Source: http://173.230.145.224:8080/ |
Virustotal: Detection: 6% |
Source: zeD11Fztx8.exe |
Virustotal: Detection: 82% |
Source: zeD11Fztx8.exe |
ReversingLabs: Detection: 96% |
Source: zeD11Fztx8.exe |
Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE |
Source: zeD11Fztx8.exe |
Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: global traffic |
TCP traffic: 192.168.2.4:49746 -> 193.169.54.12:8080 |
Source: global traffic |
TCP traffic: 192.168.2.4:49757 -> 173.230.145.224:8080 |
Source: global traffic |
TCP traffic: 192.168.2.4:49763 -> 80.86.91.232:7080 |
Source: Joe Sandbox View |
IP Address: 193.169.54.12 |
Source: Joe Sandbox View |
IP Address: 80.86.91.232 |
Source: global traffic |
HTTP traffic detected: POST / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 79.172.249.82:443Content-Length: 468Connection: Keep-AliveCache-Control: no-cache |
Source: unknown |
TCP traffic detected without corresponding DNS query: 79.172.249.82 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 193.169.54.12 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 173.230.145.224 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 80.86.91.232 |
Source: storageservice.exe, 00000003.00000002.898823671.000000000105A000.00000004.00000020.sdmp |
String found in binary or memory: http://173.230.145.224:8080/ |
Source: storageservice.exe, 00000003.00000002.898823671.000000000105A000.00000004.00000020.sdmp |
String found in binary or memory: http://173.230.145.224:8080/gP |
Source: storageservice.exe, 00000003.00000002.898823671.000000000105A000.00000004.00000020.sdmp |
String found in binary or memory: http://173.230.145.224:8080/m |
Source: storageservice.exe, 00000003.00000002.898823671.000000000105A000.00000004.00000020.sdmp |
String found in binary or memory: http://193.169.54.12:8080/ |
Source: storageservice.exe, 00000003.00000002.898823671.000000000105A000.00000004.00000020.sdmp |
String found in binary or memory: http://193.169.54.12:8080// |
Source: storageservice.exe, 00000003.00000002.898800934.0000000001048000.00000004.00000020.sdmp |
String found in binary or memory: http://79.172.249.82:443/ |
Source: storageservice.exe, 00000003.00000002.898800934.0000000001048000.00000004.00000020.sdmp |
String found in binary or memory: http://79.172.249.82:443/$ |
Source: storageservice.exe, 00000003.00000002.898823671.000000000105A000.00000004.00000020.sdmp |
String found in binary or memory: http://80.86.91.232:7080/ |
Source: storageservice.exe, 00000003.00000002.898823671.000000000105A000.00000004.00000020.sdmp |
String found in binary or memory: http://80.86.91.232:7080/24 |
Source: storageservice.exe, 00000003.00000002.898823671.000000000105A000.00000004.00000020.sdmp |
String found in binary or memory: http://80.86.91.232:7080/7 |
Source: storageservice.exe, 00000003.00000002.898823671.000000000105A000.00000004.00000020.sdmp |
String found in binary or memory: http://80.86.91.232:7080/9.54.12:8080/; |
Source: storageservice.exe, 00000003.00000002.898823671.000000000105A000.00000004.00000020.sdmp |
String found in binary or memory: http://80.86.91.232:7080/G |
Source: storageservice.exe, 00000003.00000002.898823671.000000000105A000.00000004.00000020.sdmp |
String found in binary or memory: http://80.86.91.232:7080/ed |
Source: storageservice.exe, 00000003.00000002.898823671.000000000105A000.00000004.00000020.sdmp |
String found in binary or memory: http://80.86.91.232:7080/h |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49738 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49738 -> 443 |
Source: zeD11Fztx8.exe, 00000000.00000002.633588654.0000000000C8A000.00000004.00000020.sdmp |
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
|
Source: Yara match |
File source: zeD11Fztx8.exe, type: SAMPLE |
Source: Yara match |
File source: 00000001.00000002.640361081.0000000001381000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.638984509.0000000001381000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000000.633157257.0000000001381000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000000.639793428.0000000001381000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.898946523.0000000001381000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000000.632271273.0000000001381000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.640209506.0000000001381000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 3.2.storageservice.exe.1380000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.zeD11Fztx8.exe.1380000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.0.storageservice.exe.1380000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.storageservice.exe.1380000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.0.zeD11Fztx8.exe.1380000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.0.zeD11Fztx8.exe.1380000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.storageservice.exe.1380000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.zeD11Fztx8.exe.1380000.0.unpack, type: UNPACKEDPE |
Source: zeD11Fztx8.exe, type: SAMPLE |
Matched rule: Emotet Payload Author: kevoreilly |
Source: 3.2.storageservice.exe.1380000.0.unpack, type: UNPACKEDPE |
Matched rule: Emotet Payload Author: kevoreilly |
Source: 1.2.zeD11Fztx8.exe.1380000.0.unpack, type: UNPACKEDPE |
Matched rule: Emotet Payload Author: kevoreilly |
Source: 3.0.storageservice.exe.1380000.0.unpack, type: UNPACKEDPE |
Matched rule: Emotet Payload Author: kevoreilly |
Source: 2.2.storageservice.exe.1380000.0.unpack, type: UNPACKEDPE |
Matched rule: Emotet Payload Author: kevoreilly |
Source: 0.0.zeD11Fztx8.exe.1380000.0.unpack, type: UNPACKEDPE |
Matched rule: Emotet Payload Author: kevoreilly |
Source: 1.0.zeD11Fztx8.exe.1380000.0.unpack, type: UNPACKEDPE |
Matched rule: Emotet Payload Author: kevoreilly |
Source: 2.0.storageservice.exe.1380000.0.unpack, type: UNPACKEDPE |
Matched rule: Emotet Payload Author: kevoreilly |
Source: 0.2.zeD11Fztx8.exe.1380000.0.unpack, type: UNPACKEDPE |
Matched rule: Emotet Payload Author: kevoreilly |
Source: C:\Windows\SysWOW64\storageservice.exe |
File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache |
Source: C:\Users\user\Desktop\zeD11Fztx8.exe |
File deleted: C:\Windows\SysWOW64\storageservice.exe:Zone.Identifier |
Source: C:\Users\user\Desktop\zeD11Fztx8.exe |
Code function: 0_2_01386E70 |
Source: C:\Users\user\Desktop\zeD11Fztx8.exe |
Code function: 0_2_013877F0 |
Source: zeD11Fztx8.exe, 00000001.00000002.641022607.0000000003780000.00000002.00000001.sdmp |
Binary or memory string: System.OriginalFileName vs zeD11Fztx8.exe |
Source: zeD11Fztx8.exe, 00000001.00000002.641157550.0000000003870000.00000002.00000001.sdmp |
Binary or memory string: originalfilename vs zeD11Fztx8.exe |
Source: zeD11Fztx8.exe, 00000001.00000002.641157550.0000000003870000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs zeD11Fztx8.exe |
Source: zeD11Fztx8.exe, type: SAMPLE |
Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: 3.2.storageservice.exe.1380000.0.unpack, type: UNPACKEDPE |
Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: 1.2.zeD11Fztx8.exe.1380000.0.unpack, type: UNPACKEDPE |
Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: 3.0.storageservice.exe.1380000.0.unpack, type: UNPACKEDPE |
Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: 2.2.storageservice.exe.1380000.0.unpack, type: UNPACKEDPE |
Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: 0.0.zeD11Fztx8.exe.1380000.0.unpack, type: UNPACKEDPE |
Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: 1.0.zeD11Fztx8.exe.1380000.0.unpack, type: UNPACKEDPE |
Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: 2.0.storageservice.exe.1380000.0.unpack, type: UNPACKEDPE |
Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: 0.2.zeD11Fztx8.exe.1380000.0.unpack, type: UNPACKEDPE |
Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: classification engine |
Classification label: mal96.troj.evad.winEXE@9/0@0/4 |
Source: C:\Users\user\Desktop\zeD11Fztx8.exe |
Code function: 0_2_01382110 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, |
Source: C:\Users\user\Desktop\zeD11Fztx8.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Global\I7AD90449 |
Source: C:\Windows\SysWOW64\storageservice.exe |
Mutant created: \BaseNamedObjects\Global\I7AD90449 |
Source: C:\Windows\SysWOW64\storageservice.exe |
Mutant created: \BaseNamedObjects\M7B1EF2AC |
Source: C:\Users\user\Desktop\zeD11Fztx8.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Global\M7AD90449 |
