Source: 3.2.BiUwyvgVx6.exe.400000.0.unpack |
Malware Configuration Extractor: NetWire {"C2 list": ["43.226.229.43:2030"], "Password": "Password", "Host ID": "ECHO", "Mutex": "-", "Install Path": "%AppData%\\Install\\Host.exe", "Startup Name": "NetWire", "ActiveX Key": "-", "KeyLog Directory": "C:\\Users\\Administrator\\AppData\\Roaming\\Logs\\"} |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_0040C4B7 RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegCloseKey,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegCloseKey,RegCloseKey,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree, |
3_2_0040C4B7 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_0040E511 CryptUnprotectData,LocalFree, |
3_2_0040E511 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_0040EDD6 fopen,malloc,fclose,fread,fclose,CryptUnprotectData,sprintf,strcmp,strcmp, |
3_2_0040EDD6 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_0040D290 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, |
3_2_0040D290 |
Source: BiUwyvgVx6.exe |
Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_00406453 MultiByteToWideChar,SetErrorMode,FindFirstFileW,FileTimeToSystemTime,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, |
3_2_00406453 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_0040680D SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,FindNextFileW, |
3_2_0040680D |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_0040753D MultiByteToWideChar,SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,MultiByteToWideChar,wcscat,WideCharToMultiByte,FindNextFileW, |
3_2_0040753D |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_00413A85 SetErrorMode,MultiByteToWideChar,FindFirstFileW,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, |
3_2_00413A85 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_0040DB1C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose, |
3_2_0040DB1C |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_00406F83 SetErrorMode,FindFirstFileA,strcmp,strcmp,strcat,fopen,strncpy,fclose,strcpy,FindNextFileA,FindClose, |
3_2_00406F83 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_00406390 FindFirstFileW,fopen,_snwprintf,fwprintf,_snwprintf,FindNextFileW,FindClose,fclose, |
3_2_00406390 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_00406084 SetErrorMode,GetLogicalDriveStringsA,GetVolumeInformationA,GetDiskFreeSpaceExA,GetDriveTypeA, |
3_2_00406084 |
Source: Amcache.hve.16.dr |
String found in binary or memory: http://upx.sf.net |
Source: BiUwyvgVx6.exe |
String found in binary or memory: http://www.yandex.com |
Source: BiUwyvgVx6.exe |
String found in binary or memory: http://www.yandex.comsocks= |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_00409953 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyW,ToUnicode,WideCharToMultiByte,GetKeyState,MapVirtualKeyW,GetKeyNameTextW,GetKeyState,WideCharToMultiByte, |
3_2_00409953 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_00411D8C GetSystemMetrics,GetSystemMetrics,GetDesktopWindow,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetDIBits,calloc,GetDIBits,ReleaseDC,DeleteDC,DeleteObject,free, |
3_2_00411D8C |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_00409953 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyW,ToUnicode,WideCharToMultiByte,GetKeyState,MapVirtualKeyW,GetKeyNameTextW,GetKeyState,WideCharToMultiByte, |
3_2_00409953 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_00409953 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyW,ToUnicode,WideCharToMultiByte,GetKeyState,MapVirtualKeyW,GetKeyNameTextW,GetKeyState,WideCharToMultiByte, |
3_2_00409953 |
Source: BiUwyvgVx6.exe, type: SAMPLE |
Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown |
Source: BiUwyvgVx6.exe, type: SAMPLE |
Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown |
Source: BiUwyvgVx6.exe, type: SAMPLE |
Matched rule: Detects NetWire RAT Author: ditekSHen |
Source: 3.2.BiUwyvgVx6.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown |
Source: 3.2.BiUwyvgVx6.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown |
Source: 3.2.BiUwyvgVx6.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects NetWire RAT Author: ditekSHen |
Source: 3.0.BiUwyvgVx6.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown |
Source: 3.0.BiUwyvgVx6.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown |
Source: 3.0.BiUwyvgVx6.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects NetWire RAT Author: ditekSHen |
Source: 00000003.00000002.1721560085.0000000000423000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown |
Source: 00000003.00000000.1275114632.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown |
Source: 00000003.00000002.1721519472.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown |
Source: 00000003.00000000.1275186965.0000000000422000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown |
Source: Process Memory Space: BiUwyvgVx6.exe PID: 5680, type: MEMORYSTR |
Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Memory allocated: 70D20000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Memory allocated: 71CF0000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Memory allocated: 72CC0000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Memory allocated: 74350000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Memory allocated: 778A0000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Memory allocated: 73C90000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Memory allocated: 75D80000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Memory allocated: 75320000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Memory allocated: 76180000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Memory allocated: 77280000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Memory allocated: 74090000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Memory