Source: unknown |
HTTPS traffic detected: 149.28.253.196:443 -> 192.168.2.7:49736 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 5.9.162.45:443 -> 192.168.2.7:49737 version: TLS 1.2 |
Source: duLT5gkRjy.exe |
Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: C:\Users\user\Desktop\duLT5gkRjy.exe |
DNS query: name: iplogger.org |
Source: Joe Sandbox View |
IP Address: 149.28.253.196 |
Source: Joe Sandbox View |
IP Address: 5.9.162.45 |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Host: www.listincode.com Cache-Control: no-cache |
Source: global traffic |
HTTP traffic detected: GET /1GWfv7 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Host: iplogger.org Cache-Control: no-cache |
Source: unknown |
Network traffic detected: HTTP traffic on port 49736 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49737 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49736 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49737 -> 443 |
Source: duLT5gkRjy.exe |
String found in binary or memory: http://ngdatas.pw/ |
Source: duLT5gkRjy.exe |
String found in binary or memory: http://ngdatas.pw/https://www.listincode.com/0.0.0.0%d.%d.%d.%dhttp-1ZIP |
Source: Amcache.hve.3.dr |
String found in binary or memory: http://upx.sf.net |
Source: duLT5gkRjy.exe |
String found in binary or memory: http://www.channelinfo.pw/index.php/Home/Index/getExe |
Source: duLT5gkRjy.exe |
String found in binary or memory: http://www.channelinfo.pw/index.php/Home/Index/getExeidnameexe_urlexe_namerun_valuecountry_codeaband |
Source: duLT5gkRjy.exe |
String found in binary or memory: http://www.ecgbg.com |
Source: duLT5gkRjy.exe |
String found in binary or memory: http://www.ecgbg.com/Home/Index/getdata |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/143up7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/14Jup7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/14Qju7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/14ePy7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/169Bx7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/16ajh7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/16xjh7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1746b7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1756b7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/19iM77 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1BBCf7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1CDGu7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1CUGu7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1Cr3a7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1DE477 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1G7Sc7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1GWfv7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1GaLz7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1Gbzj7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1Gczj7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1Ghzj7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1GiLz7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1Gjzj7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1H3Fa7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1KyTy7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1O2BH |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1OXFG |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1OZVH |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1OhAG |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1Pdet7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1RWXp7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1SWks7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1Smzs7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1Sxzs7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1T79i7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1T89i7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1TBch7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1TCch7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1TW3i7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1TXch7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1Tkij7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1UKG97 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1UpU57 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1Uts87 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1X8M97 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1XJq97 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1XKq97 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1XSq97 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1Z7qd7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1aaVp7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1b4887 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1bV787 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1fHtp7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1lcZz |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1mxKf7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1pdxr7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1q6Jt7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1rDMq7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1rDMq785https://iplogger.org/1rd8N686https://iplogger.org/1spuy788https://iplog |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1rd8N6 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1rqRg7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1s4qp7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1s5qp7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1spuy7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1uS4i7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1uW6i7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1wnqn7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1x5bg7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://iplogger.org/1yXwr7 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://prntscr.com/upload.php |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://prntscr.com/upload.phphttps://prntscr.com/upload.php |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://sm.ms/api/v2/upload?inajax=1 |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://www.amazon.com/ |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://www.aol.com |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://www.google.com |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://www.google.com/search?q=admob&oq=admob |
Source: duLT5gkRjy.exe |
String found in binary or memory: https://www.listincode.com/ |
Source: C:\Users\user\Desktop\duLT5gkRjy.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 1932 |
Source: C:\Users\user\Desktop\duLT5gkRjy.exe |
Code function: 1_2_0144095E |
Source: C:\Users\user\Desktop\duLT5gkRjy.exe |
Code function: 1_2_013665C0 |
Source: C:\Users\user\Desktop\duLT5gkRjy.exe |
Code function: 1_2_0135A460 |
Source: C:\Users\user\Desktop\duLT5gkRjy.exe |
Code function: 1_2_014428C0 |
Source: C:\Users\user\Desktop\duLT5gkRjy.exe |
Code function: 1_2_013650B0 |
Source: C:\Users\user\Desktop\duLT5gkRjy.exe |
Code function: 1_2_0135CB60 |
Source: C:\Users\user\Desktop\duLT5gkRjy.exe |
Code function: 1_2_01361B40 |
Source: C:\Users\user\Desktop\duLT5gkRjy.exe |
Code function: 1_2_013623A0 |
Source: C:\Users\user\Desktop\duLT5gkRjy.exe |
Code function: 1_2_01352380 |
Source: C:\Users\user\Desktop\duLT5gkRjy.exe |
Code function: 1_2_0135B3F0 |
Source: C:\Users\user\Desktop\duLT5gkRjy.exe |
Code function: 1_2_01357A30 |
Source: C:\Users\user\Desktop\duLT5gkRjy.exe |
Code function: 1_2_01358E60 |
Source: C:\Users\user\Desktop\duLT5gkRjy.exe |
Code function: String function: 01357720 appears 47 times |
|
Source: duLT5gkRjy.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: duLT5gkRjy.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: duLT5gkRjy.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: duLT5gkRjy.exe |
Virustotal: Detection: 62% |
Source: duLT5gkRjy.exe |
ReversingLabs: Detection: 59% |
Source: unknown |
Process created: C:\Users\user\Desktop\duLT5gkRjy.exe "C:\Users\user\Desktop\duLT5gkRjy.exe" |
Source: classification engine |
Classification label: mal80.troj.winEXE@2/6@2/2 |
Source: duLT5gkRjy.exe, 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000001.00000000.244816151.000000000146A000.00000002.00020000.sdmp |
Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q); |
Source: duLT5gkRjy.exe, 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000001.00000000.244816151.000000000146A000.00000002.00020000.sdmp |
Binary or memory string: SELECT host,name,value,expiry FROM moz_cookies where host='.facebook.com'; |
Source: duLT5gkRjy.exe, 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000001.00000000.244816151.000000000146A000.00000002.00020000.sdmp |
Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s; |
Source: duLT5gkRjy.exe, 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000001.00000000.244816151.000000000146A000.00000002.00020000.sdmp |
Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s; |
Source: duLT5gkRjy.exe, 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000001.00000000.244816151.000000000146A000.00000002.00020000.sdmp |
Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger'); |
Source: C:\Windows\SysWOW64\WerFault.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5068 |
Source: C:\Users\user\Desktop\duLT5gkRjy.exe |
Mutant created: \Sessions\1\BaseNamedObjects\patatoes |
Source: C:\Users\user\Desktop\duLT5gkRjy.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\WerFault.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: duLT5gkRjy.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: duLT5gkRjy.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: duLT5gkRjy.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: duLT5gkRjy.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: duLT5gkRjy.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: duLT5gkRjy.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: duLT5gkRjy.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: duLT5gkRjy.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: duLT5gkRjy.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: duLT5gkRjy.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: duLT5gkRjy.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: duLT5gkRjy.exe |
Static PE information: section name: .ogtrfyj |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: Amcache.hve.3.dr |
Binary or memory string: VMware |
Source: Amcache.hve.3.dr |
Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000 |
Source: Amcache.hve.3.dr |
Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000 |
Source: Amcache.hve.3.dr |
Binary or memory string: VMware Virtual USB Mouse |
Source: Amcache.hve.3.dr |
Binary or memory string: VMware, Inc. |
Source: Amcache.hve.3.dr |
Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin |
Source: Amcache.hve.3.dr |
Binary or memory string: Microsoft Hyper-V Generation Counter |
Source: Amcache.hve.3.dr |
Binary or memory string: VMware7,1 |
Source: Amcache.hve.3.dr |
Binary or memory string: NECVMWar VMware SATA CD00 |
Source: Amcache.hve.3.dr |
Binary or memory string: VMware Virtual disk SCSI Disk Device |
Source: Amcache.hve.3.dr |
Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1 |
Source: Amcache.hve.3.dr |
Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom |
Source: Amcache.hve.3.dr |
Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk |
Source: Amcache.hve.3.dr |
Binary or memory string: VMware, Inc.me |
Source: Amcache.hve.3.dr |
Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000 |
Source: Amcache.hve.3.dr |
Binary or memory string: VMware-42 35 44 6e 75 85 11 47-bd a2 bb ed 21 43 9f 89 |
Source: Amcache.hve.3.dr |
Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000 |
Source: C:\Users\user\Desktop\duLT5gkRjy.exe |
Code function: 1_2_014524F8 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\duLT5gkRjy.exe |
Code function: 1_2_014483D7 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\duLT5gkRjy.exe |
Code function: 1_2_0143B8A6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Users\user\Desktop\duLT5gkRjy.exe |
Code function: 1_2_01434F72 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: duLT5gkRjy.exe, 00000001.00000000.251065160.0000000001AF0000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000001.00000000.252030450.0000000001AF0000.00000002.00020000.sdmp |
Binary or memory string: uProgram Manager |
Source: duLT5gkRjy.exe, 00000001.00000000.251065160.0000000001AF0000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000001.00000000.252030450.0000000001AF0000.00000002.00020000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: duLT5gkRjy.exe, 00000001.00000000.251065160.0000000001AF0000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000001.00000000.252030450.0000000001AF0000.00000002.00020000.sdmp |
Binary or memory string: Progman |
Source: duLT5gkRjy.exe, 00000001.00000000.251065160.0000000001AF0000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000001.00000000.252030450.0000000001AF0000.00000002.00020000.sdmp |
Binary or memory string: Progmanlock |
Source: C:\Users\user\Desktop\duLT5gkRjy.exe |
Code function: 1_2_01436304 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, |
Source: C:\Users\user\Desktop\duLT5gkRjy.exe |
Code function: 1_2_014529E0 _free,_free,_free,GetTimeZoneInformation,_free, |
Source: Yara match |
File source: duLT5gkRjy.exe, type: SAMPLE |
Source: Yara match |
File source: 1.2.duLT5gkRjy.exe.1350000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.0.duLT5gkRjy.exe.1350000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.0.duLT5gkRjy.exe.1350000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.0.duLT5gkRjy.exe.1350000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000001.00000002.266028618.000000000146A000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000000.250943662.000000000146A000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000000.244816151.000000000146A000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000000.251852996.000000000146A000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: duLT5gkRjy.exe PID: 5068, type: MEMORYSTR |