Source: http://host-host-file8.com/ |
URL Reputation: Label: malware |
Source: host-file-host6.com |
Virustotal: Detection: 19% |
Source: host-host-file8.com |
Virustotal: Detection: 17% |
Source: C:\Users\user\AppData\Roaming\vvtsewb |
Joe Sandbox ML: detected |
Source: 00000002.00000002.412778372.00000000007C0000.00000004.00000800.00020000.00000000.sdmp |
Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]} |
Source: file.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Windows\SysWOW64\msvcr100.dll |
Source: |
Binary string: C:\jec-rexan\xezuwagav-lifesokip\31\wapirucokewe63.pdb source: file.exe, vvtsewb.1.dr |
Source: |
Binary string: cC:\jec-rexan\xezuwagav-lifesokip\31\wapirucokewe63.pdb source: file.exe, vvtsewb.1.dr |
Source: C:\Windows\explorer.exe |
Domain query: host-file-host6.com |
Source: C:\Windows\explorer.exe |
Domain query: host-host-file8.com |
Source: Malware configuration extractor |
URLs: http://host-file-host6.com/ |
Source: Malware configuration extractor |
URLs: http://host-host-file8.com/ |
Source: Joe Sandbox View |
ASN Name: COMBAHTONcombahtonGmbHDE |
Source: Joe Sandbox View |
IP Address: 84.21.172.159 |
Source: global traffic |
HTTP traffic detected: POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://dkkgeh.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 302 Host: host-file-host6.com |
Source: explorer.exe, 00000001.00000000.333055694.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.303883320.000000000091F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://www.autoitscript.com/autoit3/J |
Source: unknown |
HTTP traffic detected: POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://dkkgeh.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 302 Host: host-file-host6.com |
Source: unknown |
DNS traffic detected: queries for: host-file-host6.com |
Source: Yara match |
File source: 2.2.vvtsewb.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.3.vvtsewb.7c0000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.vvtsewb.7b0e67.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.file.exe.7e0e67.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.3.file.exe.800000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000002.00000002.412803739.00000000007E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.371278858.00000000022A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.412778372.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.292353244.0000000000800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000000.352581275.0000000002901000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000003.401198999.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.371194689.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: vvtsewb, 00000002.00000002.412945082.00000000009CA000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
|
Source: 00000002.00000002.412766859.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown |
Source: 00000002.00000002.412803739.00000000007E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown |
Source: 00000002.00000002.413033982.00000000009D8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown |
Source: 00000000.00000002.371278858.00000000022A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown |
Source: 00000002.00000002.412778372.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown |
Source: 00000000.00000002.371129358.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown |
Source: 00000001.00000000.352581275.0000000002901000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown |
Source: 00000000.00000002.371194689.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown |
Source: 00000000.00000002.371011318.00000000006E8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown |
Source: 00000002.00000002.412766859.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23 |
Source: 00000002.00000002.412803739.00000000007E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23 |
Source: 00000002.00000002.413033982.00000000009D8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12 |
Source: 00000000.00000002.371278858.00000000022A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23 |
Source: 00000002.00000002.412778372.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23 |
Source: 00000000.00000002.371129358.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23 |
Source: 00000001.00000000.352581275.0000000002901000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23 |
Source: 00000000.00000002.371194689.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23 |
Source: 00000000.00000002.371011318.00000000006E8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_0040F025 |
0_2_0040F025 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_004170DC |
0_2_004170DC |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_004138E8 |
0_2_004138E8 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00413E2C |
0_2_00413E2C |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_0040C635 |
0_2_0040C635 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00414370 |
