Click to jump to signature section
Source: PO 455U90897QD.exe | ReversingLabs: Detection: 44% |
Source: PO 455U90897QD.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
Source: C:\Users\user\Desktop\PO 455U90897QD.exe | Code function: 0_2_00412038 | 0_2_00412038 |
Source: C:\Users\user\Desktop\PO 455U90897QD.exe | Code function: 0_2_00427161 | 0_2_00427161 |
Source: C:\Users\user\Desktop\PO 455U90897QD.exe | Code function: 0_2_0047E1FA | 0_2_0047E1FA |
Source: C:\Users\user\Desktop\PO 455U90897QD.exe | Code function: 0_2_004212BE | 0_2_004212BE |
Source: C:\Users\user\Desktop\PO 455U90897QD.exe | Code function: 0_2_00443390 | 0_2_00443390 |
Source: C:\Users\user\Desktop\PO 455U90897QD.exe | Code function: 0_2_00443391 | 0_2_00443391 |
Source: C:\Users\user\Desktop\PO 455U90897QD.exe | Code function: 0_2_0041A46B | 0_2_0041A46B |
Source: C:\Users\user\Desktop\PO 455U90897QD.exe | Code function: 0_2_0041240C | 0_2_0041240C |
Source: C:\Users\user\Desktop\PO 455U90897QD.exe | Code function: 0_2_00446566 | 0_2_00446566 |
Source: C:\Users\user\Desktop\PO 455U90897QD.exe | Code function: 0_2_0041D750 | 0_2_0041D750 |
Source: C:\Users\user\Desktop\PO 455U90897QD.exe | Code function: 0_2_004037E0 | 0_2_004037E0 |
Source: C:\Users\user\Desktop\PO 455U90897QD.exe | Code function: 0_2_00427859 | 0_2_00427859 |
Source: C:\Users\user\Desktop\PO 455U90897QD.exe | Code function: 0_2_00412818 | 0_2_00412818 |
Source: C:\Users\user\Desktop\PO 455U90897QD.exe | Code function: 0_2_0040F890 | 0_2_0040F890 |
Source: C:\Users\user\Desktop\PO 455U90897QD.exe | Code function: 0_2_0042397B | 0_2_0042397B |
Source: C:\Users\user\Desktop\PO 455U90897QD.exe | Code function: 0_2_00409A40 | 0_2_00409A40 |
Source: C:\Users\user\Desktop\PO 455U90897QD.exe | Code function: 0_2_00411B63 | 0_2_00411B63 |
Source: C:\Users\user\Desktop\PO 455U90897QD.exe | Code function: 0_2_0047CBF0 | 0_2_0047CBF0 |
Source: C:\Users\user\Desktop\PO 455U90897QD.exe | Code function: 0_2_0044EBBC | 0_2_0044EBBC |
Source: C:\Users\user\Desktop\PO 455U90897QD.exe | Code function: 0_2_00412C38 | 0_2_00412C38 |
Source: C:\Users\user\Desktop\PO 455U90897QD.exe | Code function: 0_2_0044ED9A | 0_2_0044ED9A |
Source: C:\Users\user\Desktop\PO 455U90897QD.exe | Code function: 0_2_00423EBF | 0_2_00423EBF |
Source: C:\Users\user\Desktop\PO 455U90897QD.exe | Code function: 0_2_00424F70 | 0_2_00424F70 |
Source: C:\Users\user\Desktop\PO 455U90897QD.exe | Code function: 0_2_0041AF0D | 0_2_0041AF0D |
Source: C:\Users\user\Desktop\PO 455U90897QD.exe | Code function: String function: 0041171A appears 37 times | |
Source: C:\Users\user\Desktop\PO 455U90897QD.exe | Code function: String function: 004021E0 appears 45 times | |
Source: C:\Users\user\Desktop\PO 455U90897QD.exe | Code function: String function: 0041718C appears 47 times | |
Source: C:\Users\user\Desktop\PO 455U90897QD.exe | Code function: String function: 0040E6D0 appears 81 times | |
Source: C:\Users\user\Desktop\PO 455U90897QD.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6216 -s 232 |
Source: PO 455U90897QD.exe | Static PE information: No import functions for PE file found |
Source: PO 455U90897QD.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
Source: classification engine | Classification label: mal64.winEXE@2/5@0/0 |
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6216 |
Source: PO 455U90897QD.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: PO 455U90897QD.exe | ReversingLabs: Detection: 44% |
Source: unknown | Process created: C:\Users\user\Desktop\PO 455U90897QD.exe "C:\Users\user\Desktop\PO 455U90897QD.exe" |
Source: C:\Users\user\Desktop\PO 455U90897QD.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6216 -s 232 |
Source: PO 455U90897QD.exe | Static PE information: real checksum: 0xa2135 should be: 0xcfe4f |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: Amcache.hve.4.dr | Binary or memory string: VMware |
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual USB Mouse |
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin |
Source: Amcache.hve.4.dr | Binary or memory string: VMware, Inc. |
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1hbin@ |
Source: Amcache.hve.4.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563 |
Source: Amcache.hve.4.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: Amcache.hve.4.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys |
Source: Amcache.hve.4.dr | Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20 |
Source: Amcache.hve.4.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Amcache.hve.4.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev |
Source: Amcache.hve.4.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys |
Source: Amcache.hve.4.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: Amcache.hve.4.dr | Binary or memory string: vmci.sys |
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin` |
Source: Amcache.hve.4.dr | Binary or memory string: \driver\vmci,\driver\pci |
Source: Amcache.hve.4.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1 |
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Generation Counter |
Source: Amcache.hve.4.dr | Binary or memory string: NECVMWar VMware SATA CD00 |
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device |
Source: Amcache.hve.4.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom |
Source: Amcache.hve.4.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk |
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver |
Source: Amcache.hve.4.dr | Binary or memory string: VMware PCI VMCI Bus Device |
Source: Amcache.hve.4.dr | Binary or memory string: VMware VMCI Bus Device |
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual RAM |
Source: Amcache.hve.4.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1 |
Source: Amcache.hve.4.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563 |
Source: PO 455U90897QD.exe | Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning |
Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe |
Source: Amcache.hve.4.dr | Binary or memory string: msmpeng.exe |
Source: Amcache.hve.4.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe |
Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe |
Source: Amcache.hve.4.dr | Binary or memory string: MsMpEng.exe |