Source: 0.2.csshead.exe.50000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen |
Source: 1.2.explorer.exe.490000.5.unpack | Avira: Label: TR/Crypt.XPACK.Gen |
Source: 1.2.explorer.exe.7c0000.6.unpack | Avira: Label: TR/Crypt.XPACK.Gen |
Source: 0.2.csshead.exe.400000.1.unpack | Avira: Label: HEUR/AGEN.1023574 |
Source: 0.0.csshead.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen |
Source: 0.1.csshead.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen |
Source: 00000001.00000002.28504861757.007C0000.00000040.sdmp, type: MEMORY | Matched rule: IMPLANT_4_v10 author = US CERT, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, description = BlackEnergy / Voodoo Bear Implant by APT28, date = 2017-02-10, score = |
Source: 00000000.00000002.27490223943.00050000.00000004.sdmp, type: MEMORY | Matched rule: IMPLANT_4_v10 author = US CERT, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, description = BlackEnergy / Voodoo Bear Implant by APT28, date = 2017-02-10, score = |
Source: 0.2.csshead.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: IMPLANT_4_v10 author = US CERT, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, description = BlackEnergy / Voodoo Bear Implant by APT28, date = 2017-02-10, score = |
Source: 0.2.csshead.exe.50000.0.unpack, type: UNPACKEDPE | Matched rule: IMPLANT_4_v10 author = US CERT, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, description = BlackEnergy / Voodoo Bear Implant by APT28, date = 2017-02-10, score = |
Source: 1.2.explorer.exe.7c0000.6.unpack, type: UNPACKEDPE | Matched rule: IMPLANT_4_v10 author = US CERT, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, description = BlackEnergy / Voodoo Bear Implant by APT28, date = 2017-02-10, score = |
Source: 1.2.explorer.exe.7c0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: IMPLANT_4_v10 author = US CERT, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, description = BlackEnergy / Voodoo Bear Implant by APT28, date = 2017-02-10, score = |
Source: 0.2.csshead.exe.50000.0.raw.unpack, type: UNPACKEDPE | Matched rule: IMPLANT_4_v10 author = US CERT, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, description = BlackEnergy / Voodoo Bear Implant by APT28, date = 2017-02-10, score = |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004017A2 CryptDecrypt,CryptDecrypt, | 0_2_004017A2 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_0040153C CryptGenRandom,CryptGenRandom, | 0_2_0040153C |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00401402 CryptHashData,CryptHashData, | 0_2_00401402 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004017A4 CryptDecrypt,CryptDecrypt, | 0_2_004017A4 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00401AAE CryptEncrypt,CryptEncrypt, | 0_2_00401AAE |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004017E8 CryptAcquireContextA,CryptAcquireContextA, | 0_2_004017E8 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00401574 CryptSetKeyParam,CryptSetKeyParam, | 0_2_00401574 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00401AB0 CryptEncrypt,CryptEncrypt, | 0_2_00401AB0 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00401374 CryptCreateHash,CryptCreateHash, | 0_2_00401374 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004018A0 CryptImportKey,CryptImportKey, | 0_2_004018A0 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004014D0 CryptDestroyHash,CryptDestroyHash, | 0_2_004014D0 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00401490 CryptGetHashParam,CryptGetHashParam, | 0_2_00401490 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00401404 CryptHashData,CryptHashData, | 0_2_00401404 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00401AF8 CryptDestroyKey,CryptDestroyKey, | 0_2_00401AF8 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00401B20 CryptReleaseContext,CryptReleaseContext, | 0_2_00401B20 |
Source: C:\Windows\explorer.exe | Code function: 1_2_007C17E8 CryptAcquireContextA,CryptAcquireContextA, | 1_2_007C17E8 |
Source: C:\Windows\explorer.exe | Code function: 1_2_007C18A0 CryptImportKey,CryptImportKey, | 1_2_007C18A0 |
Source: C:\Windows\explorer.exe | Code function: 1_2_007C153C CryptGenRandom,CryptGenRandom, | 1_2_007C153C |
Source: C:\Windows\explorer.exe | Code function: 1_2_007C17A4 CryptDecrypt,CryptDecrypt, | 1_2_007C17A4 |
Source: C:\Windows\explorer.exe | Code function: 1_2_007C1574 CryptSetKeyParam,CryptSetKeyParam, | 1_2_007C1574 |
Source: C:\Windows\explorer.exe | Code function: 1_2_007C1AB0 CryptEncrypt,CryptEncrypt, | 1_2_007C1AB0 |
Source: C:\Windows\explorer.exe | Code function: 1_2_007C1404 CryptHashData,CryptHashData, | 1_2_007C1404 |
Source: C:\Windows\explorer.exe | Code function: 1_2_007C1374 CryptCreateHash,CryptCreateHash, | 1_2_007C1374 |
Source: C:\Windows\explorer.exe | Code function: 1_2_007C17A2 CryptDecrypt,CryptDecrypt, | 1_2_007C17A2 |
Source: C:\Windows\explorer.exe | Code function: 1_2_007C1B20 CryptReleaseContext,CryptReleaseContext, | 1_2_007C1B20 |
Source: C:\Windows\explorer.exe | Code function: 1_2_007C1402 CryptHashData,CryptHashData, | 1_2_007C1402 |
Source: C:\Windows\explorer.exe | Code function: 1_2_007C1AAE CryptEncrypt,CryptEncrypt, | 1_2_007C1AAE |
Source: C:\Windows\explorer.exe | Code function: 1_2_007C1490 CryptGetHashParam,CryptGetHashParam, | 1_2_007C1490 |
Source: C:\Windows\explorer.exe | Code function: 1_2_007C1AF8 CryptDestroyKey,CryptDestroyKey, | 1_2_007C1AF8 |
Source: C:\Windows\explorer.exe | Code function: 1_2_007C14D0 CryptDestroyHash,CryptDestroyHash, | 1_2_007C14D0 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004018A0 CryptImportKey,CryptImportKey, | 0_2_004018A0 |
Source: C:\Windows\explorer.exe | Code function: 1_2_007C18A0 CryptImportKey,CryptImportKey, | 1_2_007C18A0 |
Source: csshead.exe, 00000000.00000002.27490890262.00599000.00000004.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> | |
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_FDB452422670E72EDD3FB3D65568F821 |
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F5F320A94D4D2B4465D8F17E2BB2D351_0BA94B3A3CB67F245E2A70E0B581D64B |
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08 |
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A9311CC87BA03C7CB180095ACB967E37 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 4x nop then pop ecx | 0_2_00409178 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 4x nop then pop ecx | 0_2_00409147 |
Source: C:\Windows\explorer.exe | Code function: 4x nop then pop ecx | 1_2_007C9178 |
Source: C:\Windows\explorer.exe | Code function: 4x nop then pop ecx | 1_2_007C9147 |
Source: unknown | DNS traffic detected: query: nvxij5qutl.net replaycode: Name error (3) |
Source: unknown | DNS traffic detected: query: rmqgc5frw3.com replaycode: Name error (3) |
Source: unknown | DNS traffic detected: query: zqvdnvokoq.net replaycode: Name error (3) |
Source: unknown | DNS traffic detected: query: pmtz1iirvr.com replaycode: Name error (3) |
Source: unknown | DNS traffic detected: query: tdgku3qbl1r.net replaycode: Name error (3) |
Source: unknown | DNS traffic detected: query: ktchyigkk2iwi3.com replaycode: Name error (3) |
Source: unknown | DNS traffic detected: query: gdelzlc224n5q9.net replaycode: Name error (3) |
Source: unknown | DNS traffic detected: query: s4v3xhn3swcbmbc.com replaycode: Name error (3) |
Source: unknown | DNS traffic detected: query: phyrnfojfwiyuz.net replaycode: Name error (3) |
Source: unknown | DNS traffic detected: query: hdylvm3db3ixvi.com replaycode: Name error (3) |
Source: unknown | DNS traffic detected: query: e45cukuntbcou.net replaycode: Name error (3) |
Source: unknown | DNS traffic detected: query: r5hfff2lnn9mn.com replaycode: Name error (3) |
Source: unknown | DNS traffic detected: query: titz9qqc5szt.net replaycode: Name error (3) |
Source: unknown | DNS traffic detected: query: fcs1fscxh2oa.com replaycode: Name error (3) |
Source: unknown | DNS traffic detected: query: gj2pexhfy95v.net replaycode: Name error (3) |
Source: unknown | DNS traffic detected: query: hp1sofo5bnc.com replaycode: Name error (3) |
Source: unknown | DNS traffic detected: query: tmmq5lcauha.net replaycode: Name error (3) |
Source: unknown | DNS traffic detected: query: hvzaduc42t2o.com replaycode: Name error (3) |
Source: unknown | DNS traffic detected: query: gvyn4bo2n3qq.net replaycode: Name error (3) |
Source: unknown | DNS traffic detected: query: hs1agojraguo.com replaycode: Name error (3) |
Source: unknown | DNS traffic detected: query: erz5yxeblneu.net replaycode: Name error (3) |
Source: unknown | DNS traffic detected: query: zo4q11gk3iyjgw.com replaycode: Name error (3) |
Source: unknown | DNS traffic detected: query: 5v95xlfdzrj1de.net replaycode: Name error (3) |
Source: unknown | DNS traffic detected: query: 4yony3itl9losv.com replaycode: Name error (3) |
Source: unknown | DNS traffic detected: query: tyou23hsrm.net replaycode: Name error (3) |
Source: unknown | DNS traffic detected: query: j4rjf2dtjl.com replaycode: Name error (3) |
Source: unknown | DNS traffic detected: query: n5k2ekq2ro.net replaycode: Name error (3) |
Source: unknown | DNS traffic detected: query: jdf2xx9wetn.com replaycode: Name error (3) |
Source: unknown | DNS traffic detected: query: 5julzwwlbkrgvm.net replaycode: Name error (3) |
Source: unknown | DNS traffic detected: query: b1l41m3rggg5nz.com replaycode: Name error (3) |
Source: unknown | DNS traffic detected: query: cwug3djg3reoa9.net replaycode: Name error (3) |
Source: unknown | DNS traffic detected: query: ushy2wtgwvny.com replaycode: Name error (3) |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00419D20 CoInitialize,NtdllDefWindowProc_A,GetCommandLineA,CreateMenu,LoadMenuA,LoadMenuA,LoadBitmapA,AppendMenuA,LoadMenuA,BeginDeferWindowPos,CreateMetaFileA,SetBrushOrgEx,LoadImageA,FtpPutFileEx,GetSysColorBrush,FrameRect,GlobalAlloc,GetLastError,GetIconInfo,GetIconInfo,GetDIBits,GetDIBits,GetDIBits,GetDIBits,GetDIBits,SetWindowContextHelpId,GetDlgItem,GetDlgItem,SetWindowContextHelpId,mmioSetInfo,mmioAscend,GetSystemInfo,CloseHandle,GetSystemTimeAsFileTime,SetConsoleCtrlHandler,CreateFileA,CreateIoCompletionPort,CopyImage,DrawMenuBar,FindResourceA,VirtualAlloc,LoadLibraryA,LoadLibraryA,LoadIconA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadIconA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadIconA,LoadIco | 0_2_00419D20 |
Source: global traffic | HTTP traffic detected: GET /gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/10.0Host: ocsp.pki.goog |
Source: global traffic | HTTP traffic detected: GET /GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCCCIrzM%2FKFFw%2B HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/10.0Host: ocsp.pki.goog |
Source: global traffic | HTTP traffic detected: GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgO54qVnGaYpxjBEoQUm57uvQQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/10.0Host: ocsp.int-x3.letsencrypt.org |
Source: E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08.1.dr | String found in binary or memory: http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUx |
Source: F5F320A94D4D2B4465D8F17E2BB2D351_0BA94B3A3CB67F245E2A70E0B581D64B.1.dr | String found in binary or memory: http://ocsp.pki.goog/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndn |
Source: CFE86DBBE02D859DC92F1E17E0574EE8_FDB452422670E72EDD3FB3D65568F821.1.dr | String found in binary or memory: http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBq |
Source: csshead.exe, explorer.exe | String found in binary or memory: https:// |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49686 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49687 |
Source: unknown | Network traffic detected: HTTP traffic on port 49684 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49687 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49686 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49684 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_0040949C push 004094C8h; ret | 0_2_004094C0 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004094E0 push 00409506h; ret | 0_2_004094FE |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_0040103C push 00401068h; ret | 0_2_00401060 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_0040107C push 004010A8h; ret | 0_2_004010A0 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00429267 push ebx; ret | 0_2_00429268 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00434271 push eax; retf | 0_2_00434272 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00429F35 push ecx; ret | 0_2_00429F48 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00434F2B pushad ; iretd | 0_2_00434F2C |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00432D21 pushfd ; retf 0043h | 0_2_00432D22 |
Source: C:\Windows\explorer.exe | Code function: 1_2_007C949C push 007C94C8h; ret | 1_2_007C94C0 |
Source: C:\Windows\explorer.exe | Code function: 1_2_007C103C push 007C1068h; ret | 1_2_007C1060 |
Source: C:\Windows\explorer.exe | Code function: 1_2_007C107C push 007C10A8h; ret | 1_2_007C10A0 |
Source: C:\Windows\explorer.exe | Code function: 1_2_007C94E0 push 007C9506h; ret | 1_2_007C94FE |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00403988 FindFirstFileA,FindClose, | 0_2_00403988 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00405640 SHGetSpecialFolderPathA,FindFirstFileA,FindNextFileA,FindClose, | 0_2_00405640 |
Source: C:\Windows\explorer.exe | Code function: 1_2_007C5640 SHGetSpecialFolderPathA,FindFirstFileA,FindNextFileA,FindClose, | 1_2_007C5640 |
Source: C:\Windows\explorer.exe | Code function: 1_2_007C3988 FindFirstFileA,FindClose, | 1_2_007C3988 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00404E94 NtQueryInformationProcess,ReadProcessMemory, | 0_2_00404E94 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00408A48 PostQuitMessage,NtdllDefWindowProc_A, | 0_2_00408A48 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00404DE0 NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory, | 0_2_00404DE0 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00408A44 NtdllDefWindowProc_A, | 0_2_00408A44 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00419D20 CoInitialize,NtdllDefWindowProc_A,GetCommandLineA,CreateMenu,LoadMenuA,LoadMenuA,LoadBitmapA,AppendMenuA,LoadMenuA,BeginDeferWindowPos,CreateMetaFileA,SetBrushOrgEx,LoadImageA,FtpPutFileEx,GetSysColorBrush,FrameRect,GlobalAlloc,GetLastError,GetIconInfo,GetIconInfo,GetDIBits,GetDIBits,GetDIBits,GetDIBits,GetDIBits,SetWindowContextHelpId,GetDlgItem,GetDlgItem,SetWindowContextHelpId,mmioSetInfo,mmioAscend,GetSystemInfo,CloseHandle,GetSystemTimeAsFileTime,SetConsoleCtrlHandler,CreateFileA,CreateIoCompletionPort,CopyImage,DrawMenuBar,FindResourceA,VirtualAlloc,LoadLibraryA,LoadLibraryA,LoadIconA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadIconA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadIconA,LoadIco | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00410210 NtdllDefWindowProc_A, | 0_2_00410210 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00421360 NtdllDefWindowProc_A, | 0_2_00421360 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00410190 IsWindow,GetWindowLongA,SetWindowLongA,NtdllDefWindowProc_A, | 0_2_00410190 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00417E60 GetWindowLongA,GetWindowLongA,GetWindowLongA,SetWindowLongA,NtdllDefWindowProc_A, | 0_2_00417E60 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_0041E9C0 SendMessageA,IsWindow,IsWindow,IsWindow,GetWindowLongA,SetWindowLongA,NtdllDefWindowProc_A, | 0_2_0041E9C0 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00417ED0 GetWindowLongA,GetWindowLongA,GetWindowLongA,SetWindowLongA,GetWindowLongA,OleUninitialize,OleInitialize,GetWindowTextLengthA,GetWindowTextA,SetWindowTextA,GlobalAlloc,GlobalFix,GlobalUnWire,lstrlen,SetWindowLongA,NtdllDefWindowProc_A, | 0_2_00417ED0 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00418620 NtdllDefWindowProc_A, | 0_2_00418620 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00410810 NtdllDefWindowProc_A, | 0_2_00410810 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00421620 NtdllDefWindowProc_A, | 0_2_00421620 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00418190 GetWindowLongA,GetWindowLongA,GetWindowLongA,SetWindowLongA,GetWindowLongA,OleUninitialize,OleInitialize,GetWindowTextLengthA,GetWindowTextA,SetWindowTextA,GlobalAlloc,GlobalFix,GlobalUnWire,SysFreeString,lstrlen,SysFreeString,SetWindowLongA,SysFreeString,NtdllDefWindowProc_A, | 0_2_00418190 |
Source: C:\Windows\explorer.exe | Code function: 1_2_007C8A48 PostQuitMessage,NtdllDefWindowProc_A, | 1_2_007C8A48 |
Source: C:\Windows\explorer.exe | Code function: 1_2_007C4E94 NtQueryInformationProcess,ReadProcessMemory, | 1_2_007C4E94 |
Source: C:\Windows\explorer.exe | Code function: 1_2_007C4DE0 NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory, | 1_2_007C4DE0 |
Source: C:\Windows\explorer.exe | Code function: 1_2_007C8A44 NtdllDefWindowProc_A, | 1_2_007C8A44 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00405D20 | 0_2_00405D20 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00419D20 | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_0041C95B | 0_2_0041C95B |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_0043256D | 0_2_0043256D |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00430D58 | 0_2_00430D58 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00423AD0 | 0_2_00423AD0 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00430807 | 0_2_00430807 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004302B6 | 0_2_004302B6 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_0042E76B | 0_2_0042E76B |
Source: C:\Windows\explorer.exe | Code function: 1_2_007C5D20 | 1_2_007C5D20 |
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts |
Source: csshead.exe, 00000000.00000001.27391130383.00456000.00000008.sdmp | Binary or memory string: OriginalFilenametemplate.exeJ vs csshead.exe |
Source: csshead.exe | Binary or memory string: OriginalFilenametemplate.exeJ vs csshead.exe |
Source: C:\Users\user\Desktop\csshead.exe | Section loaded: open.dll |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00419D20 CoInitialize,NtdllDefWindowProc_A,GetCommandLineA,CreateMenu,LoadMenuA,LoadMenuA,LoadBitmapA,AppendMenuA,LoadMenuA,BeginDeferWindowPos,CreateMetaFileA,SetBrushOrgEx,LoadImageA,FtpPutFileEx,GetSysColorBrush,FrameRect,GlobalAlloc,GetLastError,GetIconInfo,GetIconInfo,GetDIBits,GetDIBits,GetDIBits,GetDIBits,GetDIBits,SetWindowContextHelpId,GetDlgItem,GetDlgItem,SetWindowContextHelpId,mmioSetInfo,mmioAscend,GetSystemInfo,CloseHandle,GetSystemTimeAsFileTime,SetConsoleCtrlHandler,CreateFileA,CreateIoCompletionPort,CopyImage,DrawMenuBar,FindResourceA,VirtualAlloc,LoadLibraryA,LoadLibraryA,LoadIconA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadIconA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadIconA,LoadIco | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: Menu | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: Bitmap | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: Edit | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: WAV | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: open | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: open | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: open | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: Profile | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: .icm | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: .icm | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: open | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: open | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: Profile | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: .icm | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: open | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: Profile | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: .icm | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: Profile | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: .icm | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: open | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: Profile | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: .icm | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: open | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: open | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: Profile | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: .icm | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: open | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: open | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: open | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: Profile | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: .icm | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: Profile | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: .icm | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: Profile | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: .icm | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: Profile | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: .icm | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: open | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: Profile | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: .icm | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: open | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: open | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: Profile | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: .icm | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: Profile | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: open | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: open | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: Profile | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: .icm | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: open | 0_2_00419D20 |
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: @G@ | 0_2_00419D20 |
Source: unknown | Process created: C:\Users\user\Desktop\csshead.exe 'C:\Users\user\Desktop\csshead.exe' | |
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe | |
Source: C:\Users\user\Desktop\csshead.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00404406 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree, | 0_2_00404406 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004041C8 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,CloseHandle,AllocateAndInitializeSid,EqualSid,FreeSid, | 0_2_004041C8 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004024F8 mov eax, dword ptr fs:[00000030h] | 0_2_004024F8 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_01821560 mov eax, dword ptr fs:[00000030h] | 0_2_01821560 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_01823134 mov eax, dword ptr fs:[00000030h] | 0_2_01823134 |
Source: C:\Windows\explorer.exe | Code function: 1_2_007C24F8 mov eax, dword ptr fs:[00000030h] | 1_2_007C24F8 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_0042CA48 SetUnhandledExceptionFilter, | 0_2_0042CA48 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00424FEB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_00424FEB |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00429814 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 0_2_00429814 |
Source: C:\Windows\explorer.exe | Code function: 1_2_007C6DB0 GetTickCount,Sleep,GetTickCount, | 1_2_007C6DB0 |
Source: C:\Windows\explorer.exe | Code function: 1_2_007C6DC8 GetTickCount,Sleep,GetTickCount, | 1_2_007C6DC8 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00403988 FindFirstFileA,FindClose, | 0_2_00403988 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00405640 SHGetSpecialFolderPathA,FindFirstFileA,FindNextFileA,FindClose, | 0_2_00405640 |
Source: C:\Windows\explorer.exe | Code function: 1_2_007C5640 SHGetSpecialFolderPathA,FindFirstFileA,FindNextFileA,FindClose, | 1_2_007C5640 |
Source: C:\Windows\explorer.exe | Code function: 1_2_007C3988 FindFirstFileA,FindClose, | 1_2_007C3988 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00419D20 CoInitialize,NtdllDefWindowProc_A,GetCommandLineA,CreateMenu,LoadMenuA,LoadMenuA,LoadBitmapA,AppendMenuA,LoadMenuA,BeginDeferWindowPos,CreateMetaFileA,SetBrushOrgEx,LoadImageA,FtpPutFileEx,GetSysColorBrush,FrameRect,GlobalAlloc,GetLastError,GetIconInfo,GetIconInfo,GetDIBits,GetDIBits,GetDIBits,GetDIBits,GetDIBits,SetWindowContextHelpId,GetDlgItem,GetDlgItem,SetWindowContextHelpId,mmioSetInfo,mmioAscend,GetSystemInfo,CloseHandle,GetSystemTimeAsFileTime,SetConsoleCtrlHandler,CreateFileA,CreateIoCompletionPort,CopyImage,DrawMenuBar,FindResourceA,VirtualAlloc,LoadLibraryA,LoadLibraryA,LoadIconA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadIconA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadIconA,LoadIco | 0_2_00419D20 |
Source: csshead.exe, 00000000.00000002.27490890262.00599000.00000004.sdmp | Binary or memory string: vmware |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00420B80 GetWindowLongA,SendMessageA,SendMessageA,GetWindowLongA,IsWindowVisible,IsIconic,ShowWindow,SendMessageA,GetWindowLongA,SendMessageA,SendMessageA,SendMessageA,GetParent,SendMessageA, | 0_2_00420B80 |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00406EEC LoadLibraryA,SetupDiGetClassDevsA,SetupDiEnumDeviceInfo,SetupDiGetDeviceRegistryPropertyA,CharLowerBuffA,SetupDiDestroyDeviceInfoList,SetupDiGetClassDevsA,SetupDiEnumDeviceInfo,SetupDiGetDeviceRegistryPropertyA,CharLowerBuffA,SetupDiDestroyDeviceInfoList, | 0_2_00406EEC |
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID |
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_0041C95B LoadLibraryA,LoadIconA,LoadIconA,OleCreatePictureIndirect,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,CreateEventA,GetClassLongA,SetClassLongA,GetCursorPos,GetCursorPos,WaitForSingleObject,WaitNamedPipeA,CreateFileA,WaitNamedPipeA,CreateFileA,SetNamedPipeHandleState,CloseHandle,CloseHandle,WriteFile,ReadFile,WriteFile,CloseHandle,ReadFile,CloseHandle,LookupAccountNameA,LookupAccountNameA,GetLastError,GetLastError,GetLastError,GetLastError,LocalAlloc,LocalAlloc,GetLastError,LocalAlloc,GetLastError,LookupAccountNameA,GetLastError,LocalFree,SetStretchBltMode,SetStretchBltMode,SetAbortProc,DrawFrameControl,LoadImageA,SetWindowLongA,SetWindowLongA,CreateEventA,GetCursorPos,GetCursorPos,DragQueryFile,CreateRectRgnIndirect,WaitForSingleObject,EnableMenuItem,GetDlgItem,OleInitialize,RegisterDragDrop,GetTopWindow,RevokeDragDrop,OleUninitialize,SetMenuItemInfoA,GetLastError,DrawMenuBar,GetMenuItemInfoA,BeginPaint,EndPaint,GetClientRect,EnumDateFormatsA,lstrcmpi,lstrcmpi,lstrcmpi | 0_2_0041C95B |