Source: Yara match |
File source: vJsFBhrSfK.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.vJsFBhrSfK.exe.da0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.vJsFBhrSfK.exe.da0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000000.1692055755.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: vJsFBhrSfK.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: Yara match |
File source: vJsFBhrSfK.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.vJsFBhrSfK.exe.da0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.vJsFBhrSfK.exe.da0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000000.1692055755.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: vJsFBhrSfK.exe, type: SAMPLE |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 0.0.vJsFBhrSfK.exe.da0000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 0.2.vJsFBhrSfK.exe.da0000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 00000000.00000000.1692055755.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe |
Code function: 0_2_00DA10D0 |
0_2_00DA10D0 |
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe |
Code function: 0_2_00DA10CA |
0_2_00DA10CA |
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe |
Code function: 0_2_00DAF853 |
0_2_00DAF853 |
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe |
Code function: 0_2_00DAF84A |
0_2_00DAF84A |
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe |
Code function: 0_2_00DB61A3 |
0_2_00DB61A3 |
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe |
Code function: 0_2_00DA22C0 |
0_2_00DA22C0 |
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe |
Code function: 0_2_00DADAF3 |
0_2_00DADAF3 |
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe |
Code function: 0_2_00DAFA73 |
0_2_00DAFA73 |
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe |
Code function: 0_2_00DA1230 |
0_2_00DA1230 |
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe |
Code function: 0_2_00DA2DC0 |
0_2_00DA2DC0 |
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe |
Code function: 0_2_00DCE5B3 |
0_2_00DCE5B3 |
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe |
Code function: 0_2_00DA2640 |
0_2_00DA2640 |
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe |
Code function: 0_2_00DB7FC3 |
0_2_00DB7FC3 |
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6480 -s 228 |
Source: vJsFBhrSfK.exe, type: SAMPLE |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 0.0.vJsFBhrSfK.exe.da0000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 0.2.vJsFBhrSfK.exe.da0000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 00000000.00000000.1692055755.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: vJsFBhrSfK.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: classification engine |
Classification label: mal80.troj.winEXE@2/5@0/0 |
Source: C:\Windows\SysWOW64\WerFault.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6480 |
Source: vJsFBhrSfK.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: unknown |
Process created: C:\Users\user\Desktop\vJsFBhrSfK.exe "C:\Users\user\Desktop\vJsFBhrSfK.exe" |
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6480 -s 228 |
Source: vJsFBhrSfK.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe |
Code function: 0_2_00DA3040 push eax; ret |
0_2_00DA3042 |
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe |
Code function: 0_2_00DB5040 push eax; iretd |
0_2_00DB5043 |
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe |
Code function: 0_2_00DA6167 push ebp; ret |
0_2_00DA616B |
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe |
Code function: 0_2_00DB7A84 pushad ; iretd |
0_2_00DB7A90 |
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe |
Code function: 0_2_00DB7B34 pushad ; retf |
0_2_00DB7B35 |
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe |
Code function: 0_2_00DB3560 push 00000076h; iretd |
0_2_00DB356F |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: Amcache.hve.3.dr |
Binary or memory string: VMware |
Source: Amcache.hve.3.dr |
Binary or memory string: VMware Virtual USB Mouse |
Source: Amcache.hve.3.dr |
Binary or memory string: vmci.syshbin |
Source: Amcache.hve.3.dr |
Binary or memory string: VMware, Inc. |
Source: Amcache.hve.3.dr |
Binary or memory string: VMware20,1hbin@ |
Source: Amcache.hve.3.dr |
Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563 |
Source: Amcache.hve.3.dr |
Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: Amcache.hve.3.dr |
Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys |
Source: Amcache.hve.3.dr |
Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Amcache.hve.3.dr |
Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev |
Source: Amcache.hve.3.dr |
Binary or memory string: c:/windows/system32/drivers/vmci.sys |
Source: Amcache.hve.3.dr |
Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: Amcache.hve.3.dr |
Binary or memory string: vmci.sys |
Source: Amcache.hve.3.dr |
Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0 |
Source: Amcache.hve.3.dr |
Binary or memory string: vmci.syshbin` |
Source: Amcache.hve.3.dr |
Binary or memory string: \driver\vmci,\driver\pci |
Source: Amcache.hve.3.dr |
Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Amcache.hve.3.dr |
Binary or memory string: VMware20,1 |
Source: Amcache.hve.3.dr |
Binary or memory string: Microsoft Hyper-V Generation Counter |
Source: Amcache.hve.3.dr |
Binary or memory string: NECVMWar VMware SATA CD00 |
Source: Amcache.hve.3.dr |
Binary or memory string: VMware Virtual disk SCSI Disk Device |
Source: Amcache.hve.3.dr |
Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom |
Source: Amcache.hve.3.dr |
Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk |
Source: Amcache.hve.3.dr |
Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver |
Source: Amcache.hve.3.dr |
Binary or memory string: VMware PCI VMCI Bus Device |
Source: Amcache.hve.3.dr |
Binary or memory string: VMware VMCI Bus Device |
Source: Amcache.hve.3.dr |
Binary or memory string: VMware Virtual RAM |
Source: Amcache.hve.3.dr |
Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1 |
Source: Amcache.hve.3.dr |
Binary or memory string: vmci.inf_amd64_68ed49469341f563 |
Source: Amcache.hve.3.dr |
Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe |
Source: Amcache.hve.3.dr |
Binary or memory string: msmpeng.exe |
Source: Amcache.hve.3.dr |
Binary or memory string: c:\program files\windows defender\msmpeng.exe |
Source: Amcache.hve.3.dr |
Binary or memory string: MsMpEng.exe |
Source: Yara match |
File source: vJsFBhrSfK.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.vJsFBhrSfK.exe.da0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.vJsFBhrSfK.exe.da0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000000.1692055755.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: vJsFBhrSfK.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.vJsFBhrSfK.exe.da0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.vJsFBhrSfK.exe.da0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000000.1692055755.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |