Source: 00000002.00000002.410581088153.0000000002510000.00000040.00000001.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "https://bgreenidaho.com/Crur/bin_TLiGMZYC180.bin"} |
Source: CI_PL_BL_ 4100675407_xls.exe |
ReversingLabs: Detection: 35% |
Source: CI_PL_BL_ 4100675407_xls.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor |
URLs: https://bgreenidaho.com/Crur/bin_TLiGMZYC180.bin |
Source: Joe Sandbox View |
ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49864 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49842 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49842 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49862 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49860 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49880 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49873 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49871 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49877 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49860 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49868 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49879 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49877 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49866 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49864 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49873 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49862 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49871 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49870 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49870 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49879 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49880 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49868 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49867 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49867 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49866 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000009.00000003.412331704432.000000000083C000.00000004.00000001.sdmp |
String found in binary or memory: https://bgreenidaho.com/ |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000009.00000002.415190843867.0000000000871000.00000004.00000001.sdmp |
String found in binary or memory: https://bgreenidaho.com/- |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000009.00000003.412999941834.0000000000852000.00000004.00000001.sdmp, CI_PL_BL_ 4100675407_xls.exe, 00000009.00000002.415190634335.0000000000853000.00000004.00000001.sdmp |
String found in binary or memory: https://bgreenidaho.com/1e03818b-e8b8-45f4-bd74-707e0f15a35d |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000009.00000003.412331704432.000000000083C000.00000004.00000001.sdmp |
String found in binary or memory: https://bgreenidaho.com/3 |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000009.00000002.415190634335.0000000000853000.00000004.00000001.sdmp |
String found in binary or memory: https://bgreenidaho.com/8-45f4-bd74-707e0f15a35d0 |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000009.00000003.414337489537.000000000083C000.00000004.00000001.sdmp, CI_PL_BL_ 4100675407_xls.exe, 00000009.00000003.413334480795.000000000083C000.00000004.00000001.sdmp, CI_PL_BL_ 4100675407_xls.exe, 00000009.00000002.415190502650.000000000083C000.00000004.00000020.sdmp |
String found in binary or memory: https://bgreenidaho.com/Crur/bin_TLiGMZY6 |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000009.00000003.412331704432.000000000083C000.00000004.00000001.sdmp |
String found in binary or memory: https://bgreenidaho.com/Crur/bin_TLiGMZYC180.bin |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000009.00000003.412999941834.0000000000852000.00000004.00000001.sdmp, CI_PL_BL_ 4100675407_xls.exe, 00000009.00000003.411329776637.0000000000853000.00000004.00000001.sdmp |
String found in binary or memory: https://bgreenidaho.com/Crur/bin_TLiGMZYC180.bin# |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000009.00000002.415190502650.000000000083C000.00000004.00000020.sdmp |
String found in binary or memory: https://bgreenidaho.com/Crur/bin_TLiGMZYC180.binF |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000009.00000003.412999941834.0000000000852000.00000004.00000001.sdmp, CI_PL_BL_ 4100675407_xls.exe, 00000009.00000002.415190634335.0000000000853000.00000004.00000001.sdmp, CI_PL_BL_ 4100675407_xls.exe, 00000009.00000003.411329776637.0000000000853000.00000004.00000001.sdmp, CI_PL_BL_ 4100675407_xls.exe, 00000009.00000003.412331704432.000000000083C000.00000004.00000001.sdmp |
String found in binary or memory: https://bgreenidaho.com/Crur/bin_TLiGMZYC180.binJ |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000009.00000002.415190634335.0000000000853000.00000004.00000001.sdmp |
String found in binary or memory: https://bgreenidaho.com/Crur/bin_TLiGMZYC180.binLMEMH |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000009.00000002.415190634335.0000000000853000.00000004.00000001.sdmp |
String found in binary or memory: https://bgreenidaho.com/Crur/bin_TLiGMZYC180.bindvmbusRFCOMM |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000009.00000003.414337489537.000000000083C000.00000004.00000001.sdmp, CI_PL_BL_ 4100675407_xls.exe, 00000009.00000002.415190502650.000000000083C000.00000004.00000020.sdmp |
String found in binary or memory: https://bgreenidaho.com/Crur/bin_TLiGMZYC180.binn |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000009.00000003.412999941834.0000000000852000.00000004.00000001.sdmp, CI_PL_BL_ 4100675407_xls.exe, 00000009.00000003.412331704432.000000000083C000.00000004.00000001.sdmp |
String found in binary or memory: https://bgreenidaho.com/Crur/bin_TLiGMZYC180.bins |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000009.00000003.412331704432.000000000083C000.00000004.00000001.sdmp |
String found in binary or memory: https://bgreenidaho.com/Crur/bin_TLiGMZYC180.binws |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000009.00000002.415190843867.0000000000871000.00000004.00000001.sdmp |
String found in binary or memory: https://bgreenidaho.com/Hostbgre |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000009.00000002.415190634335.0000000000853000.00000004.00000001.sdmp |
String found in binary or memory: https://bgreenidaho.com/N |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000009.00000003.412999941834.0000000000852000.00000004.00000001.sdmp, CI_PL_BL_ 4100675407_xls.exe, 00000009.00000002.415190634335.0000000000853000.00000004.00000001.sdmp, CI_PL_BL_ 4100675407_xls.exe, 00000009.00000003.412331704432.000000000083C000.00000004.00000001.sdmp |
String found in binary or memory: https://bgreenidaho.com/R |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000009.00000003.411664281397.0000000000889000.00000004.00000001.sdmp |
String found in binary or memory: https://bgreenidaho.com/g |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000009.00000003.413334480795.000000000083C000.00000004.00000001.sdmp |
String found in binary or memory: https://bgreenidaho.com/n |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000009.00000002.415190634335.0000000000853000.00000004.00000001.sdmp |
String found in binary or memory: https://bgreenidaho.com/nidaho.com/: |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000009.00000003.414337489537.000000000083C000.00000004.00000001.sdmp, CI_PL_BL_ 4100675407_xls.exe, 00000009.00000003.413334480795.000000000083C000.00000004.00000001.sdmp, CI_PL_BL_ 4100675407_xls.exe, 00000009.00000002.415190502650.000000000083C000.00000004.00000020.sdmp |
String found in binary or memory: https://bgreenidaho.com/ocal |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000009.00000003.412999941834.0000000000852000.00000004.00000001.sdmp |
String found in binary or memory: https://bgreenidaho.com/v |
Source: unknown |
DNS traffic detected: queries for: bgreenidaho.com |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000002.00000002.410579088809.0000000000423000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameTornf2.exe vs CI_PL_BL_ 4100675407_xls.exe |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000009.00000000.410573892705.0000000000423000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameTornf2.exe vs CI_PL_BL_ 4100675407_xls.exe |
Source: CI_PL_BL_ 4100675407_xls.exe |
Binary or memory string: OriginalFilenameTornf2.exe vs CI_PL_BL_ 4100675407_xls.exe |
Source: CI_PL_BL_ 4100675407_xls.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Section loaded: edgegdi.dll |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_025230D5 |
2_2_025230D5 |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_02522949 |
2_2_02522949 |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_0251C722 |
2_2_0251C722 |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_0251CBBB |
2_2_0251CBBB |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_02521E5B |
2_2_02521E5B |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_0252186B |
2_2_0252186B |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_02523EFB |
2_2_02523EFB |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_025214FD |
2_2_025214FD |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_0251A749 |
2_2_0251A749 |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_0251CF70 |
2_2_0251CF70 |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_02510500 |
2_2_02510500 |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_0251FF33 |
2_2_0251FF33 |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_02520BDF |
2_2_02520BDF |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_025213B9 |
2_2_025213B9 |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_02522949 NtWriteVirtualMemory,LoadLibraryA,NtProtectVirtualMemory, |
2_2_02522949 |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_0251C722 NtWriteVirtualMemory,CreateFileA,LoadLibraryA, |
2_2_0251C722 |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_0251CBBB NtWriteVirtualMemory,NtAllocateVirtualMemory,LoadLibraryA, |
2_2_0251CBBB |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_02523EFB NtWriteVirtualMemory, |
2_2_02523EFB |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_025214FD NtWriteVirtualMemory, |
2_2_025214FD |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_02510500 NtWriteVirtualMemory, |
2_2_02510500 |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_02520BDF NtWriteVirtualMemory,LoadLibraryA, |
2_2_02520BDF |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Process Stats: CPU usage > 98% |
Source: CI_PL_BL_ 4100675407_xls.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown |
Process created: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe "C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe" |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Process created: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe "C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe" |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
File created: C:\Users\user\AppData\Local\Temp\~DF3A963BF3568977ED.TMP |
Source: classification engine |
Classification label: mal88.troj.evad.winEXE@3/1@1/1 |
Source: Yara match |
File source: 00000002.00000002.410581088153.0000000002510000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000009.00000000.410577418495.0000000000560000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_004074C8 push 713BC6CEh; iretd |
2_2_004074D6 |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_00406CDB push esi; ret |
2_2_00406CDC |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_004095C1 push 74E4E9CEh; iretd |
2_2_004095C6 |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_00407DA1 push E5AD70CEh; retf |
2_2_00407DA6 |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_0040966A pushad ; iretd |
2_2_0040979D |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_00405E18 push eax; retf |
2_2_00405E19 |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_00407A19 push ADDCA7CEh; iretd |
2_2_00407A1E |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_0040968D pushad ; iretd |
2_2_0040979D |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_02514E4E push es; iretd |
2_2_02514E4F |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_0251282C push FFFFFFABh; ret |
2_2_02512879 |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_025154AB push cs; iretd |
2_2_025154F8 |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_02516B55 push eax; iretd |
2_2_02516B9C |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_02516B58 push eax; iretd |
2_2_02516B9C |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_025127C7 push FFFFFFABh; ret |
2_2_02512879 |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_02515396 push edi; ret |
2_2_02515397 |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 9_2_00565431 push edx; iretd |
9_2_0056543E |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 9_2_00560B05 push ebp; ret |
9_2_00560B06 |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
File opened: C:\Program Files\qga\qga.exe |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000009.00000002.415192208833.0000000002400000.00000004.00000001.sdmp |
Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=HTTPS://BGREENIDAHO.COM/CRUR/BIN_TLIGMZYC180.BIN |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000002.00000002.410579874074.00000000006B4000.00000004.00000020.sdmp |
Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE(LK |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000002.00000002.410579874074.00000000006B4000.00000004.00000020.sdmp |
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXETW |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000002.00000002.410581253187.0000000002530000.00000004.00000001.sdmp, CI_PL_BL_ 4100675407_xls.exe, 00000009.00000002.415192208833.0000000002400000.00000004.00000001.sdmp |
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000002.00000002.410581253187.0000000002530000.00000004.00000001.sdmp |
Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Last function: Thread delayed |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000002.00000002.410582792755.0000000003359000.00000004.00000001.sdmp, CI_PL_BL_ 4100675407_xls.exe, 00000009.00000002.415192346753.0000000002589000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Guest Shutdown Service |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000002.00000002.410581253187.0000000002530000.00000004.00000001.sdmp |
Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\syswow64\msvbvm60.dll |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000002.00000002.410582792755.0000000003359000.00000004.00000001.sdmp, CI_PL_BL_ 4100675407_xls.exe, 00000009.00000002.415192346753.0000000002589000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Remote Desktop Virtualization Service |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000002.00000002.410579874074.00000000006B4000.00000004.00000020.sdmp |
Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe(Lk |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000009.00000002.415192346753.0000000002589000.00000004.00000001.sdmp |
Binary or memory string: vmicshutdown |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000002.00000002.410582792755.0000000003359000.00000004.00000001.sdmp, CI_PL_BL_ 4100675407_xls.exe, 00000009.00000002.415192346753.0000000002589000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Volume Shadow Copy Requestor |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000002.00000002.410582792755.0000000003359000.00000004.00000001.sdmp, CI_PL_BL_ 4100675407_xls.exe, 00000009.00000002.415192346753.0000000002589000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V PowerShell Direct Service |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000002.00000002.410582792755.0000000003359000.00000004.00000001.sdmp, CI_PL_BL_ 4100675407_xls.exe, 00000009.00000002.415192346753.0000000002589000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Time Synchronization Service |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000009.00000002.415192346753.0000000002589000.00000004.00000001.sdmp |
Binary or memory string: vmicvss |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000002.00000002.410579874074.00000000006B4000.00000004.00000020.sdmp |
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exeTw |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000009.00000003.412999941834.0000000000852000.00000004.00000001.sdmp, CI_PL_BL_ 4100675407_xls.exe, 00000009.00000003.411664281397.0000000000889000.00000004.00000001.sdmp, CI_PL_BL_ 4100675407_xls.exe, 00000009.00000003.411330415050.0000000000889000.00000004.00000001.sdmp, CI_PL_BL_ 4100675407_xls.exe, 00000009.00000002.415191031458.0000000000889000.00000004.00000001.sdmp, CI_PL_BL_ 4100675407_xls.exe, 00000009.00000002.415190634335.0000000000853000.00000004.00000001.sdmp, CI_PL_BL_ 4100675407_xls.exe, 00000009.00000003.411329776637.0000000000853000.00000004.00000001.sdmp, CI_PL_BL_ 4100675407_xls.exe, 00000009.00000003.412331704432.000000000083C000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V RAW |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000009.00000003.411664281397.0000000000889000.00000004.00000001.sdmp, CI_PL_BL_ 4100675407_xls.exe, 00000009.00000003.411330415050.0000000000889000.00000004.00000001.sdmp, CI_PL_BL_ 4100675407_xls.exe, 00000009.00000002.415191031458.0000000000889000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V RAWfY3 |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000002.00000002.410581253187.0000000002530000.00000004.00000001.sdmp, CI_PL_BL_ 4100675407_xls.exe, 00000009.00000002.415192208833.0000000002400000.00000004.00000001.sdmp |
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000002.00000002.410582792755.0000000003359000.00000004.00000001.sdmp, CI_PL_BL_ 4100675407_xls.exe, 00000009.00000002.415192346753.0000000002589000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Data Exchange Service |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000009.00000002.415192208833.0000000002400000.00000004.00000001.sdmp |
Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=https://bgreenidaho.com/Crur/bin_TLiGMZYC180.bin |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000002.00000002.410582792755.0000000003359000.00000004.00000001.sdmp, CI_PL_BL_ 4100675407_xls.exe, 00000009.00000002.415192346753.0000000002589000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Heartbeat Service |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000002.00000002.410582792755.0000000003359000.00000004.00000001.sdmp, CI_PL_BL_ 4100675407_xls.exe, 00000009.00000002.415192346753.0000000002589000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Guest Service Interface |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000009.00000002.415192346753.0000000002589000.00000004.00000001.sdmp |
Binary or memory string: vmicheartbeat |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Thread information set: HideFromDebugger |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_0252186B mov eax, dword ptr fs:[00000030h] |
2_2_0252186B |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_0251F77C mov eax, dword ptr fs:[00000030h] |
2_2_0251F77C |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_025201AD mov eax, dword ptr fs:[00000030h] |
2_2_025201AD |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Process queried: DebugPort |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_0251CA0C LdrInitializeThunk, |
2_2_0251CA0C |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Code function: 2_2_025230D5 RtlAddVectoredExceptionHandler, |
2_2_025230D5 |
Source: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe |
Process created: C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe "C:\Users\user\Desktop\CI_PL_BL_ 4100675407_xls.exe" |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000009.00000002.415191786426.0000000000FF1000.00000002.00020000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000009.00000002.415191786426.0000000000FF1000.00000002.00020000.sdmp |
Binary or memory string: Progman |
Source: CI_PL_BL_ 4100675407_xls.exe, 00000009.00000002.415191786426.0000000000FF1000.00000002.00020000.sdmp |
Binary or memory string: Program ManagerM |
Source: Initial file |
Signature Results: GuLoader behavior |