allocated: 75890000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Memory allocated: 76380000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Memory allocated: 77090000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Memory allocated: 74190000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Memory allocated: 75520000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Memory allocated: 75990000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Memory allocated: 75BB0000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Memory allocated: 767C0000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Memory allocated: 768D0000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Memory allocated: 77480000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Memory allocated: 77620000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Memory allocated: 74210000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Memory allocated: 742F0000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Memory allocated: 755A0000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Memory allocated: 75C30000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Memory allocated: 76480000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Memory allocated: 76950000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Memory allocated: 755E0000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Memory allocated: 76990000 page read and write |
Jump to behavior |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_00403047 |
3_2_00403047 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_0041D049 |
3_2_0041D049 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_00419463 |
3_2_00419463 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_00415079 |
3_2_00415079 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_00420420 |
3_2_00420420 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_004208C0 |
3_2_004208C0 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_004034D3 |
3_2_004034D3 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_00414976 |
3_2_00414976 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_00402E68 |
3_2_00402E68 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_00416619 |
3_2_00416619 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_0040AEC6 |
3_2_0040AEC6 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_00402AFC |
3_2_00402AFC |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_00415ABF |
3_2_00415ABF |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_00420F40 |
3_2_00420F40 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_0041FF50 |
3_2_0041FF50 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_0040A728 |
3_2_0040A728 |
Source: BiUwyvgVx6.exe |
Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED |
Source: BiUwyvgVx6.exe, type: SAMPLE |
Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23 |
Source: BiUwyvgVx6.exe, type: SAMPLE |
Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23 |
Source: BiUwyvgVx6.exe, type: SAMPLE |
Matched rule: MALWARE_Win_NetWire author = ditekSHen, description = Detects NetWire RAT |
Source: 3.2.BiUwyvgVx6.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23 |
Source: 3.2.BiUwyvgVx6.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23 |
Source: 3.2.BiUwyvgVx6.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_NetWire author = ditekSHen, description = Detects NetWire RAT |
Source: 3.0.BiUwyvgVx6.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23 |
Source: 3.0.BiUwyvgVx6.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23 |
Source: 3.0.BiUwyvgVx6.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_NetWire author = ditekSHen, description = Detects NetWire RAT |
Source: 00000003.00000002.1721560085.0000000000423000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23 |
Source: 00000003.00000000.1275114632.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23 |
Source: 00000003.00000002.1721519472.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23 |
Source: 00000003.00000000.1275186965.0000000000422000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23 |
Source: Process Memory Space: BiUwyvgVx6.exe PID: 5680, type: MEMORYSTR |
Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_00406084 SetErrorMode,GetLogicalDriveStringsA,GetVolumeInformationA,GetDiskFreeSpaceExA,GetDriveTypeA, |
3_2_00406084 |
Source: BiUwyvgVx6.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: unknown |
Process created: C:\Users\user\Desktop\BiUwyvgVx6.exe "C:\Users\user\Desktop\BiUwyvgVx6.exe" |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5680 -s 384 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_00408417 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,malloc,malloc,malloc,LoadLibraryA,GetProcAddress,malloc,malloc,malloc,malloc, |
3_2_00408417 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_0040DCE9 push ecx; mov dword ptr [esp], 00423976h |
3_2_0040DD9F |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_0040DCE9 push ebp; mov dword ptr [esp], 0042398Ah |
3_2_0040DDD9 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_0040DCE9 push edx; mov dword ptr [esp], 00423997h |
3_2_0040DDF7 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_0040DCE9 push edx; mov dword ptr [esp], esi |
3_2_0040E394 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_0040A4BC push esi; mov dword ptr [esp], 00423347h |
3_2_0040A543 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_00409953 push edi; mov dword ptr [esp], 00000091h |
3_2_00409980 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_00409953 push ebp; mov dword ptr [esp], 00000090h |
3_2_0040998D |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_00411D8C push edx; mov dword ptr [esp], edi |
3_2_00412058 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_00409E61 push eax; mov dword ptr [esp], ebx |
3_2_00409FDE |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_00406E04 push ecx; mov dword ptr [esp], ebx |
3_2_00406E69 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_0040262F push edx; mov dword ptr [esp], edi |
3_2_004027C8 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_0040262F push edx; mov dword ptr [esp], edi |
3_2_00402815 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_0040262F push edx; mov dword ptr [esp], edi |
3_2_004029B2 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_004146E1 push eax; mov dword ptr [esp], ebx |
3_2_0041470B |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_0040970C push eax; mov dword ptr [esp], 0042B4A0h |
3_2_004097B9 |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Evasive API call chain: RegOpenKey,DecisionNodes,Sleep |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_00406453 MultiByteToWideChar,SetErrorMode,FindFirstFileW,FileTimeToSystemTime,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, |
3_2_00406453 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_0040680D SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,FindNextFileW, |
3_2_0040680D |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_0040753D MultiByteToWideChar,SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,MultiByteToWideChar,wcscat,WideCharToMultiByte,FindNextFileW, |
3_2_0040753D |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_00413A85 SetErrorMode,MultiByteToWideChar,FindFirstFileW,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, |
3_2_00413A85 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_0040DB1C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose, |
3_2_0040DB1C |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_00406F83 SetErrorMode,FindFirstFileA,strcmp,strcmp,strcat,fopen,strncpy,fclose,strcpy,FindNextFileA,FindClose, |
3_2_00406F83 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_00406390 FindFirstFileW,fopen,_snwprintf,fwprintf,_snwprintf,FindNextFileW,FindClose,fclose, |
3_2_00406390 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_00406084 SetErrorMode,GetLogicalDriveStringsA,GetVolumeInformationA,GetDiskFreeSpaceExA,GetDriveTypeA, |
3_2_00406084 |
Source: Amcache.hve.16.dr |
Binary or memory string: VMware |
Source: Amcache.hve.16.dr |
Binary or memory string: VMware Virtual USB Mouse |
Source: Amcache.hve.16.dr |
Binary or memory string: vmci.syshbin |
Source: Amcache.hve.16.dr |
Binary or memory string: VMware, Inc. |
Source: Amcache.hve.16.dr |
Binary or memory string: VMware20,1hbin@ |
Source: Amcache.hve.16.dr |
Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563 |
Source: Amcache.hve.16.dr |
Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: Amcache.hve.16.dr |
Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys |
Source: Amcache.hve.16.dr |
Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Amcache.hve.16.dr |
Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev |
Source: Amcache.hve.16.dr |
Binary or memory string: c:/windows/system32/drivers/vmci.sys |
Source: Amcache.hve.16.dr |
Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: Amcache.hve.16.dr |
Binary or memory string: vmci.sys |
Source: BiUwyvgVx6.exe, 00000003.00000002.1721788478.000000000068E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll9 |
Source: Amcache.hve.16.dr |
Binary or memory string: vmci.syshbin` |
Source: Amcache.hve.16.dr |
Binary or memory string: \driver\vmci,\driver\pci |
Source: Amcache.hve.16.dr |
Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Amcache.hve.16.dr |
Binary or memory string: VMware20,1 |
Source: Amcache.hve.16.dr |
Binary or memory string: Microsoft Hyper-V Generation Counter |
Source: Amcache.hve.16.dr |
Binary or memory string: NECVMWar VMware SATA CD00 |
Source: Amcache.hve.16.dr |
Binary or memory string: VMware Virtual disk SCSI Disk Device |
Source: Amcache.hve.16.dr |
Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom |
Source: Amcache.hve.16.dr |
Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk |
Source: Amcache.hve.16.dr |
Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver |
Source: Amcache.hve.16.dr |
Binary or memory string: VMware PCI VMCI Bus Device |
Source: Amcache.hve.16.dr |
Binary or memory string: VMware VMCI Bus Device |
Source: Amcache.hve.16.dr |
Binary or memory string: VMware Virtual RAM |
Source: Amcache.hve.16.dr |
Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1 |
Source: Amcache.hve.16.dr |
Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d |
Source: Amcache.hve.16.dr |
Binary or memory string: vmci.inf_amd64_68ed49469341f563 |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
API call chain: ExitProcess graph end node |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
API call chain: ExitProcess graph end node |
Source: C:\Users\user\Desktop\BiUwyvgVx6.exe |
Code function: 3_2_00408417 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,malloc,malloc,malloc,LoadLibraryA,GetProcAddress,malloc,malloc,malloc,malloc, |
3_2_00408417 |
Source: Amcache.hve.16.dr |
Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe |
Source: Amcache.hve.16.dr |
Binary or memory string: msmpeng.exe |
Source: Amcache.hve.16.dr |
Binary or memory string: c:\program files\windows defender\msmpeng.exe |
Source: Amcache.hve.16.dr |
Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe |
Source: Amcache.hve.16.dr |
Binary or memory string: MsMpEng.exe |
Source: Yara match |
File source: BiUwyvgVx6.exe, type: SAMPLE |
Source: Yara match |
File source: 3.2.BiUwyvgVx6.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.0.BiUwyvgVx6.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000003.00000002.1721560085.0000000000423000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000000.1275186965.0000000000422000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: BiUwyvgVx6.exe PID: 5680, type: MEMORYSTR |