Source: C:\Users\user\Desktop\zeD11Fztx8.exe |
Mutant created: \Sessions\1\BaseNamedObjects\MAA169F89 |
Source: zeD11Fztx8.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\zeD11Fztx8.exe |
File read: C:\Users\desktop.ini |
Source: C:\Users\user\Desktop\zeD11Fztx8.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown |
Process created: C:\Users\user\Desktop\zeD11Fztx8.exe 'C:\Users\user\Desktop\zeD11Fztx8.exe' |
|
Source: C:\Users\user\Desktop\zeD11Fztx8.exe |
Process created: C:\Users\user\Desktop\zeD11Fztx8.exe C:\Users\user\Desktop\zeD11Fztx8.exe |
|
Source: unknown |
Process created: C:\Windows\SysWOW64\storageservice.exe C:\Windows\SysWOW64\storageservice.exe |
|
Source: C:\Windows\SysWOW64\storageservice.exe |
Process created: C:\Windows\SysWOW64\storageservice.exe C:\Windows\SysWOW64\storageservice.exe |
|
Source: unknown |
Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p |
|
Source: unknown |
Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p |
|
Source: unknown |
Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p |
|
Source: C:\Users\user\Desktop\zeD11Fztx8.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 |
Source: C:\Users\user\Desktop\zeD11Fztx8.exe |
Code function: 0_2_01381F40 VirtualAlloc,memcpy,memcpy,LoadLibraryA,GetProcAddress,VirtualFree, |
Source: C:\Windows\SysWOW64\storageservice.exe |
Executable created and started: C:\Windows\SysWOW64\storageservice.exe |
Source: C:\Users\user\Desktop\zeD11Fztx8.exe |
PE file moved: C:\Windows\SysWOW64\storageservice.exe |
Source: C:\Users\user\Desktop\zeD11Fztx8.exe |
File opened: C:\Windows\SysWOW64\storageservice.exe:Zone.Identifier read attributes | delete |
Source: C:\Users\user\Desktop\zeD11Fztx8.exe |
Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess |
Source: C:\Users\user\Desktop\zeD11Fztx8.exe |
File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} |
Source: C:\Users\user\Desktop\zeD11Fztx8.exe |
API coverage: 6.5 % |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\zeD11Fztx8.exe |
File Volume queried: C:\ FullSizeInformation |
Source: svchost.exe, 0000000D.00000002.841710504.000001EEB86B0000.00000002.00000001.sdmp, svchost.exe, 00000013.00000002.880141754.000002BBEBD40000.00000002.00000001.sdmp |
Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed. |
Source: storageservice.exe, 00000003.00000003.827346434.0000000001096000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V RAW |
Source: svchost.exe, 0000000D.00000002.841710504.000001EEB86B0000.00000002.00000001.sdmp, svchost.exe, 00000013.00000002.880141754.000002BBEBD40000.00000002.00000001.sdmp |
Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service. |
Source: svchost.exe, 0000000D.00000002.841710504.000001EEB86B0000.00000002.00000001.sdmp, svchost.exe, 00000013.00000002.880141754.000002BBEBD40000.00000002.00000001.sdmp |
Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported. |
Source: storageservice.exe, 00000003.00000002.898823671.000000000105A000.00000004.00000020.sdmp |
Binary or memory string: Hyper-V RAW(N |
Source: svchost.exe, 0000000D.00000002.841710504.000001EEB86B0000.00000002.00000001.sdmp, svchost.exe, 00000013.00000002.880141754.000002BBEBD40000.00000002.00000001.sdmp |
Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service. |
Source: C:\Windows\SysWOW64\storageservice.exe |
Process information queried: ProcessInformation |
Source: C:\Users\user\Desktop\zeD11Fztx8.exe |
Code function: 0_2_01381BE0 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\zeD11Fztx8.exe |
Code function: 0_2_013815B0 GetModuleFileNameW,_snwprintf,GetProcessHeap,HeapFree,_snwprintf,GetProcessHeap,HeapFree,CreateEventW,CreateMutexW,CloseHandle,GetLastError,SetEvent,CloseHandle,CloseHandle,memset,CreateProcessW,WaitForSingleObject,CloseHandle,CloseHandle,CloseHandle,CloseHandle, |
Source: C:\Users\user\Desktop\zeD11Fztx8.exe |
Queries volume information: C:\ VolumeInformation |
Source: C:\Windows\SysWOW64\storageservice.exe |
Queries volume information: C:\ VolumeInformation |
Source: C:\Users\user\Desktop\zeD11Fztx8.exe |
Code function: 0_2_01388D50 RtlGetVersion,GetNativeSystemInfo, |
Source: C:\Windows\SysWOW64\storageservice.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |