Source: 00000003.00000002.1038188324.00000000022D0000.00000040.00000001.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?cid=7FA6B3"} |
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Virustotal: Detection: 39% |
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
ReversingLabs: Detection: 27% |
Source: Yara match |
File source: 0000000F.00000002.5679272163.000000000302B000.00000004.00000020.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: ieinstal.exe PID: 5020, type: MEMORYSTR |
Source: C:\Users\user\AppData\Local\Temp\Agerhnsjagtfi\Countysygej.exe |
Virustotal: Detection: 39% |
Source: C:\Users\user\AppData\Local\Temp\Agerhnsjagtfi\Countysygej.exe |
ReversingLabs: Detection: 27% |
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor |
URLs: https://onedrive.live.com/download?cid=7FA6B3 |
Source: unknown |
DNS query: name: olufem.ddns.net |
Source: Joe Sandbox View |
ASN Name: TMNET-AS-APTMNetInternetServiceProviderMY TMNET-AS-APTMNetInternetServiceProviderMY |
Source: global traffic |
TCP traffic: 192.168.11.20:49768 -> 124.82.81.98:6111 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: ieinstal.exe, 0000000F.00000003.951398551.0000000002FD8000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5677573236.0000000002FD8000.00000004.00000020.sdmp |
String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06 |
Source: ieinstal.exe, 0000000F.00000003.951398551.0000000002FD8000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5677573236.0000000002FD8000.00000004.00000020.sdmp |
String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: ieinstal.exe, 0000000F.00000003.951398551.0000000002FD8000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5677573236.0000000002FD8000.00000004.00000020.sdmp |
String found in binary or memory: https://7ybh4q.bn.files.1drv.com/ |
Source: ieinstal.exe, 0000000F.00000003.951398551.0000000002FD8000.00000004.00000001.sdmp |
String found in binary or memory: https://7ybh4q.bn.files.1drv.com/D |
Source: ieinstal.exe, 0000000F.00000002.5677573236.0000000002FD8000.00000004.00000020.sdmp |
String found in binary or memory: https://7ybh4q.bn.files.1drv.com/f |
Source: ieinstal.exe, 0000000F.00000003.951398551.0000000002FD8000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5677573236.0000000002FD8000.00000004.00000020.sdmp, ieinstal.exe, 0000000F.00000003.951864678.0000000003030000.00000004.00000001.sdmp |
String found in binary or memory: https://7ybh4q.bn.files.1drv.com/y4mrYMhoGbjFe4lMap9L9LeL2yBCYdzRMAuRmtg6XK6YTbK2Pi7yHWQHU8EnZiLbINN |
Source: ieinstal.exe, 0000000F.00000002.5674818296.0000000002F58000.00000004.00000020.sdmp |
String found in binary or memory: https://onedrive.live.com/ |
Source: ieinstal.exe, 0000000F.00000002.5674818296.0000000002F58000.00000004.00000020.sdmp |
String found in binary or memory: https://onedrive.live.com/E |
Source: ieinstal.exe, 0000000F.00000002.5681941208.0000000004970000.00000004.00000001.sdmp |
String found in binary or memory: https://onedrive.live.com/download?cid=7FA6B3539DFD0E74&resid=7FA6B3539DFD0E74%211122&authkey=AFlmPX |
Source: unknown |
DNS traffic detected: queries for: onedrive.live.com |
Source: Yara match |
File source: 0000000F.00000002.5679272163.000000000302B000.00000004.00000020.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: ieinstal.exe PID: 5020, type: MEMORYSTR |
Source: initial sample |
Static PE information: Filename: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Static file information: Suspicious name |
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DD82A |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D8863 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DB5A0 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DFDCF |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DEA2B |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D1E67 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D1272 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D1E5C |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DDF39 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D6F34 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D6F0E |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DD76D |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DDF76 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DDF44 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D67AF |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DDFA4 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D47EF |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D6FF3 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D67C6 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DD82C |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D7824 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D6820 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DF032 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D481B |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DD863 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DD8BF |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DB48A |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D7093 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D08F9 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DD8CC |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D48C3 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D70DE |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D4933 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DD903 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D4967 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D0943 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D495D |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D8556 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DB5AB |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D11B1 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D498F |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D41F7 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D11F3 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D41C0 |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Code function: 15_2_02CF0710 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DD82A NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D8863 NtWriteVirtualMemory, |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DF872 NtProtectVirtualMemory, |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DDA3B NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DDA6A NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DDAA6 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DDAD3 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DDB38 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DDB00 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DDB76 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DDBC7 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DD82C NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DDC13 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DD863 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D887B NtWriteVirtualMemory, |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DD8BF NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DD8CC NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DD93B NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DD903 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D896B NtWriteVirtualMemory, |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DD9B2 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DD983 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DD9E5 NtAllocateVirtualMemory, |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Code function: 15_2_02CF0B83 Sleep,NtProtectVirtualMemory, |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Code function: 15_2_02CF0C78 NtProtectVirtualMemory, |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Code function: 15_2_02CF0CC8 NtProtectVirtualMemory, |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Code function: 15_2_02CF0C47 NtProtectVirtualMemory, |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Code function: 15_2_02CF0BD8 NtProtectVirtualMemory, |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Code function: 15_2_02CF0D17 NtProtectVirtualMemory, |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Code function: 15_2_02CF0C7F NtProtectVirtualMemory, |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Code function: 15_2_02CF0C77 NtProtectVirtualMemory, |
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000000.602674209.000000000041C000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameGRUDGEFULUNNOT.exe vs Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Binary or memory string: OriginalFilenameGRUDGEFULUNNOT.exe vs Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: Countysygej.exe.15.dr |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Section loaded: edgegdi.dll |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Section loaded: edgegdi.dll |
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Static PE information: invalid certificate |
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Virustotal: Detection: 39% |
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
ReversingLabs: Detection: 27% |
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown |
Process created: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe "C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe" |
|
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe" |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 |
Source: classification engine |
Classification label: mal100.troj.spyw.evad.winEXE@3/3@10/1 |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Mutant created: \Sessions\1\BaseNamedObjects\audiotsk-5IOG84 |
Source: Yara match |
File source: 00000003.00000002.1038188324.00000000022D0000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000000F.00000000.759017370.0000000002CE0000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_00407484 push 1002C579h; iretd |
3_2_00407491 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_00404764 push esi; ret |
3_2_0040488D |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D9605 push es; iretd |
3_2_022D9615 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D5A4B pushad ; retf |
3_2_022D5A4E |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D037F push ds; ret |
3_2_022D0516 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D03BB push ds; ret |
3_2_022D0516 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D0383 push ds; ret |
3_2_022D0516 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DA7FF push cs; iretd |
3_2_022DA806 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D043F push ds; ret |
3_2_022D0516 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D0403 push ds; ret |
3_2_022D0516 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D046F push ds; ret |
3_2_022D0516 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D04A7 push ds; ret |
3_2_022D0516 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D04EC push ds; ret |
3_2_022D0516 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D0CD1 push ds; ret |
3_2_022D0D73 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D0CD3 push ds; ret |
3_2_022D0D73 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D116B pushfd ; iretd |
3_2_022D116C |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D95F5 push es; iretd |
3_2_022D9615 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
File created: \hong tak engineering sb payment receipt 241121_pdf.exe |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Tanadarforurenings |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
File opened: C:\Program Files\qga\qga.exe |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
File opened: C:\Program Files\qga\qga.exe |
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039492404.0000000002CF0000.00000004.00000001.sdmp |
Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WIN64; X64) APPLEWEBKIT/537.36 (KHTML, LIKE GECKO) CHROME/91.0.4472.124 SAFARI/537.36SHELL32ADVAPI32TEMP=PROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLL |
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039492404.0000000002CF0000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5681941208.0000000004970000.00000004.00000001.sdmp |
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
Source: ieinstal.exe, 0000000F.00000002.5681941208.0000000004970000.00000004.00000001.sdmp |
Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WIN64; X64) APPLEWEBKIT/537.36 (KHTML, LIKE GECKO) CHROME/91.0.4472.124 SAFARI/537.36SHELL32ADVAPI32TEMP=\COUNTYSYGEJ.EXE\AGERHNSJAGTFISOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNTANADARFORURENINGSHTTPS://ONEDRIVE.LIVE.COM/DOWNLOAD?CID=7FA6B3539DFD0E74&RESID=7FA6B3539DFD0E74%211122&AUTHKEY=AFLMPX3MS1VU7IU |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 8196 |
Thread sleep count: 9176 > 30 |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 8196 |
Thread sleep time: -45880s >= -30000s |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Window / User API: threadDelayed 9176 |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Window / User API: foregroundWindowGot 673 |
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039593867.0000000003249000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Guest Shutdown Service |
Source: ieinstal.exe, 0000000F.00000002.5674818296.0000000002F58000.00000004.00000020.sdmp |
Binary or memory string: Hyper-V RAW8 |
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039593867.0000000003249000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Remote Desktop Virtualization Service |
Source: ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp |
Binary or memory string: vmicshutdown |
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039593867.0000000003249000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Volume Shadow Copy Requestor |
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039492404.0000000002CF0000.00000004.00000001.sdmp |
Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36shell32advapi32TEMP=ProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dll |
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039593867.0000000003249000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V PowerShell Direct Service |
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039593867.0000000003249000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Time Synchronization Service |
Source: ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp |
Binary or memory string: vmicvss |
Source: ieinstal.exe, 0000000F.00000002.5677340949.0000000002FC9000.00000004.00000020.sdmp |
Binary or memory string: Hyper-V RAW |
Source: ieinstal.exe, 0000000F.00000002.5681941208.0000000004970000.00000004.00000001.sdmp |
Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36shell32advapi32TEMP=\Countysygej.exe\AgerhnsjagtfiSoftware\Microsoft\Windows\CurrentVersion\RunTanadarforureningshttps://onedrive.live.com/download?cid=7FA6B3539DFD0E74&resid=7FA6B3539DFD0E74%211122&authkey=AFlmPX3ms1Vu7IU |
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039492404.0000000002CF0000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5681941208.0000000004970000.00000004.00000001.sdmp |
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039593867.0000000003249000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Data Exchange Service |
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039593867.0000000003249000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Heartbeat Service |
Source: Hong Tak Engineering SB Payment Receipt 241121_PDF.exe, 00000003.00000002.1039593867.0000000003249000.00000004.00000001.sdmp, ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Guest Service Interface |
Source: ieinstal.exe, 0000000F.00000002.5674818296.0000000002F58000.00000004.00000020.sdmp |
Binary or memory string: Hyper-V RAWVY |
Source: ieinstal.exe, 0000000F.00000002.5682267147.0000000004A49000.00000004.00000001.sdmp |
Binary or memory string: vmicheartbeat |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Thread information set: HideFromDebugger |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Thread information set: HideFromDebugger |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DEA2B mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DC345 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022D9889 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DD108 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Process queried: DebugPort |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Process queried: DebugPort |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Code function: 3_2_022DAD16 LdrInitializeThunk, |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2CE0000 |
Source: C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe |
Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\Hong Tak Engineering SB Payment Receipt 241121_PDF.exe" |
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp |
Binary or memory string: Program Managers.net:6111E |
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp |
Binary or memory string: Program Managers.net:6111 |
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp, ieinstal.exe, 0000000F.00000002.5680749572.0000000003560000.00000002.00020000.sdmp |
Binary or memory string: Program Manager |
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp |
Binary or memory string: Program ManagerEM t8 |
Source: ieinstal.exe, 0000000F.00000002.5680749572.0000000003560000.00000002.00020000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp |
Binary or memory string: Program Manager1064_03 |
Source: ieinstal.exe, 0000000F.00000002.5680749572.0000000003560000.00000002.00020000.sdmp |
Binary or memory string: Progman |
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp |
Binary or memory string: Program ManagerModules.` |
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp |
Binary or memory string: Program ManagerEM |
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp |
Binary or memory string: Program ManagernsoleS5` |
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp |
Binary or memory string: Program Manageroca |
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp |
Binary or memory string: Program Manager\Users\<` |
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp |
Binary or memory string: Program Managers.net:61118 |
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp |
Binary or memory string: Program Managerpc |
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp |
Binary or memory string: Program Managers.net:6111U |
Source: ieinstal.exe, 0000000F.00000002.5680749572.0000000003560000.00000002.00020000.sdmp |
Binary or memory string: Progmanlock |
Source: ieinstal.exe, 0000000F.00000002.5676396416.0000000002F9D000.00000004.00000020.sdmp |
Binary or memory string: Program Managers.net: |
Source: ieinstal.exe, 0000000F.00000002.5674818296.0000000002F58000.00000004.00000020.sdmp, logs.dat.15.dr |
Binary or memory string: [Program Manager] |
Source: Yara match |
File source: 0000000F.00000002.5679272163.000000000302B000.00000004.00000020.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: ieinstal.exe PID: 5020, type: MEMORYSTR |