Source: C:\Users\user\AppData\Local\Temp\services.exe | Avira: detection malicious, Label: BDS/Backdoor.fszhy |
Source: C:\Windows\java.exe | Avira: detection malicious, Label: WORM/Mydoom.O.1 |
Source: C:\Windows\services.exe | Avira: detection malicious, Label: BDS/Backdoor.fszhy |
Source: C:\Users\user\AppData\Local\Temp\services.exe | ReversingLabs: Detection: 100% |
Source: C:\Users\user\AppData\Local\Temp\services.exe | Virustotal: Detection: 84% | Perma Link |
Source: C:\Windows\java.exe | ReversingLabs: Detection: 97% |
Source: C:\Windows\java.exe | Virustotal: Detection: 91% | Perma Link |
Source: C:\Windows\services.exe | ReversingLabs: Detection: 100% |
Source: C:\Windows\services.exe | Virustotal: Detection: 84% | Perma Link |
Source: Yara match | File source: 8.2.java.exe.500000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.message.com.exe.500000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000008.00000002.2620386663.0000000000501000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.1500589975.0000000000501000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: message.com.exe PID: 6888, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: java.exe PID: 7548, type: MEMORYSTR |
Source: C:\Users\user\Desktop\message.com.exe | Code function: 0_2_005052AD lstrcat,Sleep,lstrcpy,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose, | 0_2_005052AD |
Source: C:\Windows\java.exe | Code function: 8_2_005052AD lstrcat,Sleep,lstrcpy,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose, | 8_2_005052AD |
Source: C:\Windows\java.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\ | Jump to behavior |
Source: C:\Windows\java.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\ | Jump to behavior |
Source: C:\Windows\java.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\ | Jump to behavior |
Source: C:\Windows\java.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\ | Jump to behavior |
Source: C:\Windows\java.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\ | Jump to behavior |
Source: C:\Windows\java.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\ | Jump to behavior |
Source: unknown | TCP traffic detected without corresponding DNS query: 15.124.29.93 |
Source: unknown | TCP traffic detected without corresponding DNS query: 15.124.29.93 |
Source: unknown | TCP traffic detected without corresponding DNS query: 15.124.29.93 |
Source: unknown | TCP traffic detected without corresponding DNS query: 15.124.29.93 |
Source: unknown | TCP traffic detected without corresponding DNS query: 15.124.29.93 |
Source: unknown | TCP traffic detected without corresponding DNS query: 4.240.78.155 |
Source: unknown | TCP traffic detected without corresponding DNS query: 4.240.78.155 |
Source: unknown | TCP traffic detected without corresponding DNS query: 4.240.78.155 |
Source: unknown | TCP traffic detected without corresponding DNS query: 4.240.78.155 |
Source: unknown | TCP traffic detected without corresponding DNS query: 4.240.78.155 |
Source: unknown | TCP traffic detected without corresponding DNS query: 24.196.145.49 |
Source: unknown | TCP traffic detected without corresponding DNS query: 24.196.145.49 |
Source: unknown | TCP traffic detected without corresponding DNS query: 24.196.145.49 |
Source: unknown | TCP traffic detected without corresponding DNS query: 24.196.145.49 |
Source: unknown | TCP traffic detected without corresponding DNS query: 24.196.145.49 |
Source: unknown | TCP traffic detected without corresponding DNS query: 159.134.165.119 |
Source: unknown | TCP traffic detected without corresponding DNS query: 159.134.165.119 |
Source: unknown | TCP traffic detected without corresponding DNS query: 159.134.165.119 |
Source: unknown | TCP traffic detected without corresponding DNS query: 159.134.165.119 |
Source: unknown | TCP traffic detected without corresponding DNS query: 159.134.165.119 |
Source: unknown | TCP traffic detected without corresponding DNS query: 16.91.195.90 |
Source: unknown | TCP traffic detected without corresponding DNS query: 16.91.195.90 |
Source: unknown | TCP traffic detected without corresponding DNS query: 16.91.195.90 |
Source: unknown | TCP traffic detected without corresponding DNS query: 16.91.195.90 |
Source: unknown | TCP traffic detected without corresponding DNS query: 16.91.195.90 |
Source: message.com.exe, message.com.exe, 00000000.00000002.1500589975.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, java.exe, 00000008.00000002.2620386663.0000000000501000.00000040.00000001.01000000.00000007.sdmp | String found in binary or memory: http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=%s |
Source: message.com.exe, 00000000.00000002.1500589975.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, 00000008.00000002.2620386663.0000000000501000.00000040.00000001.01000000.00000007.sdmp | String found in binary or memory: http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=%s&nbq=%dhttp://www.altavista.c |
Source: message.com.exe, message.com.exe, 00000000.00000002.1500589975.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, java.exe, 00000008.00000002.2620386663.0000000000501000.00000040.00000001.01000000.00000007.sdmp | String found in binary or memory: http://search.yahoo.com/search?p=%s&ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab= |
Source: Amcache.hve.6.dr | String found in binary or memory: http://upx.sf.net |
Source: message.com.exe, message.com.exe, 00000000.00000002.1500589975.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, java.exe, 00000008.00000002.2620386663.0000000000501000.00000040.00000001.01000000.00000007.sdmp | String found in binary or memory: http://www.altavista.com/web/results?q=%s&kgs=0&kls=0 |
Source: message.com.exe, message.com.exe, 00000000.00000002.1500589975.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, java.exe, 00000008.00000002.2620386663.0000000000501000.00000040.00000001.01000000.00000007.sdmp | String found in binary or memory: http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%s |
Source: message.com.exe, 00000000.00000002.1500711357.00000000005DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://denmark.smartscre_ |
Source: message.com.exe, 00000000.00000002.1500711357.00000000005DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://denmark.smartscre_curlrcom |
Source: message.com.exe, 00000000.00000002.1500711357.00000000005DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://europe.d |
Source: message.com.exe, 00000000.00000002.1500711357.00000000005DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://europe.dbgcreepp |
Source: message.com.exe, 00000000.00000002.1500711357.00000000005DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://southkoreregid.1991-06.com.microsoftza |
Source: message.com.exe, 00000000.00000002.1500711357.00000000005DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://unitUSOPrivaten.micrp |
Source: message.com.exe, 00000000.00000002.1500711357.00000000005B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://unitedstates2.ss.wd.microsoft |
Source: message.com.exe, 00000000.00000002.1500711357.00000000005B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://unitedstates4.ss.wd.microsoft.us |
Source: Yara match | File source: 8.2.java.exe.500000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.message.com.exe.500000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000008.00000002.2620386663.0000000000501000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.1500589975.0000000000501000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: message.com.exe PID: 6888, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: java.exe PID: 7548, type: MEMORYSTR |
Source: unknown | Process created: C:\Users\user\Desktop\message.com.exe "C:\Users\user\Desktop\message.com.exe" | |
Source: C:\Users\user\Desktop\message.com.exe | Process created: C:\Windows\services.exe "C:\Windows\services.exe" | |
Source: C:\Users\user\Desktop\message.com.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6888 -s 1196 | |
Source: unknown | Process created: C:\Windows\java.exe "C:\Windows\java.exe" | |
Source: C:\Windows\java.exe | Process created: C:\Users\user\AppData\Local\Temp\services.exe "C:\Users\user\AppData\Local\Temp\services.exe" | |
Source: unknown | Process created: C:\Windows\services.exe "C:\Windows\services.exe" | |
Source: C:\Users\user\Desktop\message.com.exe | Process created: C:\Windows\services.exe "C:\Windows\services.exe" | Jump to behavior |
Source: C:\Windows\java.exe | Process created: C:\Users\user\AppData\Local\Temp\services.exe "C:\Users\user\AppData\Local\Temp\services.exe" | Jump to behavior |
Source: C:\Users\user\Desktop\message.com.exe | Section loaded: apphelp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\message.com.exe | Section loaded: ntmarta.dll | Jump to behavior |
Source: C:\Users\user\Desktop\message.com.exe | Section loaded: wininet.dll | Jump to behavior |
Source: C:\Users\user\Desktop\message.com.exe | Section loaded: iertutil.dll | Jump to behavior |
Source: C:\Users\user\Desktop\message.com.exe | Section loaded: sspicli.dll | Jump to behavior |
Source: C:\Users\user\Desktop\message.com.exe | Section loaded: windows.storage.dll | Jump to behavior |
Source: C:\Users\user\Desktop\message.com.exe | Section loaded: wldp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\message.com.exe | Section loaded: profapi.dll | Jump to behavior |
Source: C:\Users\user\Desktop\message.com.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Users\user\Desktop\message.com.exe | Section loaded: ondemandconnroutehelper.dll | Jump to behavior |
Source: C:\Users\user\Desktop\message.com.exe | Section loaded: winhttp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\message.com.exe | Section loaded: iphlpapi.dll | Jump to behavior |
Source: C:\Users\user\Desktop\message.com.exe | Section loaded: mswsock.dll | Jump to behavior |
Source: C:\Users\user\Desktop\message.com.exe | Section loaded: winnsi.dll | Jump to behavior |
Source: C:\Windows\services.exe | Section loaded: apphelp.dll | Jump to behavior |
Source: C:\Windows\services.exe | Section loaded: napinsp.dll | Jump to behavior |
Source: C:\Windows\services.exe | Section loaded: pnrpnsp.dll | Jump to behavior |
Source: C:\Windows\services.exe | Section loaded: wshbth.dll | Jump to behavior |
Source: C:\Windows\services.exe | Section loaded: nlaapi.dll | Jump to behavior |
Source: C:\Windows\services.exe | Section loaded: iphlpapi.dll | Jump to behavior |
Source: C:\Windows\services.exe | Section loaded: mswsock.dll | Jump to behavior |
Source: C:\Windows\services.exe | Section loaded: dnsapi.dll | Jump to behavior |
Source: C:\Windows\services.exe | Section loaded: winrnr.dll | Jump to behavior |
Source: C:\Windows\services.exe | Section loaded: fwpuclnt.dll | Jump to behavior |
Source: C:\Windows\services.exe | Section loaded: rasadhlp.dll | Jump to behavior |
Source: C:\Windows\services.exe | Section loaded: wininet.dll | Jump to behavior |
Source: C:\Windows\services.exe | Section loaded: iertutil.dll | Jump to behavior |
Source: C:\Windows\services.exe | Section loaded: sspicli.dll | Jump to behavior |
Source: C:\Windows\services.exe | Section loaded: windows.storage.dll | Jump to behavior |
Source: C:\Windows\services.exe | Section loaded: wldp.dll | Jump to behavior |
Source: C:\Windows\services.exe | Section loaded: profapi.dll | Jump to behavior |
Source: C:\Windows\services.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Windows\services.exe | Section loaded: ondemandconnroutehelper.dll | Jump to behavior |
Source: C:\Windows\services.exe | Section loaded: winhttp.dll | Jump to behavior |
Source: C:\Windows\services.exe | Section loaded: winnsi.dll | Jump to behavior |
Source: C:\Windows\java.exe | Section loaded: apphelp.dll | Jump to behavior |
Source: C:\Windows\java.exe | Section loaded: napinsp.dll | Jump to behavior |
Source: C:\Windows\java.exe | Section loaded: pnrpnsp.dll | Jump to behavior |
Source: C:\Windows\java.exe | Section loaded: wshbth.dll | Jump to behavior |
Source: C:\Windows\java.exe | Section loaded: nlaapi.dll | Jump to behavior |
Source: C:\Windows\java.exe | Section loaded: iphlpapi.dll | Jump to behavior |
Source: C:\Windows\java.exe | Section loaded: mswsock.dll | Jump to behavior |
Source: C:\Windows\java.exe | Section loaded: dnsapi.dll | Jump to behavior |
Source: C:\Windows\java.exe | Section loaded: winrnr.dll | Jump to behavior |
Source: C:\Windows\java.exe | Section loaded: wininet.dll | Jump to behavior |
Source: C:\Windows\java.exe | Section loaded: iertutil.dll | Jump to behavior |
Source: C:\Windows\java.exe | Section loaded: sspicli.dll | Jump to behavior |
Source: C:\Windows\java.exe | Section loaded: windows.storage.dll | Jump to behavior |
Source: C:\Windows\java.exe | Section loaded: wldp.dll | Jump to behavior |
Source: C:\Windows\java.exe | Section loaded: profapi.dll | Jump to behavior |
Source: C:\Windows\java.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Windows\java.exe | Section loaded: ondemandconnroutehelper.dll | Jump to behavior |
Source: C:\Windows\java.exe | Section loaded: winhttp.dll | Jump to behavior |
Source: C:\Windows\java.exe | Section loaded: winnsi.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe | Section loaded: apphelp.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe | Section loaded: napinsp.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe | Section loaded: pnrpnsp.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe | Section loaded: wshbth.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe | Section loaded: nlaapi.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe | Section loaded: iphlpapi.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe | Section loaded: mswsock.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe | Section loaded: dnsapi.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe | Section loaded: winrnr.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe | Section loaded: fwpuclnt.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe | Section loaded: rasadhlp.dll | Jump to behavior |
Source: C:\Windows\services.exe | Section loaded: napinsp.dll | Jump to behavior |
Source: C:\Windows\services.exe | Section loaded: pnrpnsp.dll | Jump to behavior |
Source: C:\Windows\services.exe | Section loaded: wshbth.dll | Jump to behavior |
Source: C:\Windows\services.exe | Section loaded: nlaapi.dll | Jump to behavior |
Source: C:\Windows\services.exe | Section loaded: iphlpapi.dll | Jump to behavior |
Source: C:\Windows\services.exe | Section loaded: mswsock.dll | Jump to behavior |
Source: C:\Windows\services.exe | Section loaded: dnsapi.dll | Jump to behavior |
Source: C:\Windows\services.exe | Section loaded: winrnr.dll | Jump to behavior |
Source: C:\Windows\services.exe | Section loaded: fwpuclnt.dll | Jump to behavior |
Source: C:\Windows\services.exe | Section loaded: rasadhlp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\message.com.exe | Code function: 0_2_0050A42D push ds; ret | 0_2_0050A42E |
Source: C:\Users\user\Desktop\message.com.exe | Code function: 0_2_0050DEA6 push ds; ret | 0_2_0050DEBE |
Source: C:\Users\user\Desktop\message.com.exe | Code function: 0_2_0050A501 push ecx; retf | 0_2_0050A53F |
Source: C:\Users\user\Desktop\message.com.exe | Code function: 0_2_0050A50F push ecx; retf | 0_2_0050A53F |
Source: C:\Users\user\Desktop\message.com.exe | Code function: 0_2_00509BA2 push edx; retf | 0_2_00509BAB |
Source: C:\Windows\services.exe | Code function: 2_2_00405A55 push es; iretd | 2_2_00405A8E |
Source: C:\Windows\java.exe | Code function: 8_2_0050A42D push ds; ret | 8_2_0050A42E |
Source: C:\Windows\java.exe | Code function: 8_2_0050DEA6 push ds; ret | 8_2_0050DEBE |
Source: C:\Windows\java.exe | Code function: 8_2_0050A501 push ecx; retf | 8_2_0050A53F |
Source: C:\Windows\java.exe | Code function: 8_2_0050A50F push ecx; retf | 8_2_0050A53F |
Source: C:\Windows\java.exe | Code function: 8_2_00509BA2 push edx; retf | 8_2_00509BAB |
Source: initial sample | Static PE information: section name: UPX0 |
Source: initial sample | Static PE information: section name: UPX1 |
Source: initial sample | Static PE information: section name: UPX0 |
Source: initial sample | Static PE information: section name: UPX1 |
Source: initial sample | Static PE information: section name: UPX0 |
Source: initial sample | Static PE information: section name: UPX1 |
Source: initial sample | Static PE information: section name: UPX0 |
Source: initial sample | Static PE information: section name: UPX1 |
Source: C:\Users\user\Desktop\message.com.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run JavaVM | Jump to behavior |
Source: C:\Users\user\Desktop\message.com.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run JavaVM | Jump to behavior |
Source: C:\Windows\services.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Services | Jump to behavior |
Source: C:\Windows\services.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Services | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\services.exe | Window / User API: threadDelayed 1426 | Jump to behavior |
Source: C:\Windows\java.exe | Window / User API: threadDelayed 1380 | Jump to behavior |
Source: C:\Windows\java.exe | Window / User API: threadDelayed 7702 | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe | Window / User API: threadDelayed 2230 | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe | Window / User API: threadDelayed 7767 | Jump to behavior |
Source: C:\Windows\services.exe | Window / User API: threadDelayed 9361 | Jump to behavior |
Source: C:\Windows\services.exe | Window / User API: threadDelayed 638 | Jump to behavior |
Source: C:\Windows\java.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) | graph_8-3537 |
Source: C:\Windows\services.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) | graph_2-1036 |
Source: C:\Users\user\Desktop\message.com.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) | graph_0-3533 |
Source: C:\Users\user\Desktop\message.com.exe TID: 6732 | Thread sleep time: -56000s >= -30000s | Jump to behavior |
Source: C:\Windows\services.exe TID: 6380 | Thread sleep count: 1426 > 30 | Jump to behavior |
Source: C:\Windows\java.exe TID: 7576 | Thread sleep count: 1380 > 30 | Jump to behavior |
Source: C:\Windows\java.exe TID: 7576 | Thread sleep time: -1104000s >= -30000s | Jump to behavior |
Source: C:\Windows\java.exe TID: 7552 | Thread sleep count: 44 > 30 | Jump to behavior |
Source: C:\Windows\java.exe TID: 7576 | Thread sleep count: 7702 > 30 | Jump to behavior |
Source: C:\Windows\java.exe TID: 7576 | Thread sleep time: -6161600s >= -30000s | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 7572 | Thread sleep count: 2230 > 30 | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 7572 | Thread sleep time: -557500s >= -30000s | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 7572 | Thread sleep count: 7767 > 30 | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 7572 | Thread sleep time: -1941750s >= -30000s | Jump to behavior |
Source: C:\Windows\services.exe TID: 7736 | Thread sleep count: 9361 > 30 | Jump to behavior |
Source: C:\Windows\services.exe TID: 7736 | Thread sleep time: -2340250s >= -30000s | Jump to behavior |
Source: C:\Windows\services.exe TID: 7736 | Thread sleep count: 638 > 30 | Jump to behavior |
Source: C:\Windows\services.exe TID: 7736 | Thread sleep time: -159500s >= -30000s | Jump to behavior |
Source: C:\Users\user\Desktop\message.com.exe | Last function: Thread delayed |
Source: C:\Windows\services.exe | Last function: Thread delayed |
Source: C:\Windows\services.exe | Last function: Thread delayed |
Source: C:\Users\user\Desktop\message.com.exe | Code function: 0_2_005052AD lstrcat,Sleep,lstrcpy,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose, | 0_2_005052AD |
Source: C:\Windows\java.exe | Code function: 8_2_005052AD lstrcat,Sleep,lstrcpy,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose, | 8_2_005052AD |
Source: C:\Windows\java.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\ | Jump to behavior |
Source: C:\Windows\java.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\ | Jump to behavior |
Source: C:\Windows\java.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\ | Jump to behavior |
Source: C:\Windows\java.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\ | Jump to behavior |
Source: C:\Windows\java.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\ | Jump to behavior |
Source: C:\Windows\java.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\ | Jump to behavior |
Source: Amcache.hve.6.dr | Binary or memory string: VMware |
Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual USB Mouse |
Source: Amcache.hve.6.dr | Binary or memory string: vmci.syshbin |
Source: Amcache.hve.6.dr | Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67 |
Source: Amcache.hve.6.dr | Binary or memory string: VMware, Inc. |
Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1hbin@ |
Source: Amcache.hve.6.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563 |
Source: Amcache.hve.6.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: Amcache.hve.6.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys |
Source: Amcache.hve.6.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: java.exe, 00000008.00000002.2622640497.000000000056E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld} |
Source: Amcache.hve.6.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev |
Source: Amcache.hve.6.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys |
Source: Amcache.hve.6.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: services.exe, 00000002.00000002.2622723854.0000000000812000.00000004.00000020.00020000.00000000.sdmp, services.exe, 0000000B.00000002.2624896857.0000000000800000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: services.exe, 00000009.00000002.2622857477.0000000000812000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllw |
Source: Amcache.hve.6.dr | Binary or memory string: vmci.sys |
Source: Amcache.hve.6.dr | Binary or memory string: vmci.syshbin` |
Source: Amcache.hve.6.dr | Binary or memory string: \driver\vmci,\driver\pci |
Source: Amcache.hve.6.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: message.com.exe, 00000000.00000002.1500711357.000000000059E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2 |
Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1 |
Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Generation Counter |
Source: Amcache.hve.6.dr | Binary or memory string: NECVMWar VMware SATA CD00 |
Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device |
Source: Amcache.hve.6.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom |
Source: Amcache.hve.6.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk |
Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver |
Source: Amcache.hve.6.dr | Binary or memory string: VMware PCI VMCI Bus Device |
Source: Amcache.hve.6.dr | Binary or memory string: VMware VMCI Bus Device |
Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual RAM |
Source: Amcache.hve.6.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1 |
Source: Amcache.hve.6.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563 |
Source: C:\Users\user\Desktop\message.com.exe | Code function: 0_2_00505A45 LdrInitializeThunk,lstrcpy,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcat,lstrcat,lstrcpy,lstrcpy, | 0_2_00505A45 |
Source: Amcache.hve.6.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe |
Source: Amcache.hve.6.dr | Binary or memory string: msmpeng.exe |
Source: Amcache.hve.6.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe |
Source: Amcache.hve.6.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe |
Source: Amcache.hve.6.dr | Binary or memory string: MsMpEng.exe |
Source: C:\Users\user\Desktop\message.com.exe | Code function: 0_2_0050311C FindWindowA,FindWindowA,FindWindowA,FindWindowA,RtlExitUserThread, | 0_2_0050311C |
Source: C:\Windows\java.exe | Code function: 8_2_0050311C FindWindowA,FindWindowA,FindWindowA,FindWindowA,RtlExitUserThread,GetModuleHandleA,GetProcAddress, | 8_2_0050311C |
Source: C:\Windows\services.exe | Code function: 2_2_00401F0E GetProcessHeap,RtlAllocateHeap,htons,htons,socket,closesocket,Sleep,htons,socket,bind,listen,CreateThread,select,Sleep,GetProcessHeap,RtlAllocateHeap,accept,closesocket,accept,GetProcessHeap,HeapFree,CreateThread,CloseHandle, | 2_2_00401F0E |