Source: barbecueappledos.pw |
Avira URL Cloud: Label: malware |
Source: keewoolas.pw |
Avira URL Cloud: Label: malware |
Source: bloockflad.pw |
Avira URL Cloud: Label: malware |
Source: revivalsecularas.pw |
Avira URL Cloud: Label: malware |
Source: killredls.pw |
Avira URL Cloud: Label: malware |
Source: steycools.pw |
Avira URL Cloud: Label: malware |
Source: bookgames.pw |
Avira URL Cloud: Label: malware |
Source: moskhoods.pw |
Avira URL Cloud: Label: malware |
Source: dayzilons.pw |
Avira URL Cloud: Label: malware |
Source: xXO3Bx1Gtv.exe |
Malware Configuration Extractor: LummaC {"C2 url": ["barbecueappledos.pw", "killredls.pw", "keewoolas.pw", "moskhoods.pw", "dayzilons.pw", "revivalsecularas.pw", "steycools.pw", "bloockflad.pw", "bookgames.pw"], "Build id": "KjGtqi--Zinfandel"} |
Source: barbecueappledos.pw |
Virustotal: Detection: 11% |
Source: keewoolas.pw |
Virustotal: Detection: 15% |
Source: revivalsecularas.pw |
Virustotal: Detection: 15% |
Source: moskhoods.pw |
Virustotal: Detection: 16% |
Source: steycools.pw |
Virustotal: Detection: 14% |
Source: killredls.pw |
Virustotal: Detection: 15% |
Source: dayzilons.pw |
Virustotal: Detection: 12% |
Source: bookgames.pw |
Virustotal: Detection: 15% |
Source: bloockflad.pw |
Virustotal: Detection: 14% |
Source: xXO3Bx1Gtv.exe |
String decryptor: barbecueappledos.pw |
Source: xXO3Bx1Gtv.exe |
String decryptor: killredls.pw |
Source: xXO3Bx1Gtv.exe |
String decryptor: keewoolas.pw |
Source: xXO3Bx1Gtv.exe |
String decryptor: moskhoods.pw |
Source: xXO3Bx1Gtv.exe |
String decryptor: dayzilons.pw |
Source: xXO3Bx1Gtv.exe |
String decryptor: revivalsecularas.pw |
Source: xXO3Bx1Gtv.exe |
String decryptor: steycools.pw |
Source: xXO3Bx1Gtv.exe |
String decryptor: bloockflad.pw |
Source: xXO3Bx1Gtv.exe |
String decryptor: bookgames.pw |
Source: xXO3Bx1Gtv.exe |
String decryptor: lid=%s&j=%s&ver=4.0 |
Source: xXO3Bx1Gtv.exe |
String decryptor: TeslaBrowser/5.5 |
Source: xXO3Bx1Gtv.exe |
String decryptor: - Screen Resoluton: |
Source: xXO3Bx1Gtv.exe |
String decryptor: - Physical Installed Memory: |
Source: xXO3Bx1Gtv.exe |
String decryptor: Workgroup: - |
Source: xXO3Bx1Gtv.exe |
String decryptor: KjGtqi--Zinfandel |
Source: xXO3Bx1Gtv.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: Malware configuration extractor |
URLs: barbecueappledos.pw |
Source: Malware configuration extractor |
URLs: killredls.pw |
Source: Malware configuration extractor |
URLs: keewoolas.pw |
Source: Malware configuration extractor |
URLs: moskhoods.pw |
Source: Malware configuration extractor |
URLs: dayzilons.pw |
Source: Malware configuration extractor |
URLs: revivalsecularas.pw |
Source: Malware configuration extractor |
URLs: steycools.pw |
Source: Malware configuration extractor |
URLs: bloockflad.pw |
Source: Malware configuration extractor |
URLs: bookgames.pw |
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe |
Code function: 0_2_0041C04D |
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe |
Code function: 0_2_00451804 |
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe |
Code function: 0_2_004188AD |
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe |
Code function: 0_2_00428172 |
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe |
Code function: 0_2_0041D97A |
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe |
Code function: 0_2_004272D8 |
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe |
Code function: 0_2_00409B60 |
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe |
Code function: 0_2_0040F3C4 |
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe |
Code function: 0_2_0041DB99 |
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe |
Code function: 0_2_00404BAE |
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe |
Code function: 0_2_0044A439 |
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe |
Code function: 0_2_0044DDD0 |
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe |
Code function: 0_2_0040C5DC |
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe |
Code function: 0_2_0040CF58 |
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe |
Code function: 0_2_0040DF6A |
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe |
Code function: 0_2_00413777 |
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe |
Code function: 0_2_0041BF07 |
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe |
Code function: 0_2_00418F19 |
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 340 |
Source: xXO3Bx1Gtv.exe, 00000000.00000000.1632468259.00000000007D7000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameQvConnect32.EXEZ vs xXO3Bx1Gtv.exe |
Source: xXO3Bx1Gtv.exe |
Binary or memory string: OriginalFilenameQvConnect32.EXEZ vs xXO3Bx1Gtv.exe |
Source: classification engine |
Classification label: mal88.troj.evad.winEXE@2/5@0/0 |
Source: C:\Windows\SysWOW64\WerFault.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5100 |
Source: unknown |
Process created: C:\Users\user\Desktop\xXO3Bx1Gtv.exe "C:\Users\user\Desktop\xXO3Bx1Gtv.exe" |
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe |
Section loaded: winhttp.dll |
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe |
Section loaded: wininet.dll |
Source: xXO3Bx1Gtv.exe |
Static PE information: section name: ./PING/0 |
Source: xXO3Bx1Gtv.exe |
Static PE information: section name: ./PING/1 |
Source: xXO3Bx1Gtv.exe |
Static PE information: section name: ./PING/2 |
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe |
Code function: 0_2_00412B0A push ebx; retf 0004h |
0_2_00412B0D |
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe |
Code function: 0_2_00776574 push 0F370C96h; mov dword ptr [esp], esi |
0_2_0077657C |
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe |
Code function: 0_2_00401DCF push eax; mov dword ptr [esp], 00000000h |
0_2_00401DD4 |
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe |
Code function: 0_2_004686B1 push ecx; ret |
0_2_004686C4 |
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe |
Code function: 0_2_00415F5D push eax; ret |
0_2_00415F5E |
Source: xXO3Bx1Gtv.exe |
Static PE information: section name: .text entropy: 6.8060853503210135 |
Source: xXO3Bx1Gtv.exe |
Static PE information: section name: ./PING/0 entropy: 7.837674875091487 |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: Amcache.hve.3.dr |
Binary or memory string: VMware |
Source: Amcache.hve.3.dr |
Binary or memory string: VMware Virtual USB Mouse |
Source: Amcache.hve.3.dr |
Binary or memory string: vmci.syshbin |
Source: Amcache.hve.3.dr |
Binary or memory string: VMware, Inc. |
Source: Amcache.hve.3.dr |
Binary or memory string: VMware20,1hbin@ |
Source: Amcache.hve.3.dr |
Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563 |
Source: Amcache.hve.3.dr |
Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: Amcache.hve.3.dr |
Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys |
Source: Amcache.hve.3.dr |
Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Amcache.hve.3.dr |
Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev |
Source: Amcache.hve.3.dr |
Binary or memory string: c:/windows/system32/drivers/vmci.sys |
Source: Amcache.hve.3.dr |
Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: Amcache.hve.3.dr |
Binary or memory string: vmci.sys |
Source: Amcache.hve.3.dr |
Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0 |
Source: Amcache.hve.3.dr |
Binary or memory string: vmci.syshbin` |
Source: Amcache.hve.3.dr |
Binary or memory string: \driver\vmci,\driver\pci |
Source: Amcache.hve.3.dr |
Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Amcache.hve.3.dr |
Binary or memory string: VMware20,1 |
Source: Amcache.hve.3.dr |
Binary or memory string: Microsoft Hyper-V Generation Counter |
Source: Amcache.hve.3.dr |
Binary or memory string: NECVMWar VMware SATA CD00 |
Source: Amcache.hve.3.dr |
Binary or memory string: VMware Virtual disk SCSI Disk Device |
Source: Amcache.hve.3.dr |
Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom |
Source: Amcache.hve.3.dr |
Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk |
Source: Amcache.hve.3.dr |
Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver |
Source: Amcache.hve.3.dr |
Binary or memory string: VMware PCI VMCI Bus Device |
Source: Amcache.hve.3.dr |
Binary or memory string: VMware VMCI Bus Device |
Source: Amcache.hve.3.dr |
Binary or memory string: VMware Virtual RAM |
Source: Amcache.hve.3.dr |
Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1 |
Source: Amcache.hve.3.dr |
Binary or memory string: vmci.inf_amd64_68ed49469341f563 |
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe |
Code function: 0_2_00465ADF mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\xXO3Bx1Gtv.exe |
Code function: 0_2_0045BEE6 mov ecx, dword ptr fs:[00000030h] |
Source: xXO3Bx1Gtv.exe, 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmp |
String found in binary or memory: barbecueappledos.pw |
Source: xXO3Bx1Gtv.exe, 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmp |
String found in binary or memory: killredls.pw |
Source: xXO3Bx1Gtv.exe, 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmp |
String found in binary or memory: keewoolas.pw |
Source: xXO3Bx1Gtv.exe, 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmp |
String found in binary or memory: moskhoods.pw |
Source: xXO3Bx1Gtv.exe, 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmp |
String found in binary or memory: dayzilons.pw |
Source: xXO3Bx1Gtv.exe, 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmp |
String found in binary or memory: revivalsecularas.pw |
Source: xXO3Bx1Gtv.exe, 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmp |
String found in binary or memory: steycools.pw |
Source: xXO3Bx1Gtv.exe, 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmp |
String found in binary or memory: bloockflad.pw |
Source: xXO3Bx1Gtv.exe, 00000000.00000002.1760081514.0000000000481000.00000008.00000001.01000000.00000003.sdmp |
String found in binary or memory: bookgames.pw |
Source: Amcache.hve.3.dr |
Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe |
Source: Amcache.hve.3.dr |
Binary or memory string: msmpeng.exe |
Source: Amcache.hve.3.dr |
Binary or memory string: c:\program files\windows defender\msmpeng.exe |
Source: Amcache.hve.3.dr |
Binary or memory string: MsMpEng.exe |