Source: SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
ReversingLabs: Detection: 34% |
Source: SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, BYTES_REVERSED_LO, 32BIT_MACHINE, DEBUG_STRIPPED, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP, BYTES_REVERSED_HI |
Source: Amcache.hve.3.dr |
String found in binary or memory: http://upx.sf.net |
Source: SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
String found in binary or memory: http://www.clamav.net |
Source: SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
String found in binary or memory: http://www.pcnet123.cn |
Source: SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
String found in binary or memory: http://www.pcnet123.cnOpenU |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Code function: 0_2_0045B050 |
0_2_0045B050 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Code function: 0_2_0047B0D0 |
0_2_0047B0D0 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Code function: 0_2_004752F4 |
0_2_004752F4 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Code function: 0_2_0045554C |
0_2_0045554C |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Code function: String function: 0040441C appears 87 times |
|
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6668 -s 232 |
Source: SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Static PE information: No import functions for PE file found |
Source: SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, BYTES_REVERSED_LO, 32BIT_MACHINE, DEBUG_STRIPPED, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP, BYTES_REVERSED_HI |
Source: classification engine |
Classification label: mal64.winEXE@2/5@0/0 |
Source: C:\Windows\SysWOW64\WerFault.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6668 |
Source: SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
ReversingLabs: Detection: 34% |
Source: unknown |
Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe" |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6668 -s 232 |
Source: SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Static PE information: section name: .clam01 |
Source: SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Static PE information: section name: .clam02 |
Source: SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Static PE information: section name: .clam03 |
Source: SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Static PE information: section name: .clam04 |
Source: SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Static PE information: section name: .clam05 |
Source: SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Static PE information: section name: .clam06 |
Source: SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Static PE information: section name: .clam07 |
Source: SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Static PE information: section name: .clam08 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Code function: 0_2_0047E04C push 0047E078h; ret |
0_2_0047E070 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Code function: 0_2_00468074 push 004680A0h; ret |
0_2_00468098 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Code function: 0_2_00456004 push 0045606Fh; ret |
0_2_00456067 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Code function: 0_2_0047E014 push 0047E040h; ret |
0_2_0047E038 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Code function: 0_2_00468010 push 00468036h; ret |
0_2_0046802E |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Code function: 0_2_0040E0C4 push 0040E240h; ret |
0_2_0040E238 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Code function: 0_2_0047E084 push 0047E0B0h; ret |
0_2_0047E0A8 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Code function: 0_2_0047E0BC push 0047E0E8h; ret |
0_2_0047E0E0 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Code function: 0_2_0041E178 push ecx; mov dword ptr [esp], edx |
0_2_0041E17A |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Code function: 0_2_0047E12C push 0047E158h; ret |
0_2_0047E150 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Code function: 0_2_004841F8 push 00484224h; ret |
0_2_0048421C |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Code function: 0_2_0044E1FC push 0044E228h; ret |
0_2_0044E220 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Code function: 0_2_0047E184 push 0047E1B0h; ret |
0_2_0047E1A8 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Code function: 0_2_00498184 push 004981B0h; ret |
0_2_004981A8 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Code function: 0_2_0040E242 push 0040E2B3h; ret |
0_2_0040E2AB |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Code function: 0_2_0040E244 push 0040E2B3h; ret |
0_2_0040E2AB |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Code function: 0_2_0042A2C0 push 0042A390h; ret |
0_2_0042A388 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Code function: 0_2_0040E322 push 0040E350h; ret |
0_2_0040E348 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Code function: 0_2_0040E324 push 0040E350h; ret |
0_2_0040E348 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Code function: 0_2_004843D4 push 00484400h; ret |
0_2_004843F8 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Code function: 0_2_00464460 push ecx; mov dword ptr [esp], ecx |
0_2_00464465 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Code function: 0_2_00420438 push ecx; mov dword ptr [esp], edx |
0_2_0042043D |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Code function: 0_2_004664D8 push 0046651Bh; ret |
0_2_00466513 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Code function: 0_2_0042A4A0 push 0042A4CCh; ret |
0_2_0042A4C4 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Code function: 0_2_004164B4 push ecx; mov dword ptr [esp], eax |
0_2_004164B5 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Code function: 0_2_0042C554 push 0042C595h; ret |
0_2_0042C58D |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Code function: 0_2_00486538 push 00486564h; ret |
0_2_0048655C |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Code function: 0_2_0046653C push 00466588h; ret |
0_2_00466580 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Code function: 0_2_0042C5D8 push 0042C610h; ret |
0_2_0042C608 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Code function: 0_2_00466594 push 004665C0h; ret |
0_2_004665B8 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Banker1.26916.10129.11946.exe |
Code function: 0_2_0042C5A0 push 0042C5CCh; ret |
0_2_0042C5C4 |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: Amcache.hve.3.dr |
Binary or memory string: VMware |
Source: Amcache.hve.3.dr |
Binary or memory string: VMware Virtual USB Mouse |
Source: Amcache.hve.3.dr |
Binary or memory string: vmci.syshbin |
Source: Amcache.hve.3.dr |
Binary or memory string: VMware, Inc. |
Source: Amcache.hve.3.dr |
Binary or memory string: VMware20,1hbin@ |
Source: Amcache.hve.3.dr |
Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563 |
Source: Amcache.hve.3.dr |
Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: Amcache.hve.3.dr |
Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys |
Source: Amcache.hve.3.dr |
Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Amcache.hve.3.dr |
Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev |
Source: Amcache.hve.3.dr |
Binary or memory string: c:/windows/system32/drivers/vmci.sys |
Source: Amcache.hve.3.dr |
Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: Amcache.hve.3.dr |
Binary or memory string: vmci.sys |
Source: Amcache.hve.3.dr |
Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0 |
Source: Amcache.hve.3.dr |
Binary or memory string: vmci.syshbin` |
Source: Amcache.hve.3.dr |
Binary or memory string: \driver\vmci,\driver\pci |
Source: Amcache.hve.3.dr |
Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Amcache.hve.3.dr |
Binary or memory string: VMware20,1 |
Source: Amcache.hve.3.dr |
Binary or memory string: Microsoft Hyper-V Generation Counter |
Source: Amcache.hve.3.dr |
Binary or memory string: NECVMWar VMware SATA CD00 |
Source: Amcache.hve.3.dr |
Binary or memory string: VMware Virtual disk SCSI Disk Device |
Source: Amcache.hve.3.dr |
Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom |
Source: Amcache.hve.3.dr |
Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk |
Source: Amcache.hve.3.dr |
Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver |
Source: Amcache.hve.3.dr |
Binary or memory string: VMware PCI VMCI Bus Device |
Source: Amcache.hve.3.dr |
Binary or memory string: VMware VMCI Bus Device |
Source: Amcache.hve.3.dr |
Binary or memory string: VMware Virtual RAM |
Source: Amcache.hve.3.dr |
Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1 |
Source: Amcache.hve.3.dr |
Binary or memory string: vmci.inf_amd64_68ed49469341f563 |
Source: Amcache.hve.3.dr |
Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe |
Source: Amcache.hve.3.dr |
Binary or memory string: msmpeng.exe |
Source: Amcache.hve.3.dr |
Binary or memory string: c:\program files\windows defender\msmpeng.exe |
Source: Amcache.hve.3.dr |
Binary or memory string: MsMpEng.exe |