Source: 8XMlaeHQXZ.exe | Virustotal: Detection: 21% | Perma Link |
Source: 8XMlaeHQXZ.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE |
Source: | Binary string: wkernel32.pdb source: WerFault.exe, 00000003.00000003.372441520.0000000000B04000.00000004.00000001.sdmp, WerFault.exe, 00000003.00000003.373762927.0000000004BF1000.00000004.00000001.sdmp, WerFault.exe, 00000003.00000003.372358336.0000000000B1B000.00000004.00000001.sdmp |
Source: | Binary string: wkernelbase.pdb source: WerFault.exe, 00000003.00000003.372382776.0000000000B0A000.00000004.00000001.sdmp, WerFault.exe, 00000003.00000003.373762927.0000000004BF1000.00000004.00000001.sdmp, WerFault.exe, 00000003.00000003.372317581.0000000000B1B000.00000004.00000001.sdmp |
Source: | Binary string: wntdll.pdb source: WerFault.exe, 00000003.00000003.373762927.0000000004BF1000.00000004.00000001.sdmp |
Source: | Binary string: apphelp.pdb source: WerFault.exe, 00000003.00000003.373762927.0000000004BF1000.00000004.00000001.sdmp |
Source: | Binary string: wntdll.pdbk source: WerFault.exe, 00000003.00000003.373762927.0000000004BF1000.00000004.00000001.sdmp |
Source: Amcache.hve.3.dr | String found in binary or memory: http://upx.sf.net |
Source: 8XMlaeHQXZ.exe | Static PE information: section name: |
Source: 8XMlaeHQXZ.exe | Static PE information: section name: |
Source: 8XMlaeHQXZ.exe | Static PE information: section name: |
Source: 8XMlaeHQXZ.exe | Static PE information: section name: |
Source: 8XMlaeHQXZ.exe | Static PE information: section name: |
Source: 8XMlaeHQXZ.exe | Static PE information: section name: |
Source: 8XMlaeHQXZ.exe | Static PE information: section name: |
Source: 8XMlaeHQXZ.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE |
Source: 8XMlaeHQXZ.exe | Static PE information: No import functions for PE file found |
Source: 8XMlaeHQXZ.exe, 00000000.00000000.368976942.0000000000426000.00000080.00020000.sdmp | Binary or memory string: OriginalFilenamePantsuits.exe4 vs 8XMlaeHQXZ.exe |
Source: 8XMlaeHQXZ.exe, 00000000.00000000.368976942.0000000000426000.00000080.00020000.sdmp | Binary or memory string: OriginalFilenameGeForce Experience PermissionT vs 8XMlaeHQXZ.exe |
Source: 8XMlaeHQXZ.exe | Binary or memory string: OriginalFilenamePantsuits.exe4 vs 8XMlaeHQXZ.exe |
Source: 8XMlaeHQXZ.exe | Binary or memory string: OriginalFilenameGeForce Experience PermissionT vs 8XMlaeHQXZ.exe |
Source: C:\Users\user\Desktop\8XMlaeHQXZ.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5856 -s 212 |
Source: 8XMlaeHQXZ.exe | Static PE information: Data appended to the last section found |
Source: 8XMlaeHQXZ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0 |
Source: 8XMlaeHQXZ.exe | Static PE information: Section: ZLIB complexity 1.00057768486 |
Source: 8XMlaeHQXZ.exe | Static PE information: Section: ZLIB complexity 1.0107421875 |
Source: 8XMlaeHQXZ.exe | Static PE information: Section: ZLIB complexity 1.00716145833 |
Source: 8XMlaeHQXZ.exe | Static PE information: Section: ZLIB complexity 1.021484375 |
Source: 8XMlaeHQXZ.exe | Static PE information: Section: ZLIB complexity 1.00037704324 |
Source: 8XMlaeHQXZ.exe | Virustotal: Detection: 21% |
Source: C:\Users\user\Desktop\8XMlaeHQXZ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown | Process created: C:\Users\user\Desktop\8XMlaeHQXZ.exe "C:\Users\user\Desktop\8XMlaeHQXZ.exe" |
Source: C:\Users\user\Desktop\8XMlaeHQXZ.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5856 -s 212 |
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5856 |
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERA26E.tmp | Jump to behavior |
Source: classification engine | Classification label: mal56.winEXE@2/6@0/0 |
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts | Jump to behavior |
Source: 8XMlaeHQXZ.exe | Static PE information: Raw size of is bigger than: 0x100000 < 0x104c00 |
Source: | Binary string: wkernel32.pdb source: WerFault.exe, 00000003.00000003.372441520.0000000000B04000.00000004.00000001.sdmp, WerFault.exe, 00000003.00000003.373762927.0000000004BF1000.00000004.00000001.sdmp, WerFault.exe, 00000003.00000003.372358336.0000000000B1B000.00000004.00000001.sdmp |
Source: | Binary string: wkernelbase.pdb source: WerFault.exe, 00000003.00000003.372382776.0000000000B0A000.00000004.00000001.sdmp, WerFault.exe, 00000003.00000003.373762927.0000000004BF1000.00000004.00000001.sdmp, WerFault.exe, 00000003.00000003.372317581.0000000000B1B000.00000004.00000001.sdmp |
Source: | Binary string: wntdll.pdb source: WerFault.exe, 00000003.00000003.373762927.0000000004BF1000.00000004.00000001.sdmp |
Source: | Binary string: apphelp.pdb source: WerFault.exe, 00000003.00000003.373762927.0000000004BF1000.00000004.00000001.sdmp |
Source: | Binary string: wntdll.pdbk source: WerFault.exe, 00000003.00000003.373762927.0000000004BF1000.00000004.00000001.sdmp |
Source: 8XMlaeHQXZ.exe | Static PE information: real checksum: 0x122111 should be: 0x3a656 |
Source: 8XMlaeHQXZ.exe | Static PE information: section name: |
Source: 8XMlaeHQXZ.exe | Static PE information: section name: |
Source: 8XMlaeHQXZ.exe | Static PE information: section name: |
Source: 8XMlaeHQXZ.exe | Static PE information: section name: |
Source: 8XMlaeHQXZ.exe | Static PE information: section name: |
Source: 8XMlaeHQXZ.exe | Static PE information: section name: |
Source: 8XMlaeHQXZ.exe | Static PE information: section name: |
Source: 8XMlaeHQXZ.exe | Static PE information: section name: .m8o02uE |
Source: 8XMlaeHQXZ.exe | Static PE information: section name: .adata |
Source: 8XMlaeHQXZ.exe | Static PE information: 0xFBDADAB2 [Sun Nov 25 08:54:10 2103 UTC] |
Source: initial sample | Static PE information: section name: entropy: 7.99485148323 |
Source: initial sample | Static PE information: section name: entropy: 7.80837604511 |
Source: initial sample | Static PE information: section name: entropy: 7.87119921588 |
Source: initial sample | Static PE information: section name: entropy: 7.59715435366 |
Source: initial sample | Static PE information: section name: entropy: 7.99861729183 |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: Amcache.hve.3.dr | Binary or memory string: VMware |
Source: Amcache.hve.3.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000 |
Source: Amcache.hve.3.dr | Binary or memory string: VMware-42 35 34 13 2a 07 0a 9c-ee 7f dd c3 60 c7 b9 af |
Source: Amcache.hve.3.dr | Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000 |
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual USB Mouse |
Source: Amcache.hve.3.dr | Binary or memory string: VMware, Inc. |
Source: WerFault.exe, 00000003.00000003.383855971.0000000000B12000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllo |
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin |
Source: Amcache.hve.3.dr | Binary or memory string: Microsoft Hyper-V Generation Counter |
Source: Amcache.hve.3.dr | Binary or memory string: VMware7,1 |
Source: Amcache.hve.3.dr | Binary or memory string: NECVMWar VMware SATA CD00 |
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device |
Source: Amcache.hve.3.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom |
Source: Amcache.hve.3.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk |
Source: Amcache.hve.3.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1x |
Source: Amcache.hve.3.dr | Binary or memory string: VMware, Inc.me |
Source: Amcache.hve.3.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000 |
Source: Amcache.hve.3.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000 |
Source: C:\Users\user\Desktop\8XMlaeHQXZ.exe | Process queried: DebugPort |
Source: Amcache.hve.3.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe |
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.