{"Host": "185.250.148.54", "Port": "4898", "Tor Port": "0", "Install Dir": "0", "Install File": "0", "Communication Password": "5e868314c93c46157fbd5b1adce630ff", "Tor Process Name": "tor"}
Source: 00000001.00000000.935850278.0000000000400000.00000040.00000001.sdmp | Malware Configuration Extractor: BitRat {"Host": "185.250.148.54", "Port": "4898", "Tor Port": "0", "Install Dir": "0", "Install File": "0", "Communication Password": "5e868314c93c46157fbd5b1adce630ff", "Tor Process Name": "tor"} |
Source: cyr8VsVRxv.exe | Binary or memory string: -----BEGIN PUBLIC KEY----- | |
Source: cyr8VsVRxv.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE |
Source: | Binary string: C:\dezovegoj\xezanapabala96\hexixobuvukuhe\juhubag4\rodoy\h.pdb source: cyr8VsVRxv.exe |
Source: | Binary string: `C:\dezovegoj\xezanapabala96\hexixobuvukuhe\juhubag4\rodoy\h.pdb source: cyr8VsVRxv.exe |
Source: Malware configuration extractor | IPs: 185.250.148.54 |
Source: Joe Sandbox View | ASN Name: FIRSTDC-ASRU FIRSTDC-ASRU |
Source: global traffic | TCP traffic: 192.168.2.4:49754 -> 185.250.148.54:4898 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.250.148.54 |
Source: cyr8VsVRxv.exe, cyr8VsVRxv.exe, 00000001.00000000.935850278.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_2_00415782 WSARecv, | 1_2_00415782 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Windows user hook set: 0 mouse low level NULL |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_2_004113B9 | 1_2_004113B9 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_2_0068C54E | 1_2_0068C54E |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_2_0040EA72 | 1_2_0040EA72 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_2_0068DCD0 | 1_2_0068DCD0 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_1_00693097 | 1_1_00693097 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_1_006B126E | 1_1_006B126E |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_1_0068D297 | 1_1_0068D297 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_1_006AE329 | 1_1_006AE329 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: String function: 00411DDD appears 171 times | |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: String function: 0068A19C appears 129 times | |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: String function: 0068B440 appears 34 times | |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: String function: 006B9C3C appears 413 times | |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: String function: 006909D0 appears 86 times | |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 0_2_037C0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess, | 0_2_037C0110 |
Source: cyr8VsVRxv.exe, 00000001.00000003.747429579.0000000003316000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs cyr8VsVRxv.exe |
Source: cyr8VsVRxv.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown | Process created: C:\Users\user\Desktop\cyr8VsVRxv.exe 'C:\Users\user\Desktop\cyr8VsVRxv.exe' | |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Process created: C:\Users\user\Desktop\cyr8VsVRxv.exe 'C:\Users\user\Desktop\cyr8VsVRxv.exe' | |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Process created: C:\Users\user\Desktop\cyr8VsVRxv.exe 'C:\Users\user\Desktop\cyr8VsVRxv.exe' |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E436EBB3-524F-11CE-9F53-0020AF0BA770}\InprocServer32 |
Source: classification engine | Classification label: mal76.troj.evad.winEXE@3/0@0/1 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Mutant created: \Sessions\1\BaseNamedObjects\afb3e877cc714e505f82dd992f785161 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_2_00422D5E __CxxThrowException@8,GetLastError,LoadResource,LockResource,SizeofResource, | 1_2_00422D5E |
Source: cyr8VsVRxv.exe | String found in binary or memory: id-cmc-addExtensions |
Source: cyr8VsVRxv.exe | String found in binary or memory: set-addPolicy |
Source: cyr8VsVRxv.exe | Static PE information: Virtual size of .text is bigger than: 0x100000 |
Source: cyr8VsVRxv.exe | Static file information: File size 1776128 > 1048576 |
Source: cyr8VsVRxv.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x19ce00 |
Source: cyr8VsVRxv.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: cyr8VsVRxv.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: cyr8VsVRxv.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: cyr8VsVRxv.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: cyr8VsVRxv.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: cyr8VsVRxv.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 0_2_03649666 push ebp; iretd | 0_2_0364966D |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 0_2_0364A461 push cs; ret | 0_2_0364A463 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 0_2_0364B56E push C042A0DCh; iretd | 0_2_0364B573 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 0_2_0364F177 push ss; retf | 0_2_0364F17A |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 0_2_0364B9E7 push ebp; ret | 0_2_0364B9E8 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 0_2_036498C4 push esi; iretd | 0_2_036498C5 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 0_2_0364B5A7 push ebx; ret | 0_2_0364B5AF |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 0_2_0364B1BA push esp; ret | 0_2_0364B1C6 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 0_2_0365048F push ss; retf | 0_2_036504AE |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_2_0068A4A9 push ecx; ret | 1_2_0068A4BC |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_2_0068B486 push ecx; ret | 1_2_0068B499 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_2_006B9C3C push eax; ret | 1_2_006B9C5A |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_2_006B9CDC push ecx; ret | 1_2_006B9CEC |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_1_0069909D pushad ; retf 0071h | 1_1_006990A0 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 0_2_00584E90 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, | 0_2_00584E90 |
Source: initial sample | Static PE information: section name: .text entropy: 7.95314540909 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe TID: 7112 | Thread sleep count: 4452 > 30 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe TID: 7112 | Thread sleep time: -44520s >= -30000s |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe TID: 7124 | Thread sleep time: -35000s >= -30000s |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe TID: 7128 | Thread sleep time: -11990383647911201s >= -30000s |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe TID: 7088 | Thread sleep count: 446 > 30 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe TID: 7088 | Thread sleep time: -30000s >= -30000s |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe TID: 7112 | Thread sleep time: -10322220s >= -30000s |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe TID: 5460 | Thread sleep time: -10163890s >= -30000s |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe TID: 6616 | Thread sleep time: -20288198s >= -30000s |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe TID: 6008 | Thread sleep time: -10144098s >= -30000s |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe TID: 7116 | Thread sleep time: -10332116s >= -30000s |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe TID: 7112 | Thread sleep time: -61408101s >= -30000s |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe TID: 7116 | Thread sleep time: -61398210s >= -30000s |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Thread sleep count: Count: 4452 delay: -10 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Last function: Thread delayed |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Thread delayed: delay time: 922337203685477 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Thread delayed: delay time: 10322220 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Thread delayed: delay time: 10163890 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Thread delayed: delay time: 10144099 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Thread delayed: delay time: 10144098 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Thread delayed: delay time: 10332116 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Thread delayed: delay time: 61408101 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Thread delayed: delay time: 61398210 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Window / User API: threadDelayed 4452 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Window / User API: threadDelayed 446 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_2_004090D7 new,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo, | 1_2_004090D7 |
Source: cyr8VsVRxv.exe, 00000001.00000000.940880200.0000000000AEA000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Thread information set: HideFromDebugger |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 0_2_0057F2F0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_0057F2F0 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_2_0040F6F5 __EH_prolog,GetProcessHeap, | 1_2_0040F6F5 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Process token adjusted: Debug |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 0_2_036470A3 push dword ptr fs:[00000030h] | 0_2_036470A3 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 0_2_037C0042 push dword ptr fs:[00000030h] | 0_2_037C0042 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_2_006A482C mov eax, dword ptr fs:[00000030h] | 1_2_006A482C |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 0_2_00581390 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 0_2_00581390 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_2_0068A7EA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 1_2_0068A7EA |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_2_00694A7C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 1_2_00694A7C |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_1_0068B743 SetUnhandledExceptionFilter, | 1_1_0068B743 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Memory written: C:\Users\user\Desktop\cyr8VsVRxv.exe base: 400000 value starts with: 4D5A |
Source: cyr8VsVRxv.exe, 00000001.00000000.936422512.0000000000AEA000.00000004.00000020.sdmp | Binary or memory string: Program Managerc |
Source: cyr8VsVRxv.exe, 00000001.00000002.944500030.0000000001070000.00000002.00020000.sdmp | Binary or memory string: Program Manager |
Source: cyr8VsVRxv.exe, 00000001.00000002.944500030.0000000001070000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd |
Source: cyr8VsVRxv.exe, 00000001.00000002.944500030.0000000001070000.00000002.00020000.sdmp | Binary or memory string: Progman |
Source: cyr8VsVRxv.exe, 00000001.00000003.916727219.00000000033C9000.00000004.00000001.sdmp | Binary or memory string: Program Managerrr |
Source: cyr8VsVRxv.exe, 00000001.00000000.942578555.00000000033C9000.00000004.00000001.sdmp | Binary or memory string: Program ManagerVtr |
Source: cyr8VsVRxv.exe, 00000001.00000000.936422512.0000000000AEA000.00000004.00000020.sdmp | Binary or memory string: Program Managerw |
Source: cyr8VsVRxv.exe, 00000001.00000002.944500030.0000000001070000.00000002.00020000.sdmp | Binary or memory string: Progmanlock |
Source: cyr8VsVRxv.exe, 00000001.00000000.942578555.00000000033C9000.00000004.00000001.sdmp | Binary or memory string: Program Manager8u` |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: EnumSystemLocalesW, | 1_1_006AB108 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: EnumSystemLocalesW, | 1_1_006B4238 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: EnumSystemLocalesW, | 1_1_006B4283 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: EnumSystemLocalesW, | 1_1_006B431E |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 1_2_0040EA72 cpuid | 1_2_0040EA72 |
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe | Code function: 0_2_00585D60 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, | 0_2_00585D60 |
Source: Yara match | File source: 1.0.cyr8VsVRxv.exe.400000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.0.cyr8VsVRxv.exe.400000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.2.cyr8VsVRxv.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.2.cyr8VsVRxv.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000001.00000000.935850278.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000000.940036093.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: cyr8VsVRxv.exe PID: 6952, type: MEMORYSTR |