Source: 1.2.javaw.exe.22e0000.2.exe | Avira: detected |
Source: 1.2.javaw.exe.22e0000.2.exe | Joe Sandbox ML: detected |
Source: 1.2.javaw.exe.22e0000.2.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE |
Source: | Binary string: wkernel32.pdb source: WerFault.exe, 00000008.00000003.299137006.0000000004BE1000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.296664816.0000000002ADF000.00000004.00000001.sdmp |
Source: | Binary string: wkernelbase.pdb source: WerFault.exe, 00000008.00000003.299137006.0000000004BE1000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.296789212.0000000002ACA000.00000004.00000001.sdmp |
Source: | Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000008.00000002.309035111.0000000000522000.00000004.00000001.sdmp |
Source: | Binary string: wntdll.pdb source: WerFault.exe, 00000008.00000003.299137006.0000000004BE1000.00000004.00000001.sdmp |
Source: | Binary string: upwntdll.pdb source: WerFault.exe, 00000008.00000003.299094342.0000000002AD8000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.296865453.0000000002AD7000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.297018256.0000000002AD7000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.297417397.0000000002AD8000.00000004.00000001.sdmp |
Source: | Binary string: apphelp.pdb source: WerFault.exe, 00000008.00000003.299137006.0000000004BE1000.00000004.00000001.sdmp |
Source: | Binary string: upwntdll.pdbk$ source: WerFault.exe, 00000008.00000003.305141001.0000000002AD8000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.306277726.0000000002AD8000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.304726906.0000000002AD8000.00000004.00000001.sdmp |
Source: | Binary string: wntdll.pdbk source: WerFault.exe, 00000008.00000003.299137006.0000000004BE1000.00000004.00000001.sdmp |
Source: WerFault.exe, 00000008.00000002.309889564.0000000002ABB000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.307712711.0000000002ABB000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: Amcache.hve.8.dr | String found in binary or memory: http://upx.sf.net |
Source: 1.2.javaw.exe.22e0000.2.exe, 00000001.00000000.292131293.000000000279A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> | |
Source: 1.2.javaw.exe.22e0000.2.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE |
Source: 1.2.javaw.exe.22e0000.2.exe | Static PE information: No import functions for PE file found |
Source: C:\Users\user\Desktop\1.2.javaw.exe.22e0000.2.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6984 -s 212 |
Source: C:\Users\user\Desktop\1.2.javaw.exe.22e0000.2.exe | Code function: 1_2_022E19B0 | 1_2_022E19B0 |
Source: C:\Users\user\Desktop\1.2.javaw.exe.22e0000.2.exe | Code function: 1_2_022E8D70 | 1_2_022E8D70 |
Source: C:\Users\user\Desktop\1.2.javaw.exe.22e0000.2.exe | Code function: 1_2_022E37F0 | 1_2_022E37F0 |
Source: C:\Users\user\Desktop\1.2.javaw.exe.22e0000.2.exe | Code function: 1_2_022E50C0 | 1_2_022E50C0 |
Source: 1.2.javaw.exe.22e0000.2.exe | Static PE information: Section: .data ZLIB complexity 1.021484375 |
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER78B9.tmp | Jump to behavior |
Source: C:\Users\user\Desktop\1.2.javaw.exe.22e0000.2.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | Jump to behavior |
Source: classification engine | Classification label: mal56.winEXE@2/6@0/0 |
Source: unknown | Process created: C:\Users\user\Desktop\1.2.javaw.exe.22e0000.2.exe "C:\Users\user\Desktop\1.2.javaw.exe.22e0000.2.exe" |
Source: C:\Users\user\Desktop\1.2.javaw.exe.22e0000.2.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6984 -s 212 |
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6984 |
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts | Jump to behavior |
Source: | Binary string: wkernel32.pdb source: WerFault.exe, 00000008.00000003.299137006.0000000004BE1000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.296664816.0000000002ADF000.00000004.00000001.sdmp |
Source: | Binary string: wkernelbase.pdb source: WerFault.exe, 00000008.00000003.299137006.0000000004BE1000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.296789212.0000000002ACA000.00000004.00000001.sdmp |
Source: | Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000008.00000002.309035111.0000000000522000.00000004.00000001.sdmp |
Source: | Binary string: wntdll.pdb source: WerFault.exe, 00000008.00000003.299137006.0000000004BE1000.00000004.00000001.sdmp |
Source: | Binary string: upwntdll.pdb source: WerFault.exe, 00000008.00000003.299094342.0000000002AD8000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.296865453.0000000002AD7000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.297018256.0000000002AD7000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.297417397.0000000002AD8000.00000004.00000001.sdmp |
Source: | Binary string: apphelp.pdb source: WerFault.exe, 00000008.00000003.299137006.0000000004BE1000.00000004.00000001.sdmp |
Source: | Binary string: upwntdll.pdbk$ source: WerFault.exe, 00000008.00000003.305141001.0000000002AD8000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.306277726.0000000002AD8000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.304726906.0000000002AD8000.00000004.00000001.sdmp |
Source: | Binary string: wntdll.pdbk source: WerFault.exe, 00000008.00000003.299137006.0000000004BE1000.00000004.00000001.sdmp |
Source: 1.2.javaw.exe.22e0000.2.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: 1.2.javaw.exe.22e0000.2.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: 1.2.javaw.exe.22e0000.2.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: 1.2.javaw.exe.22e0000.2.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: 1.2.javaw.exe.22e0000.2.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: 1.2.javaw.exe.22e0000.2.exe | Static PE information: section name: .teslaX |
Source: C:\Windows\SysWOW64\WerFault.exe | Registry value created or modified: \REGISTRY\A\{5f6f2660-b4f2-a4df-7d05-86d67e169743}\Root\InventoryApplicationFile\1.2.javaw.exe.22|d0d8f4f4 LowerCaseLongPath c:\users\user\desktop\1.2.javaw.exe.22e0000.2.exe | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Registry value created or modified: \REGISTRY\A\{5f6f2660-b4f2-a4df-7d05-86d67e169743}\Root\InventoryApplicationFile\1.2.javaw.exe.22|d0d8f4f4 LongPathHash 1.2.javaw.exe.22|d0d8f4f4 | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Registry value created or modified: \REGISTRY\A\{5f6f2660-b4f2-a4df-7d05-86d67e169743}\Root\InventoryApplicationFile\1.2.javaw.exe.22|d0d8f4f4 Name 1.2.javaw.exe.22e0000.2.exe | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: Amcache.hve.8.dr | Binary or memory string: VMware |
Source: Amcache.hve.8.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000 |
Source: Amcache.hve.8.dr | Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000 |
Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual USB Mouse |
Source: Amcache.hve.8.dr | Binary or memory string: VMware, Inc. |
Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin |
Source: Amcache.hve.8.dr | Binary or memory string: Microsoft Hyper-V Generation Counter |
Source: Amcache.hve.8.dr | Binary or memory string: VMware7,1 |
Source: Amcache.hve.8.dr | Binary or memory string: NECVMWar VMware SATA CD00 |
Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device |
Source: Amcache.hve.8.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1 |
Source: WerFault.exe, 00000008.00000002.309873948.0000000002AA3000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.307778902.0000000002AA1000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW |
Source: Amcache.hve.8.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom |
Source: Amcache.hve.8.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk |
Source: Amcache.hve.8.dr | Binary or memory string: VMware, Inc.me |
Source: Amcache.hve.8.dr | Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7 |
Source: Amcache.hve.8.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000 |
Source: Amcache.hve.8.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000 |
Source: C:\Users\user\Desktop\1.2.javaw.exe.22e0000.2.exe | Code function: 1_2_022E3E40 mov eax, dword ptr fs:[00000030h] | 1_2_022E3E40 |
Source: C:\Users\user\Desktop\1.2.javaw.exe.22e0000.2.exe | Process queried: DebugPort | Jump to behavior |
Source: Amcache.hve.LOG1.8.dr, Amcache.hve.8.dr | Binary or memory string: c:\users\user\desktop\procexp.exe |
Source: Amcache.hve.8.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe |
Source: Amcache.hve.LOG1.8.dr, Amcache.hve.8.dr | Binary or memory string: procexp.exe |
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.