Source: http://host-host-file8.com/ |
URL Reputation: Label: malware |
Source: host-file-host6.com |
Virustotal: Detection: 25% |
Source: host-host-file8.com |
Virustotal: Detection: 21% |
Source: C:\Users\user\AppData\Roaming\vahfuah |
Joe Sandbox ML: detected |
Source: 00000013.00000002.443589368.0000000000460000.00000004.00000800.00020000.00000000.sdmp |
Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]} |
Source: ttguGDFHUX.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: |
Binary string: C:\warozopocir.pdb source: ttguGDFHUX.exe, vahfuah.5.dr |
Source: |
Binary string: k3C:\warozopocir.pdb`ZB source: ttguGDFHUX.exe, vahfuah.5.dr |
Source: C:\Windows\explorer.exe |
Domain query: host-file-host6.com |
Source: C:\Windows\explorer.exe |
Domain query: host-host-file8.com |
Source: Malware configuration extractor |
URLs: http://host-file-host6.com/ |
Source: Malware configuration extractor |
URLs: http://host-host-file8.com/ |
Source: Joe Sandbox View |
ASN Name: GOOGLE-AS-APGoogleAsiaPacificPteLtdSG |
Source: Joe Sandbox View |
IP Address: 34.118.39.10 |
Source: global traffic |
HTTP traffic detected: POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://egppg.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 324 Host: host-file-host6.com |
Source: unknown |
HTTP traffic detected: POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://egppg.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 324 Host: host-file-host6.com |
Source: unknown |
DNS traffic detected: queries for: host-file-host6.com |
Source: Yara match |
File source: 0.2.ttguGDFHUX.exe.25615a0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 18.2.vahfuah.26115a0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.ttguGDFHUX.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 19.2.vahfuah.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000001.00000002.365673212.00000000004D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000013.00000002.443589368.0000000000460000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000013.00000002.443651918.00000000004D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000005.00000000.349492248.00000000044F1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000002.365633312.00000000004B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\ttguGDFHUX.exe |
Code function: 1_2_0040180C Sleep,NtTerminateProcess, |
Source: C:\Users\user\Desktop\ttguGDFHUX.exe |
Code function: 1_2_00401818 Sleep,NtTerminateProcess, |
Source: C:\Users\user\Desktop\ttguGDFHUX.exe |
Code function: 1_2_00401822 Sleep,NtTerminateProcess, |
Source: C:\Users\user\Desktop\ttguGDFHUX.exe |
Code function: 1_2_00401826 Sleep,NtTerminateProcess, |
Source: C:\Users\user\Desktop\ttguGDFHUX.exe |
Code function: 1_2_00401834 Sleep,NtTerminateProcess, |
Source: C:\Users\user\AppData\Roaming\vahfuah |
Code function: 19_2_0040180C Sleep,NtTerminateProcess, |
Source: C:\Users\user\AppData\Roaming\vahfuah |
Code function: 19_2_00401818 Sleep,NtTerminateProcess, |
Source: C:\Users\user\AppData\Roaming\vahfuah |
Code function: 19_2_00401822 Sleep,NtTerminateProcess, |
Source: C:\Users\user\AppData\Roaming\vahfuah |
Code function: 19_2_00401826 Sleep,NtTerminateProcess, |
Source: C:\Users\user\AppData\Roaming\vahfuah |
Code function: 19_2_00401834 Sleep,NtTerminateProcess, |
Source: ttguGDFHUX.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: vahfuah.5.dr |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: C:\Windows\explorer.exe |
Section loaded: taskschd.dll |
Source: C:\Windows\explorer.exe |
Section loaded: xmllite.dll |
Source: C:\Windows\explorer.exe |
Section loaded: dhcpcsvc6.dll |
Source: C:\Windows\explorer.exe |
Section loaded: dhcpcsvc.dll |
Source: C:\Windows\explorer.exe |
Section loaded: ondemandconnroutehelper.dll |
Source: C:\Windows\explorer.exe |
Section loaded: webio.dll |
Source: C:\Windows\explorer.exe |
Section loaded: mswsock.dll |
Source: C:\Windows\explorer.exe |
Section loaded: winnsi.dll |
Source: ttguGDFHUX.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: vahfuah.5.dr |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\ttguGDFHUX.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown |
Process created: C:\Users\user\Desktop\ttguGDFHUX.exe "C:\Users\user\Desktop\ttguGDFHUX.exe" |
Source: C:\Users\user\Desktop\ttguGDFHUX.exe |
Process created: C:\Users\user\Desktop\ttguGDFHUX.exe "C:\Users\user\Desktop\ttguGDFHUX.exe" |
Source: unknown |
Process created: C:\Users\user\AppData\Roaming\vahfuah C:\Users\user\AppData\Roaming\vahfuah |
Source: C:\Users\user\AppData\Roaming\vahfuah |
Process created: C:\Users\user\AppData\Roaming\vahfuah C:\Users\user\AppData\Roaming\vahfuah |
Source: C:\Windows\explorer.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 |
Source: C:\Windows\explorer.exe |
File created: C:\Users\user\AppData\Roaming\vahfuah |
Source: classification engine |
Classification label: mal100.troj.evad.winEXE@6/2@4/2 |
Source: ttguGDFHUX.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: C:\Users\user\Desktop\ttguGDFHUX.exe |
Code function: 1_2_004011D0 push ebx; iretd |
1_2_00401217 |
Source: C:\Users\user\Desktop\ttguGDFHUX.exe |
Code function: 1_2_004011D7 push ebx; iretd |
1_2_00401217 |
Source: C:\Users\user\Desktop\ttguGDFHUX.exe |
Code function: 1_2_004011EB push ebx; iretd |
1_2_00401217 |
Source: C:\Users\user\AppData\Roaming\vahfuah |
Code function: 19_2_004011D0 push ebx; iretd |
19_2_00401217 |
Source: C:\Users\user\AppData\Roaming\vahfuah |
Code function: 19_2_004011D7 push ebx; iretd |
19_2_00401217 |
Source: C:\Users\user\AppData\Roaming\vahfuah |
Code function: 19_2_004011EB push ebx; iretd |
19_2_00401217 |
Source: initial sample |
Static PE information: section name: .text entropy: 7.414029743857001 |
Source: C:\Windows\explorer.exe |
File deleted: c:\users\user\desktop\ttgugdfhux.exe |
Source: C:\Windows\explorer.exe |
File opened: C:\Users\user\AppData\Roaming\vahfuah:Zone.Identifier read attributes | delete |
Source: C:\Users\user\Desktop\ttguGDFHUX.exe |
Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI |
Source: C:\Users\user\AppData\Roaming\vahfuah |
Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI |
Source: C:\Windows\explorer.exe TID: 1320 |
Thread sleep count: 575 > 30 |
Source: C:\Windows\explorer.exe TID: 1292 |
Thread sleep count: 266 > 30 |
Source: C:\Windows\explorer.exe TID: 1300 |
Thread sleep count: 271 > 30 |
Source: C:\Windows\explorer.exe TID: 5472 |
Thread sleep count: 440 > 30 |
Source: C:\Windows\explorer.exe TID: 5476 |
Thread sleep count: 114 > 30 |
Source: C:\Windows\explorer.exe |
Window / User API: threadDelayed 575 |
Source: C:\Windows\explorer.exe |
Window / User API: threadDelayed 440 |
Source: C:\Users\user\Desktop\ttguGDFHUX.exe |
Process information queried: ProcessInformation |
Source: C:\Users\user\Desktop\ttguGDFHUX.exe |
System information queried: ModuleInformation |
Source: explorer.exe, 00000005.00000000.356253114.00000000080ED000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000 |
Source: explorer.exe, 00000005.00000000.356253114.00000000080ED000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: Prod_VMware_SATA |
Source: explorer.exe, 00000005.00000000.316974919.0000000000680000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: _VMware_SATA_CD00#5&280b647& |
Source: explorer.exe, 00000005.00000000.317105362.000000000069D000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b} |
Source: explorer.exe, 00000005.00000000.307047727.0000000008223000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: VMware SATA CD00 |
Source: explorer.exe, 00000005.00000000.307047727.0000000008223000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}t] |
Source: explorer.exe, 00000005.00000000.301543334.00000000062C4000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b} |
Source: explorer.exe, 00000005.00000000.307047727.0000000008223000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}+]e |
Source: explorer.exe, 00000005.00000000.319383324.0000000004287000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0 |
Source: explorer.exe, 00000005.00000000.307047727.0000000008223000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}^ |
Source: explorer.exe, 00000005.00000000.356923821.000000000820E000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000 |
Source: explorer.exe, 00000005.00000000.356253114.00000000080ED000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000 |
Source: explorer.exe, 00000005.00000000.307047727.0000000008223000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: VMware SATA CD00l |
Source: C:\Users\user\Desktop\ttguGDFHUX.exe |
System information queried: CodeIntegrityInformation |
Source: C:\Users\user\AppData\Roaming\vahfuah |
System information queried: CodeIntegrityInformation |
Source: C:\Users\user\Desktop\ttguGDFHUX.exe |
Process queried: DebugPort |
Source: C:\Users\user\AppData\Roaming\vahfuah |
Process queried: DebugPort |
Source: C:\Windows\explorer.exe |
File created: vahfuah.5.dr |
Source: C:\Users\user\Desktop\ttguGDFHUX.exe |
Section loaded: unknown target: C:\Windows\explorer.exe protection: read write |
Source: C:\Users\user\Desktop\ttguGDFHUX.exe |
Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read |
Source: C:\Users\user\AppData\Roaming\vahfuah |
Section loaded: unknown target: C:\Windows\explorer.exe protection: read write |
Source: C:\Users\user\AppData\Roaming\vahfuah |
Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read |
Source: C:\Users\user\Desktop\ttguGDFHUX.exe |
Thread created: C:\Windows\explorer.exe EIP: 44F1930 |
Source: C:\Users\user\AppData\Roaming\vahfuah |
Thread created: unknown EIP: 4A01930 |
Source: explorer.exe, 00000005.00000000.345762021.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.286557807.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.317011550.0000000000688000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: ProgmanEXE^ |
Source: explorer.exe, 00000005.00000000.306306342.00000000080ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.352465052.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.346490332.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: explorer.exe, 00000005.00000000.346490332.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.286913081.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.317787883.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp |
Binary or memory string: Progman |
Source: explorer.exe, 00000005.00000000.346490332.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.286913081.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.317787883.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp |
Binary or memory string: Progmanlock |
Source: explorer.exe, 00000005.00000000.345879179.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.286570440.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.317105362.000000000069D000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Shell_TrayWnd4 |
Source: explorer.exe, 00000005.00000000.346490332.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.286913081.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.317787883.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp |
Binary or memory string: WProgram Manager |
Source: C:\Windows\explorer.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Source: C:\Users\user\Desktop\ttguGDFHUX.exe |
Code function: 0_2_0041C9B0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, |