0_2_00414370 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_004157C9 |
0_2_004157C9 |
Source: C:\Users\user\AppData\Roaming\vvtsewb |
Code function: 2_2_0040F025 |
2_2_0040F025 |
Source: C:\Users\user\AppData\Roaming\vvtsewb |
Code function: 2_2_004170DC |
2_2_004170DC |
Source: C:\Users\user\AppData\Roaming\vvtsewb |
Code function: 2_2_004138E8 |
2_2_004138E8 |
Source: C:\Users\user\AppData\Roaming\vvtsewb |
Code function: 2_2_00413E2C |
2_2_00413E2C |
Source: C:\Users\user\AppData\Roaming\vvtsewb |
Code function: 2_2_0040C635 |
2_2_0040C635 |
Source: C:\Users\user\AppData\Roaming\vvtsewb |
Code function: 2_2_00414370 |
2_2_00414370 |
Source: C:\Users\user\AppData\Roaming\vvtsewb |
Code function: 2_2_004157C9 |
2_2_004157C9 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_0040180C Sleep,NtTerminateProcess, |
0_2_0040180C |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00401818 Sleep,NtTerminateProcess, |
0_2_00401818 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00401822 Sleep,NtTerminateProcess, |
0_2_00401822 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00401826 Sleep,NtTerminateProcess, |
0_2_00401826 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00401834 Sleep,NtTerminateProcess, |
0_2_00401834 |
Source: C:\Users\user\AppData\Roaming\vvtsewb |
Code function: 2_2_0040180C Sleep,NtTerminateProcess, |
2_2_0040180C |
Source: C:\Users\user\AppData\Roaming\vvtsewb |
Code function: 2_2_00401818 Sleep,NtTerminateProcess, |
2_2_00401818 |
Source: C:\Users\user\AppData\Roaming\vvtsewb |
Code function: 2_2_00401822 Sleep,NtTerminateProcess, |
2_2_00401822 |
Source: C:\Users\user\AppData\Roaming\vvtsewb |
Code function: 2_2_00401826 Sleep,NtTerminateProcess, |
2_2_00401826 |
Source: C:\Users\user\AppData\Roaming\vvtsewb |
Code function: 2_2_00401834 Sleep,NtTerminateProcess, |
2_2_00401834 |
Source: file.exe |
Static PE information: Resource name: RT_VERSION type: x86 executable not stripped |
Source: vvtsewb.1.dr |
Static PE information: Resource name: RT_VERSION type: x86 executable not stripped |
Source: C:\Windows\explorer.exe |
Section loaded: taskschd.dll |
Source: C:\Windows\explorer.exe |
Section loaded: dhcpcsvc6.dll |
Source: C:\Windows\explorer.exe |
Section loaded: dhcpcsvc.dll |
Source: C:\Windows\explorer.exe |
Section loaded: ondemandconnroutehelper.dll |
Source: C:\Windows\explorer.exe |
Section loaded: webio.dll |
Source: C:\Windows\explorer.exe |
Section loaded: winnsi.dll |
Source: file.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\file.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown |
Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe |
Source: unknown |
Process created: C:\Users\user\AppData\Roaming\vvtsewb C:\Users\user\AppData\Roaming\vvtsewb |
Source: C:\Windows\explorer.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 |
Source: C:\Windows\explorer.exe |
File created: C:\Users\user\AppData\Roaming\vvtsewb |
Source: classification engine |
Classification label: mal100.troj.evad.winEXE@2/2@4/1 |
Source: C:\Users\user\AppData\Roaming\vvtsewb |
Code function: 2_2_009DD28E CreateToolhelp32Snapshot,Module32First, |
2_2_009DD28E |
Source: file.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: C:\Users\user\Desktop\file.exe |
Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW; |
Source: C:\Users\user\AppData\Roaming\vvtsewb |
Unpacked PE file: 2.2.vvtsewb.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW; |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_004011D0 push ebx; iretd |
0_2_00401217 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_004011D7 push ebx; iretd |
0_2_00401217 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_004011EB push ebx; iretd |
0_2_00401217 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_0040B4C1 push ecx; ret |
0_2_0040B4D4 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_007E1252 push ebx; iretd |
0_2_007E127E |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_007E123E push ebx; iretd |
0_2_007E127E |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_007E1237 push ebx; iretd |
0_2_007E127E |
Source: C:\Users\user\AppData\Roaming\vvtsewb |
Code function: 2_2_004011D0 push ebx; iretd |
2_2_00401217 |
Source: C:\Users\user\AppData\Roaming\vvtsewb |
Code function: 2_2_004011D7 push ebx; iretd |
2_2_00401217 |
Source: C:\Users\user\AppData\Roaming\vvtsewb |
Code function: 2_2_004011EB push ebx; iretd |
2_2_00401217 |
Source: C:\Users\user\AppData\Roaming\vvtsewb |
Code function: 2_2_0040B4C1 push ecx; ret |
2_2_0040B4D4 |
Source: C:\Users\user\AppData\Roaming\vvtsewb |
Code function: 2_2_009E2DA3 pushad ; iretd |
2_2_009E2DA9 |
Source: C:\Users\user\AppData\Roaming\vvtsewb |
Code function: 2_2_009DDF19 push ebx; iretd |
2_2_009DDF44 |
Source: C:\Users\user\AppData\Roaming\vvtsewb |
Code function: 2_2_009DDF04 push ebx; iretd |
2_2_009DDF44 |
Source: C:\Windows\explorer.exe |
File deleted: c:\users\user\desktop\file.exe |
Source: C:\Windows\explorer.exe |
File opened: C:\Users\user\AppData\Roaming\vvtsewb:Zone.Identifier read attributes | delete |
Source: C:\Windows\explorer.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\file.exe |
Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI |
Source: C:\Users\user\AppData\Roaming\vvtsewb |
Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI |
Source: C:\Windows\explorer.exe TID: 2772 |
Thread sleep count: 663 > 30 |
Source: C:\Windows\explorer.exe TID: 5792 |
Thread sleep count: 479 > 30 |
Source: C:\Windows\explorer.exe TID: 5792 |
Thread sleep time: -47900s >= -30000s |
Source: C:\Windows\explorer.exe TID: 5820 |
Thread sleep count: 497 > 30 |
Source: C:\Windows\explorer.exe TID: 5820 |
Thread sleep time: -49700s >= -30000s |
Source: C:\Windows\explorer.exe TID: 3100 |
Thread sleep count: 577 > 30 |
Source: C:\Windows\explorer.exe TID: 5068 |
Thread sleep count: 413 > 30 |
Source: C:\Windows\explorer.exe TID: 5068 |
Thread sleep time: -41300s >= -30000s |
Source: C:\Windows\explorer.exe TID: 2372 |
Thread sleep count: 395 > 30 |
Source: C:\Windows\explorer.exe TID: 2372 |
Thread sleep time: -39500s >= -30000s |
Source: C:\Windows\explorer.exe |
Last function: Thread delayed |
Source: C:\Windows\explorer.exe |
Window / User API: threadDelayed 663 |
Source: C:\Windows\explorer.exe |
Window / User API: threadDelayed 479 |
Source: C:\Windows\explorer.exe |
Window / User API: threadDelayed 497 |
Source: C:\Windows\explorer.exe |
Window / User API: threadDelayed 577 |
Source: C:\Windows\explorer.exe |
Window / User API: threadDelayed 413 |
Source: C:\Windows\explorer.exe |
Window / User API: threadDelayed 395 |
Source: C:\Users\user\Desktop\file.exe |
Process information queried: ProcessInformation |
Source: C:\Users\user\Desktop\file.exe |
System information queried: ModuleInformation |
Source: explorer.exe, 00000001.00000000.312651031.0000000008631000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000 |
Source: explorer.exe, 00000001.00000000.368261187.00000000086E7000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i |
Source: explorer.exe, 00000001.00000000.368261187.00000000086E7000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b} |
Source: explorer.exe, 00000001.00000000.304766305.00000000043B0000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} |
Source: explorer.exe, 00000001.00000000.368261187.00000000086E7000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000 |
Source: explorer.exe, 00000001.00000000.312651031.0000000008631000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000 |
Source: C:\Users\user\Desktop\file.exe |
System information queried: CodeIntegrityInformation |
Source: C:\Users\user\AppData\Roaming\vvtsewb |
System information queried: CodeIntegrityInformation |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_007E092B mov eax, dword ptr fs:[00000030h] |
0_2_007E092B |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_007E0D90 mov eax, dword ptr fs:[00000030h] |
0_2_007E0D90 |
Source: C:\Users\user\AppData\Roaming\vvtsewb |
Code function: 2_2_009DCB6B push dword ptr fs:[00000030h] |
2_2_009DCB6B |
Source: C:\Users\user\Desktop\file.exe |
Process queried: DebugPort |
Source: C:\Users\user\AppData\Roaming\vvtsewb |
Process queried: DebugPort |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: unknown target: C:\Windows\explorer.exe protection: read write |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read |
Source: C:\Users\user\AppData\Roaming\vvtsewb |
Section loaded: unknown target: C:\Windows\explorer.exe protection: read write |
Source: C:\Users\user\AppData\Roaming\vvtsewb |
Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read |
Source: C:\Users\user\Desktop\file.exe |
Thread created: C:\Windows\explorer.exe EIP: 2901930 |
Source: C:\Users\user\AppData\Roaming\vvtsewb |
Thread created: unknown EIP: 2971930 |
Source: explorer.exe, 00000001.00000000.333248976.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.356626269.0000000005910000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.352176966.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: explorer.exe, 00000001.00000000.333248976.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.352176966.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.303967708.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp |
Binary or memory string: uProgram Manager*r |
Source: explorer.exe, 00000001.00000000.333248976.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.352176966.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.303967708.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp |
Binary or memory string: Progman |
Source: explorer.exe, 00000001.00000000.333248976.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.352176966.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.303967708.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp |
Binary or memory string: Progmanlock |
Source: explorer.exe, 00000001.00000000.332831091.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.351679837.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.303801289.0000000000878000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: ProgmanLoc*U |
Source: C:\Windows\explorer.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |