Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | Avira: detection malicious, Label: TR/Dropper.Gen |
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | ReversingLabs: Detection: 86% |
Source: file.exe | ReversingLabs: Detection: 86% |
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 81.4% probability |
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | Joe Sandbox ML: detected |
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dll |
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: | Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\. source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\. source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\. source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\. source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp |
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov dword ptr [ebp+10h], 00000057h | 0_2_00007FF8879C09E2 |
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov dword ptr [ebp+10h], 00000070h | 0_2_00007FF8879C09E2 |
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov dword ptr [ebp+10h], 0000008Dh | 0_2_00007FF8879C09E2 |
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov dword ptr [ebp+10h], 0000002Ch | 0_2_00007FF8879C0F46 |
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov dword ptr [ebp+10h], 0000007Fh | 0_2_00007FF8879C20BE |
Source: file.exe, 00000000.00000002.2683285299.0000000000D57000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en |
Source: file.exe, 00000000.00000002.2683285299.0000000000D0C000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab |
Source: file.exe, Windows.exe.0.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting |
Source: file.exe, Windows.exe.0.dr | String found in binary or memory: http://www.site.com/log.php |
Source: file.exe, Windows.exe.0.dr | String found in binary or memory: https://www.google.com/search?q=how |
Source: Yara match | File source: Process Memory Space: file.exe PID: 7624, type: MEMORYSTR |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF8879C09E2 | 0_2_00007FF8879C09E2 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF8879C413E | 0_2_00007FF8879C413E |
Source: file.exe | Static PE information: invalid certificate |
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: Windows.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: file.exe, check.cs | Cryptographic APIs: 'TransformFinalBlock' (3 identical entries) |
Source: Windows.exe.0.dr, check.cs | Cryptographic APIs: 'TransformFinalBlock' (3 identical entries) |
Source: classification engine | Classification label: mal100.rans.adwa.evad.winEXE@1/4@0/0 |
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe |
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL |
Source: C:\Users\user\Desktop\file.exe | Mutant created: \Sessions\1\BaseNamedObjects\Windows |
Source: file.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98% |
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor (9 identical entries) |
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe |
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: riched20.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: usp10.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: msls31.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptnet.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: dhcpcsvc6.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: dhcpcsvc.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: webio.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: rasadhlp.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: fwpuclnt.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: cabinet.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: shfolder.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntmarta.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: wbemcomn.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll |
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: file.exe | Static PE information: section name: .text entropy: 7.353780498511655 |
Source: Windows.exe.0.dr | Static PE information: section name: .text entropy: 7.353780498511655 |
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe (4 identical entries) |
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe\:Zone.Identifier:$DATA |
Source: C:\Users\user\Desktop\file.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot |
Source: C:\Users\user\Desktop\file.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX (29 identical entries) |
Source: file.exe, Windows.exe.0.dr | Binary or memory string: SBIEDLL.DLLMHTTP://IP-API.COM/LINE/?FIELDS=HOSTING |
Source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL |
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 1090000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 2EC0000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 1AEC0000 memory commit | memory reserve | memory write watch |
Source: C:\Users\user\Desktop\file.exe TID: 7712 | Thread sleep time: -30000s >= -30000s |
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS (9 identical entries) |
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard (9 identical entries) |
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor |
Source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: LKD:\sources\replacementmanifests\microsoft-hyper-v-migration-replacement.man |
Source: Windows.exe.0.dr | Binary or memory string: vmware |
Source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: %DetectVirtualMachine% |
Source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: TSD:\sources\replacementmanifests\microsoft-hyper-v-drivers-migration-replacement.man |
Source: file.exe, 00000000.00000002.2683285299.0000000000D57000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0 |
Source: file.exe, 00000000.00000002.2689210405.000000001BB03000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWq1u |
Source: file.exe, Windows.exe.0.dr | Binary or memory string: %Emulator%-%DetectVirtualMachine% |
Source: file.exe, 00000000.00000002.2689210405.000000001BB03000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW |
Source: file.exe, Windows.exe.0.dr | Binary or memory string: DetectVirtualMachine |
Source: file.exe, 00000000.00000002.2683873012.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SRD:\sources\replacementmanifests\microsoft-hyper-v-client-migration-replacement.man |
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Debug | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard | Jump to behavior |
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid | Jump to behavior |