Source: http://host-host-file8.com/ |
URL Reputation: Label: malware |
Source: host-file-host6.com |
Virustotal: Detection: 25% |
Source: host-host-file8.com |
Virustotal: Detection: 21% |
Source: C:\Users\user\AppData\Roaming\drsdbad |
Joe Sandbox ML: detected |
Source: 00000001.00000002.314917602.00000000004A0000.00000004.00000800.00020000.00000000.sdmp |
Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]} |
Source: CraHZCrkGP.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: CraHZCrkGP.exe, drsdbad.5.dr |
Binary string: D#c'C:\cigawazelaxij\62-tuyibuw\vajuvami\cadafitibeges79-payipu.pdb`ZBP7@ |
Source: CraHZCrkGP.exe, drsdbad.5.dr |
Binary string: C:\cigawazelaxij\62-tuyibuw\vajuvami\cadafitibeges79-payipu.pdb |
Source: C:\Windows\explorer.exe |
Domain query: host-file-host6.com |
Source: C:\Windows\explorer.exe |
Domain query: host-host-file8.com |
Source: Malware configuration extractor |
URLs: http://host-file-host6.com/ |
Source: Malware configuration extractor |
URLs: http://host-host-file8.com/ |
Source: Joe Sandbox View |
ASN Name: GOOGLE-AS-APGoogleAsiaPacificPteLtdSG |
Source: global traffic |
HTTP traffic detected:
  POST / HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://qxhuehga.com/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Length: 360
  Host: host-file-host6.com |
Source: unknown |
HTTP traffic detected:
  POST / HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://qxhuehga.com/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Length: 360
  Host: host-file-host6.com |
Source: unknown |
DNS traffic detected: queries for: host-file-host6.com |
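The check-in captured above (a form-encoded POST to "/" on the C2 host, an IE11 User-Agent, and a Referer naming an unrelated domain) is a usable network signature. The following is an added example, not part of the sandbox report: it runs two independent signals over proxy log lines, one keyed on the extracted C2 list and one on the request shape, so the second still fires for a SmokeLoader build whose C2 domains differ from this sample's. The tab-separated log schema and the sample records are constructed for the example.

```python
"""Added example (not from the sandbox report): flag SmokeLoader-style C2 beacons
in HTTP proxy logs.

Log format is an assumed tab-separated schema:
    src_ip  method  host  path  referer  content_type  user_agent
Adapt parse_line() to your proxy's real schema.
"""
import re
from urllib.parse import urlsplit

# C2 hosts taken from the extracted SmokeLoader configuration.
C2_HOSTS = {"host-file-host6.com", "host-host-file8.com"}

# The observed beacon carries an IE11-on-Windows-10 User-Agent.
IE11_UA = re.compile(r"Trident/7\.0; rv:11\.0\) like Gecko$")


def parse_line(line):
    """Split one tab-separated proxy record into a dict (assumed schema)."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    keys = ("src", "method", "host", "path", "referer", "content_type", "user_agent")
    return dict(zip(keys, fields))


def beacon_reasons(rec):
    """Return the list of reasons a record looks like a SmokeLoader check-in.

    Two independent signals:
      * the Host is one of the extracted C2 domains (high confidence);
      * the request shape matches the observed beacon: a form-encoded POST to "/"
        from an IE11 UA whose Referer names a different domain than Host
        (SmokeLoader fills Referer with an unrelated domain; a genuine browser
        form post almost always refers back to the same site).
    """
    reasons = []
    if rec["host"].lower() in C2_HOSTS:
        reasons.append("host-in-c2-config")
    ref_host = urlsplit(rec["referer"]).hostname if rec["referer"] else None
    if (
        rec["method"] == "POST"
        and rec["path"] == "/"
        and rec["content_type"].startswith("application/x-www-form-urlencoded")
        and ref_host is not None
        and ref_host != rec["host"].lower()
        and IE11_UA.search(rec["user_agent"])
    ):
        reasons.append("post-root-form-mismatched-referer-ie11-ua")
    return reasons


def scan(lines):
    """Return (src, host, reasons) for every record that triggers at least one signal."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        reasons = beacon_reasons(rec)
        if reasons:
            hits.append((rec["src"], rec["host"], reasons))
    return hits


# Constructed sample log: record 1 mirrors the request captured in the report;
# records 2-4 are invented: a benign same-site form post, a bare GET to a C2
# host, and the beacon shape against a domain that is not in the config.
SAMPLE_LOG = [
    "10.0.0.15\tPOST\thost-file-host6.com\t/\thttp://qxhuehga.com/\t"
    "application/x-www-form-urlencoded\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko",
    "10.0.0.15\tPOST\tintranet.example.test\t/login\thttp://intranet.example.test/\t"
    "application/x-www-form-urlencoded\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36",
    "10.0.0.22\tGET\thost-host-file8.com\t/\t\t\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36",
    "10.0.0.31\tPOST\tcdn.example.test\t/\thttp://other.example.test/\t"
    "application/x-www-form-urlencoded\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko",
]

if __name__ == "__main__":
    for src, host, reasons in scan(SAMPLE_LOG):
        print(f"{src} -> {host}: {', '.join(reasons)}")
```

The shape-based signal will also match legitimate cross-site form posts from IE11, so treat it as a hunting lead and the C2-list match as the blocking signal; a hit that carries both reasons, as record 1 does, is the one to act on first.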
Source: Yara match |
File source: 21.2.drsdbad.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 20.2.drsdbad.25a15a0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.CraHZCrkGP.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.CraHZCrkGP.exe.26115a0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000005.00000000.292819935.0000000002631000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000015.00000002.374142486.00000000005A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000002.314917602.00000000004A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000015.00000002.374095976.0000000000580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000002.315051537.00000000004D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Source: CraHZCrkGP.exe, 00000000.00000002.247210114.000000000279A000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
|
Source: C:\Users\user\Desktop\CraHZCrkGP.exe |
Code function: 1_2_0040180C Sleep,NtTerminateProcess |
Source: C:\Users\user\Desktop\CraHZCrkGP.exe |
Code function: 1_2_00401818 Sleep,NtTerminateProcess |
Source: C:\Users\user\Desktop\CraHZCrkGP.exe |
Code function: 1_2_00401822 Sleep,NtTerminateProcess |
Source: C:\Users\user\Desktop\CraHZCrkGP.exe |
Code function: 1_2_00401826 Sleep,NtTerminateProcess |
Source: C:\Users\user\Desktop\CraHZCrkGP.exe |
Code function: 1_2_00401834 Sleep,NtTerminateProcess |
Source: C:\Users\user\AppData\Roaming\drsdbad |
Code function: 21_2_0040180C Sleep,NtTerminateProcess |
Source: C:\Users\user\AppData\Roaming\drsdbad |
Code function: 21_2_00401818 Sleep,NtTerminateProcess |
Source: C:\Users\user\AppData\Roaming\drsdbad |
Code function: 21_2_00401822 Sleep,NtTerminateProcess |
Source: C:\Users\user\AppData\Roaming\drsdbad |
Code function: 21_2_00401826 Sleep,NtTerminateProcess |
Source: C:\Users\user\AppData\Roaming\drsdbad |
Code function: 21_2_00401834 Sleep,NtTerminateProcess |
Source: CraHZCrkGP.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (two RT_ICON resources) |
Source: drsdbad.5.dr |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (two RT_ICON resources) |
Source: C:\Windows\explorer.exe |
Section loaded: taskschd.dll |
Source: C:\Windows\explorer.exe |
Section loaded: xmllite.dll |
Source: C:\Windows\explorer.exe |
Section loaded: dhcpcsvc6.dll |
Source: C:\Windows\explorer.exe |
Section loaded: dhcpcsvc.dll |
Source: C:\Windows\explorer.exe |
Section loaded: ondemandconnroutehelper.dll |
Source: C:\Windows\explorer.exe |
Section loaded: webio.dll |
Source: C:\Windows\explorer.exe |
Section loaded: mswsock.dll |
Source: C:\Windows\explorer.exe |
Section loaded: winnsi.dll |
Source: C:\Windows\explorer.exe |
Section loaded: ondemandconnroutehelper.dll |
Source: CraHZCrkGP.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: drsdbad.5.dr |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\CraHZCrkGP.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown |
Process created: C:\Users\user\Desktop\CraHZCrkGP.exe "C:\Users\user\Desktop\CraHZCrkGP.exe" |
Source: C:\Users\user\Desktop\CraHZCrkGP.exe |
Process created: C:\Users\user\Desktop\CraHZCrkGP.exe "C:\Users\user\Desktop\CraHZCrkGP.exe" |
Source: unknown |
Process created: C:\Users\user\AppData\Roaming\drsdbad C:\Users\user\AppData\Roaming\drsdbad |
Source: C:\Users\user\AppData\Roaming\drsdbad |
Process created: C:\Users\user\AppData\Roaming\drsdbad C:\Users\user\AppData\Roaming\drsdbad |
Source: C:\Windows\explorer.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 |
Source: C:\Windows\explorer.exe |
File created: C:\Users\user\AppData\Roaming\drsdbad |
Source: classification engine |
Classification label: mal100.troj.evad.winEXE@6/2@4/1 |
Source: C:\Users\user\Desktop\CraHZCrkGP.exe |
Code function: 0_2_027AB26D CreateToolhelp32Snapshot,Module32First |
Source: CraHZCrkGP.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: CraHZCrkGP.exe, drsdbad.5.dr |
Binary string: D#c'C:\cigawazelaxij\62-tuyibuw\vajuvami\cadafitibeges79-payipu.pdb`ZBP7@ |
Source: CraHZCrkGP.exe, drsdbad.5.dr |
Binary string: C:\cigawazelaxij\62-tuyibuw\vajuvami\cadafitibeges79-payipu.pdb |
Source: C:\Users\user\Desktop\CraHZCrkGP.exe |
Code function: 0_2_027A607B push edx; retf 0073h (0_2_027A608E) |
Source: C:\Users\user\Desktop\CraHZCrkGP.exe |
Code function: 0_2_027AC16B push ebx; iretd (0_2_027AC1AB) |
Source: C:\Users\user\Desktop\CraHZCrkGP.exe |
Code function: 0_2_027A6035 push edi; retf 0073h (0_2_027A6046) |
Source: C:\Users\user\Desktop\CraHZCrkGP.exe |
Code function: 0_2_027A601C push ecx; retf 0073h (0_2_027A602E) |
Source: C:\Users\user\Desktop\CraHZCrkGP.exe |
Code function: 0_2_027A6514 push 000073CAh; retf 0073h (0_2_027A66EE) |
Source: C:\Users\user\Desktop\CraHZCrkGP.exe |
Code function: 0_2_027B100C pushad ; iretd (0_2_027B1012) |
Source: C:\Users\user\Desktop\CraHZCrkGP.exe |
Code function: 0_2_027A60DC push edx; retf 0073h (0_2_027A60EE) |
Source: C:\Users\user\Desktop\CraHZCrkGP.exe |
Code function: 0_2_027A60DC pushad ; retf 0073h (0_2_027A614E) |
Source: C:\Users\user\Desktop\CraHZCrkGP.exe |
Code function: 0_2_027AC180 push ebx; iretd (0_2_027AC1AB) |
Source: C:\Users\user\Desktop\CraHZCrkGP.exe |
Code function: 1_2_004011D0 push ebx; iretd (1_2_00401217) |
Source: C:\Users\user\Desktop\CraHZCrkGP.exe |
Code function: 1_2_004011D7 push ebx; iretd (1_2_00401217) |
Source: C:\Users\user\Desktop\CraHZCrkGP.exe |
Code function: 1_2_004011EB push ebx; iretd (1_2_00401217) |
Source: C:\Users\user\AppData\Roaming\drsdbad |
Code function: 21_2_004011D0 push ebx; iretd (21_2_00401217) |
Source: C:\Users\user\AppData\Roaming\drsdbad |
Code function: 21_2_004011D7 push ebx; iretd (21_2_00401217) |
Source: C:\Users\user\AppData\Roaming\drsdbad |
Code function: 21_2_004011EB push ebx; iretd (21_2_00401217) |
Source: initial sample |
Static PE information: section name: .text entropy: 7.43093136075961 |
Source: C:\Windows\explorer.exe |
File created: C:\Users\user\AppData\Roaming\drsdbad |
Source: C:\Windows\explorer.exe |
File deleted: c:\users\user\desktop\crahzcrkgp.exe |
Source: C:\Windows\explorer.exe |
File opened: C:\Users\user\AppData\Roaming\drsdbad:Zone.Identifier read attributes | delete |
Source: C:\Users\user\Desktop\CraHZCrkGP.exe |
Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6 times) |
Source: C:\Users\user\AppData\Roaming\drsdbad |
Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6 times) |
Source: C:\Windows\explorer.exe TID: 1912 |
Thread sleep count: 586 > 30 |
Source: C:\Windows\explorer.exe TID: 4860 |
Thread sleep count: 393 > 30 |
Source: C:\Windows\explorer.exe TID: 4860 |
Thread sleep time: -39300s >= -30000s |
Source: C:\Windows\explorer.exe TID: 1220 |
Thread sleep count: 411 > 30 |
Source: C:\Windows\explorer.exe TID: 1220 |
Thread sleep time: -41100s >= -30000s |
Source: C:\Windows\explorer.exe TID: 2168 |
Thread sleep count: 399 > 30 |
Source: C:\Windows\explorer.exe TID: 2536 |
Thread sleep count: 284 > 30 |
Source: C:\Windows\explorer.exe |
Window / User API: threadDelayed 586 |
Source: C:\Windows\explorer.exe |
Window / User API: threadDelayed 393 |
Source: C:\Windows\explorer.exe |
Window / User API: threadDelayed 411 |
Source: C:\Windows\explorer.exe |
Window / User API: threadDelayed 399 |
Source: C:\Users\user\Desktop\CraHZCrkGP.exe |
Process information queried: ProcessInformation |
Source: C:\Users\user\Desktop\CraHZCrkGP.exe |
System information queried: ModuleInformation |
Source: explorer.exe, 00000005.00000000.271658717.0000000008142000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000 |
Source: explorer.exe, 00000005.00000000.271658717.0000000008142000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: Prod_VMware_SATA |
Source: explorer.exe, 00000005.00000000.303278194.0000000008223000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m&ven_n |
Source: explorer.exe, 00000005.00000000.258357036.0000000000680000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: _VMware_SATA_CD00#5&280b647& |
Source: explorer.exe, 00000005.00000000.291787671.000000000069D000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b} |
Source: explorer.exe, 00000005.00000000.280302190.0000000004287000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: -98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA |
Source: explorer.exe, 00000005.00000000.303278194.0000000008223000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: VMware SATA CD00 |
Source: explorer.exe, 00000005.00000000.272179570.0000000008290000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA |
Source: explorer.exe, 00000005.00000000.282454352.00000000062C4000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b} |
Source: explorer.exe, 00000005.00000000.303278194.0000000008223000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}+]e |
Source: explorer.exe, 00000005.00000000.280302190.0000000004287000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0 |
Source: explorer.exe, 00000005.00000000.303278194.0000000008223000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}^ |
Source: explorer.exe, 00000005.00000000.271968277.000000000820E000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000 |
Source: explorer.exe, 00000005.00000000.272560042.000000000832B000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: #{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f$:s |
Source: explorer.exe, 00000005.00000000.271658717.0000000008142000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000 |
Source: explorer.exe, 00000005.00000000.303278194.0000000008223000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: VMware SATA CD00l |
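Both the dropper and the copy in AppData enumerate HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI, and the VMware and NECVMWar device strings listed above are exactly what such a check finds on this analysis VM. The following is an added example, not part of the sandbox report: it scores a list of SCSI device IDs for virtualization artifacts, so an analyst can run the same test against a sandbox image before detonation and see what the sample will see. The pure functions work on any list of strings; the registry walker uses the standard-library winreg module and only runs on Windows. Only the VMware and Msft Virtual tokens come from this report; the VirtualBox and QEMU tokens and the fourth, physical-looking sample ID are assumptions added for the example.

```python
"""Added example (not from the sandbox report): score SCSI device IDs for
virtualization artifacts, the same data the sample reads by enumerating
HKLM\\SYSTEM\\ControlSet001\\Enum\\SCSI.

classify()/is_virtual() work on any list of device-ID strings; collect_scsi_ids()
walks the live registry and only runs on Windows. The VirtualBox and QEMU tokens
are assumptions from general practice; only VMware and Msft Virtual strings appear
in this report.
"""
import re

try:
    import winreg  # standard library, Windows only
except ImportError:
    winreg = None

# (label, pattern, strength). "strong" tokens only occur under a hypervisor;
# "weak" ones also appear on physical hosts (a mounted ISO shows up as a
# Microsoft Virtual DVD-ROM), so they must not decide the verdict alone.
INDICATORS = [
    ("vmware", re.compile(r"vmware|necvmwar", re.I), "strong"),
    ("virtualbox", re.compile(r"vbox", re.I), "strong"),  # assumption, not from the report
    ("qemu", re.compile(r"qemu", re.I), "strong"),        # assumption, not from the report
    ("msft-virtual-media", re.compile(r"ven_msft&prod_virtual", re.I), "weak"),
]


def classify(device_ids):
    """Return [(device_id, label, strength)] for every ID that matches an indicator."""
    hits = []
    for dev in device_ids:
        for label, pat, strength in INDICATORS:
            if pat.search(dev):
                hits.append((dev, label, strength))
    return hits


def is_virtual(device_ids):
    """True when at least one strong indicator is present."""
    return any(strength == "strong" for _, _, strength in classify(device_ids))


def _subkeys(key):
    """Yield the names of a registry key's immediate subkeys (Windows only)."""
    i = 0
    while True:
        try:
            yield winreg.EnumKey(key, i)
        except OSError:  # index past the last subkey
            return
        i += 1


def collect_scsi_ids(root=r"SYSTEM\ControlSet001\Enum\SCSI"):
    """Walk HKLM\\...\\Enum\\SCSI and return 'SCSI\\<device>\\<instance>' strings,
    the same shape as the IDs explorer.exe held in memory in the report."""
    if winreg is None:
        raise RuntimeError("registry enumeration is only available on Windows")
    ids = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root) as scsi:
        for device in _subkeys(scsi):
            with winreg.OpenKey(scsi, device) as dev_key:
                for instance in _subkeys(dev_key):
                    ids.append(f"SCSI\\{device}\\{instance}")
    return ids


# Constructed sample: the first three IDs are the ones listed in the report,
# the fourth is an invented physical-looking disk for contrast.
SAMPLE_IDS = [
    r"SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000",
    r"SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000",
    r"SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001",
    r"SCSI\Disk&Ven_Samsung&Prod_SSD_870_EVO\4&2a1b3c4d&0&000000",
]

if __name__ == "__main__":
    ids = collect_scsi_ids() if winreg else SAMPLE_IDS
    for dev, label, strength in classify(ids):
        print(f"{strength:6} {label:20} {dev}")
    print("virtual machine" if is_virtual(ids) else "no strong VM indicator")
```

The weak/strong split matters in practice: a hardened sandbox that renames its virtual disk vendor still leaks a Microsoft Virtual DVD-ROM whenever an ISO is attached, and a physical triage box with a mounted ISO must not be reported as a VM on that evidence alone.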
Source: C:\Users\user\Desktop\CraHZCrkGP.exe |
System information queried: CodeIntegrityInformation |
Source: C:\Users\user\AppData\Roaming\drsdbad |
System information queried: CodeIntegrityInformation |
Source: C:\Users\user\Desktop\CraHZCrkGP.exe |
Code function: 0_2_027AAB4A push dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\CraHZCrkGP.exe |
Process queried: DebugPort |
Source: C:\Users\user\AppData\Roaming\drsdbad |
Process queried: DebugPort |
Source: C:\Windows\explorer.exe |
File created: drsdbad.5.dr |
Source: C:\Windows\explorer.exe |
Domain query: host-file-host6.com |
Source: C:\Windows\explorer.exe |
Domain query: host-host-file8.com |
Source: C:\Users\user\Desktop\CraHZCrkGP.exe |
Section loaded: unknown target: C:\Windows\explorer.exe protection: read write |
Source: C:\Users\user\Desktop\CraHZCrkGP.exe |
Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read |
Source: C:\Users\user\AppData\Roaming\drsdbad |
Section loaded: unknown target: C:\Windows\explorer.exe protection: read write |
Source: C:\Users\user\AppData\Roaming\drsdbad |
Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read |
Source: C:\Users\user\Desktop\CraHZCrkGP.exe |
Thread created: C:\Windows\explorer.exe EIP: 2631930 |
Source: C:\Users\user\AppData\Roaming\drsdbad |
Thread created: unknown EIP: 4A01930 |
Source: C:\Users\user\Desktop\CraHZCrkGP.exe |
Process created: C:\Users\user\Desktop\CraHZCrkGP.exe "C:\Users\user\Desktop\CraHZCrkGP.exe" |
Source: C:\Users\user\AppData\Roaming\drsdbad |
Process created: C:\Users\user\AppData\Roaming\drsdbad C:\Users\user\AppData\Roaming\drsdbad |
Source: explorer.exe, 00000005.00000000.278658295.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.291768185.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.258363464.0000000000688000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: ProgmanEXE^ |
Source: explorer.exe, 00000005.00000000.292399231.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.302629679.0000000008142000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.262213793.0000000005920000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: explorer.exe, 00000005.00000000.292399231.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.258555866.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.279081042.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp |
Binary or memory string: Progman |
Source: explorer.exe, 00000005.00000000.292399231.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.258555866.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.279081042.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp |
Binary or memory string: Progmanlock |
Source: explorer.exe, 00000005.00000000.278681639.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.258377155.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.291787671.000000000069D000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Shell_TrayWnd4 |
Source: explorer.exe, 00000005.00000000.292399231.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.258555866.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.279081042.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp |
Binary or memory string: WProgram Manager |
Source: C:\Windows\explorer.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Source: C:\Users\user\Desktop\CraHZCrkGP.exe |
Code function: 0_2_0041CC60 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter |