Items.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order Items.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order Items.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order Items.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order Items.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order Items.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order Items.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order Items.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order Items.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order Items.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order Items.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order Items.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order Items.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order Items.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order Items.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order Items.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order Items.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order Items.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order Items.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order Items.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order Items.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order Items.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order Items.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order Items.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order Items.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order Items.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order Items.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order Items.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order Items.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order Items.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order Items.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order Items.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order Items.exe
Process information set: NOOPENFILEERRORBOX
Source: Yara match
File source: 00000000.00000002.253582851.0000000002C69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match
File source: Process Memory Space: Order Items.exe PID: 2772, type: MEMORYSTR
Source: Order Items.exe, 00000000.00000002.253582851.0000000002C69000.00000004.00000001.sdmp
Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Order Items.exe, 00000000.00000002.253582851.0000000002C69000.00000004.00000001.sdmp
Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\Order Items.exe
Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Order Items.exe TID: 6076
Thread sleep time: -42276s >= -30000s
Source: C:\Users\user\Desktop\Order Items.exe TID: 5720
Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe
Last function: Thread delayed
Source: C:\Users\user\Desktop\Order Items.exe
Thread delayed: delay time: 42276
Source: C:\Users\user\Desktop\Order Items.exe
Thread delayed: delay time: 922337203685477
Source: Order Items.exe, 00000000.00000002.253582851.0000000002C69000.00000004.00000001.sdmp
Binary or memory string: vmware
Source: Order Items.exe, 00000000.00000002.253582851.0000000002C69000.00000004.00000001.sdmp
Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Order Items.exe, 00000000.00000002.253582851.0000000002C69000.00000004.00000001.sdmp
Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Order Items.exe, 00000000.00000002.253582851.0000000002C69000.00000004.00000001.sdmp
Binary or memory string: VMWARE
Source: Order Items.exe, 00000000.00000002.253582851.0000000002C69000.00000004.00000001.sdmp
Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Order Items.exe, 00000000.00000002.253582851.0000000002C69000.00000004.00000001.sdmp
Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Order Items.exe, 00000000.00000002.253582851.0000000002C69000.00000004.00000001.sdmp
Binary or memory string: VMware SVGA II
Source: Order Items.exe, 00000000.00000002.253582851.0000000002C69000.00000004.00000001.sdmp
Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\Desktop\Order Items.exe
Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Order Items.exe
Process token adjusted: Debug
Source: C:\Users\user\Desktop\Order Items.exe
Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Order Items.exe
Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mtBGJEC' /XML 'C:\Users\user\AppData\Local\Temp\tmp1086.tmp'
Source: C:\Users\user\Desktop\Order Items.exe
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\Order Items.exe
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\Order Items.exe
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\Order Items.exe
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\Order Items.exe
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\Order Items.exe
Queries volume information: C:\Users\user\Desktop\Order Items.exe VolumeInformation
Source: C:\Users\user\Desktop\Order Items.exe
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Yara match
File source: 00000000.00000002.254756698.00000000128D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match
File source: 00000000.00000002.254756698.00000000128D1000.00000004.00000001.sdmp, type: MEMORY