Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe |
Avira: detection malicious, Label: TR/Dropper.Gen |
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe |
ReversingLabs: Detection: 86% |
Source: file.exe |
ReversingLabs: Detection: 86% |
Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 81.4% probability |
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe |
Joe Sandbox ML: detected |
Source: file.exe |
Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dll |
Source: file.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: |
Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\. source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\. source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\. source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\. source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: C:\Users\user\Desktop\file.exe |
Code function: 4x nop then mov dword ptr [ebp+10h], 00000057h | 0_2_00007FF8879C09E2 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 4x nop then mov dword ptr [ebp+10h], 00000070h | 0_2_00007FF8879C09E2 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 4x nop then mov dword ptr [ebp+10h], 0000008Dh | 0_2_00007FF8879C09E2 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 4x nop then mov dword ptr [ebp+10h], 0000002Ch | 0_2_00007FF8879C0F46 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 4x nop then mov dword ptr [ebp+10h], 0000007Fh | 0_2_00007FF8879C20BE |
Source: file.exe, 00000000.00000002.2683285299.0000000000D57000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en |
Source: file.exe, 00000000.00000002.2683285299.0000000000D0C000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab |
Source: file.exe, Windows.exe.0.dr |
String found in binary or memory: http://ip-api.com/line/?fields=hosting |
Source: file.exe, Windows.exe.0.dr |
String found in binary or memory: http://www.site.com/log.php |
Source: file.exe, Windows.exe.0.dr |
String found in binary or memory: https://www.google.com/search?q=how |
Source: Yara match |
File source: Process Memory Space: file.exe PID: 7624, type: MEMORYSTR |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00007FF8879C09E2 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00007FF8879C413E |
Source: file.exe |
Static PE information: invalid certificate |
Source: file.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: Windows.exe.0.dr |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: file.exe, check.cs |
Cryptographic APIs: 'TransformFinalBlock' (3 identical entries) |
Source: Windows.exe.0.dr, check.cs |
Cryptographic APIs: 'TransformFinalBlock' (3 identical entries) |
Source: classification engine |
Classification label: mal100.rans.adwa.evad.winEXE@1/4@0/0 |
Source: C:\Users\user\Desktop\file.exe |
File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe |
Source: C:\Users\user\Desktop\file.exe |
Mutant created: NULL |
Source: C:\Users\user\Desktop\file.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Windows |
Source: file.exe |
Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98% |
Source: C:\Users\user\Desktop\file.exe |
WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor (9 identical entries) |
Source: C:\Users\user\Desktop\file.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\file.exe |
File read: C:\Users\user\Desktop\file.exe |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: mscoree.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: version.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: msasn1.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: riched20.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: usp10.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: msls31.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: gpapi.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: cryptnet.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: winnsi.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: winhttp.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: ondemandconnroutehelper.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: mswsock.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: dhcpcsvc6.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: dhcpcsvc.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: webio.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: dnsapi.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: rasadhlp.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: fwpuclnt.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: cabinet.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: shfolder.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: ntmarta.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: wbemcomn.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: amsi.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll |
Source: file.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: file.exe |
Static PE information: section name: .text entropy: 7.353780498511655 |
Source: Windows.exe.0.dr |
Static PE information: section name: .text entropy: 7.353780498511655 |
Source: C:\Users\user\Desktop\file.exe |
File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe\:Zone.Identifier:$DATA |
Source: C:\Users\user\Desktop\file.exe |
Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot |
Source: C:\Users\user\Desktop\file.exe |
Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT |
Source: C:\Users\user\Desktop\file.exe |
Process information set: NOOPENFILEERRORBOX (29 identical entries) |
Source: file.exe, Windows.exe.0.dr |
Binary or memory string: SBIEDLL.DLLMHTTP://IP-API.COM/LINE/?FIELDS=HOSTING |
Source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: SBIEDLL.DLL |
Source: C:\Users\user\Desktop\file.exe |
Memory allocated: 1090000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\file.exe |
Memory allocated: 2EC0000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\file.exe |
Memory allocated: 1AEC0000 memory commit | memory reserve | memory write watch |
Source: C:\Users\user\Desktop\file.exe TID: 7712 |
Thread sleep time: -30000s >= -30000s |
Source: C:\Users\user\Desktop\file.exe |
WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS (9 identical entries) |
Source: C:\Users\user\Desktop\file.exe |
WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard (9 identical entries) |
Source: C:\Users\user\Desktop\file.exe |
WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor |
Source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: LKD:\sources\replacementmanifests\microsoft-hyper-v-migration-replacement.man |
Source: Windows.exe.0.dr |
Binary or memory string: vmware |
Source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: %DetectVirtualMachine% |
Source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: TSD:\sources\replacementmanifests\microsoft-hyper-v-drivers-migration-replacement.man |
Source: file.exe, 00000000.00000002.2683285299.0000000000D57000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW0 |
Source: file.exe, 00000000.00000002.2689210405.000000001BB03000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAWq1u |
Source: file.exe, Windows.exe.0.dr |
Binary or memory string: %Emulator%-%DetectVirtualMachine% |
Source: file.exe, 00000000.00000002.2689210405.000000001BB03000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: file.exe, Windows.exe.0.dr |
Binary or memory string: DetectVirtualMachine |
Source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: SRD:\sources\replacementmanifests\microsoft-hyper-v-client-migration-replacement.man |
Source: C:\Users\user\Desktop\file.exe |
Process queried: DebugPort |
Source: C:\Users\user\Desktop\file.exe |
Process token adjusted: Debug |
Source: C:\Users\user\Desktop\file.exe |
Memory allocated: page read and write | page guard |
Source: C:\Users\user\Desktop\file.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |