Source: 00000005.00000000.95166069748.0000000003000000.00000040.00000001.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/downloa"} |
Source: 171121_PDF.exe |
Virustotal: Detection: 60% |
Source: 171121_PDF.exe |
Metadefender: Detection: 17% |
Source: 171121_PDF.exe |
ReversingLabs: Detection: 67% |
Source: Yara match |
File source: 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: ieinstal.exe PID: 7000, type: MEMORYSTR |
Source: C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe |
Avira: detection malicious, Label: TR/AD.Nekark.jinay |
Source: C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe |
Virustotal: Detection: 60% |
Source: C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe |
Metadefender: Detection: 17% |
Source: C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe |
ReversingLabs: Detection: 67% |
Source: C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe |
Joe Sandbox ML: detected |
Source: 2.0.171121_PDF.exe.400000.0.unpack |
Avira: Label: TR/AD.Nekark.jinay |
Source: 171121_PDF.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor |
URLs: https://onedrive.live.com/downloa |
Source: unknown |
DNS query: name: olufem.ddns.net |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: ieinstal.exe, 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp, ieinstal.exe, 00000005.00000003.95357909682.0000000003487000.00000004.00000001.sdmp |
String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06 |
Source: ieinstal.exe, 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp, ieinstal.exe, 00000005.00000003.95357909682.0000000003487000.00000004.00000001.sdmp |
String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: ieinstal.exe, 00000005.00000003.95357909682.0000000003487000.00000004.00000001.sdmp |
String found in binary or memory: https://d34m1w.bn.files.1drv.com/ |
Source: ieinstal.exe, 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp |
String found in binary or memory: https://d34m1w.bn.files.1drv.com/# |
Source: ieinstal.exe, 00000005.00000003.95357909682.0000000003487000.00000004.00000001.sdmp |
String found in binary or memory: https://d34m1w.bn.files.1drv.com/K |
Source: ieinstal.exe, 00000005.00000003.95357909682.0000000003487000.00000004.00000001.sdmp |
String found in binary or memory: https://d34m1w.bn.files.1drv.com/e |
Source: ieinstal.exe, 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp |
String found in binary or memory: https://d34m1w.bn.files.1drv.com/rer |
Source: ieinstal.exe, 00000005.00000003.95357909682.0000000003487000.00000004.00000001.sdmp |
String found in binary or memory: https://d34m1w.bn.files.1drv.com/y# |
Source: ieinstal.exe, 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp, ieinstal.exe, 00000005.00000002.100061742275.0000000003475000.00000004.00000020.sdmp |
String found in binary or memory: https://d34m1w.bn.files.1drv.com/y4m7fxSf_SYygxFCqOTyBtDpLqPOYB60ldIfMGh_-vtFefb5neuOGhwPPxWnqgy8Dxz |
Source: ieinstal.exe, 00000005.00000003.95357909682.0000000003487000.00000004.00000001.sdmp |
String found in binary or memory: https://d34m1w.bn.files.1drv.com/y4mlvrZnpVzkFAu500fuzSWuME5RflAMbugHHfl4crVqcejz3wapD4Rm6d4a3n06QKS |
Source: ieinstal.exe, 00000005.00000002.100061248342.0000000003407000.00000004.00000020.sdmp |
String found in binary or memory: https://onedrive.live.com/ |
Source: ieinstal.exe, 00000005.00000002.100061248342.0000000003407000.00000004.00000020.sdmp |
String found in binary or memory: https://onedrive.live.com/c |
Source: ieinstal.exe, 00000005.00000002.100061542449.000000000344D000.00000004.00000020.sdmp |
String found in binary or memory: https://onedrive.live.com/download?cid=176929A81F7E1249&resid=176929A81F7E1249%211217&authkey=ABMgMS |
Source: unknown |
DNS traffic detected: queries for: onedrive.live.com |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Windows user hook set: 0 keyboard low level C:\Program Files (x86)\internet explorer\ieinstal.exe |
Source: Yara match |
File source: 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: ieinstal.exe PID: 7000, type: MEMORYSTR |
Source: initial sample |
Static PE information: Filename: 171121_PDF.exe |
Source: 171121_PDF.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Code function: 2_2_0236F695 NtProtectVirtualMemory, |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Code function: 2_2_0236CFC2 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Code function: 2_2_0236D210 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Code function: 2_2_0236D295 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Code function: 2_2_0236D2E0 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Code function: 2_2_0236D311 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Code function: 2_2_0236D046 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Code function: 2_2_0236D0E6 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Code function: 2_2_0236D0D1 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Code function: 2_2_0236D13C NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Code function: 2_2_02368A05 NtWriteVirtualMemory, |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Code function: 2_2_0236CFED NtAllocateVirtualMemory, |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Code function: 5_2_03010951 Sleep,NtProtectVirtualMemory, |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Code function: 5_2_03010A64 NtProtectVirtualMemory, |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Code function: 5_2_03010A5D NtProtectVirtualMemory, |
Source: 171121_PDF.exe, 00000002.00000000.95004111933.0000000000419000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameBrugstyveriscortic.exe vs 171121_PDF.exe |
Source: 171121_PDF.exe |
Binary or memory string: OriginalFilenameBrugstyveriscortic.exe vs 171121_PDF.exe |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Section loaded: edgegdi.dll |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Section loaded: edgegdi.dll |
Source: 171121_PDF.exe |
Static PE information: invalid certificate |
Source: 171121_PDF.exe |
Virustotal: Detection: 60% |
Source: 171121_PDF.exe |
Metadefender: Detection: 17% |
Source: 171121_PDF.exe |
ReversingLabs: Detection: 67% |
Source: 171121_PDF.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown |
Process created: C:\Users\user\Desktop\171121_PDF.exe "C:\Users\user\Desktop\171121_PDF.exe" |
|
Source: C:\Users\user\Desktop\171121_PDF.exe |
Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\171121_PDF.exe" |
|
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
File created: C:\Users\user\AppData\Roaming\wifitskl |
Source: C:\Users\user\Desktop\171121_PDF.exe |
File created: C:\Users\user\AppData\Local\Temp\~DFFFD65EAE6BEE96C9.TMP |
Source: classification engine |
Classification label: mal100.troj.spyw.evad.winEXE@5/3@10/1 |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Mutant created: \Sessions\1\BaseNamedObjects\audiotsk-RA5QGA |
Source: Yara match |
File source: 00000005.00000000.95166069748.0000000003000000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Code function: 2_2_00405241 pushfd ; retf |
2_2_00405242 |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Code function: 2_2_00405A57 push 0000004Bh; retf |
2_2_00405A7B |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Code function: 2_2_00408858 push 00000018h; ret |
2_2_0040885A |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Code function: 2_2_0040A864 push esi; iretd |
2_2_0040A865 |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Code function: 2_2_00405A7F push ebx; ret |
2_2_00405B0D |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Code function: 2_2_00406A27 push es; iretd |
2_2_00406A35 |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Code function: 2_2_00405AD4 push ebx; ret |
2_2_00405B0D |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Code function: 2_2_00405CFE push 18FEA023h; retf |
2_2_00405D16 |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Code function: 2_2_004086A1 push edx; iretd |
2_2_004086AE |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Code function: 2_2_0236816B push ss; iretd |
2_2_023681C4 |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Code function: 2_2_023681D4 push ss; iretd |
2_2_023681C4 |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Code function: 2_2_0236564B push ebp; iretd |
2_2_0236564C |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Code function: 2_2_0236A7C6 push ecx; ret |
2_2_0236A7DA |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Code function: 2_2_02361834 push es; retf |
2_2_0236183A |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Code function: 2_2_02362EF5 push ebp; iretd |
2_2_02362F47 |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Code function: 2_2_02360F16 push edx; ret |
2_2_02360F31 |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Code function: 2_2_02362F48 pushad ; iretd |
2_2_02362F57 |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
File created: C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Skuffejernenesco2 |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\171121_PDF.exe |
File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\171121_PDF.exe |
File opened: C:\Program Files\qga\qga.exe |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
File opened: C:\Program Files\qga\qga.exe |
Source: 171121_PDF.exe, 00000002.00000002.95423993948.00000000039B0000.00000004.00000001.sdmp |
Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WIN64; X64) APPLEWEBKIT/537.36 (KHTML, LIKE GECKO) CHROME/91.0.4472.124 SAFARI/537.36SHELL32ADVAPI32TEMP=PROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLLPROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLL |
Source: 171121_PDF.exe, 00000002.00000002.95421592094.00000000005B4000.00000004.00000020.sdmp, 171121_PDF.exe, 00000002.00000002.95423993948.00000000039B0000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100061142965.0000000003360000.00000004.00000001.sdmp |
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
Source: 171121_PDF.exe, 00000002.00000002.95421500993.000000000059D000.00000004.00000020.sdmp |
Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
Source: ieinstal.exe, 00000005.00000002.100061142965.0000000003360000.00000004.00000001.sdmp |
Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WIN64; X64) APPLEWEBKIT/537.36 (KHTML, LIKE GECKO) CHROME/91.0.4472.124 SAFARI/537.36SHELL32ADVAPI32TEMP=\VAGABO.EXE\CUSCONINESOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSKUFFEJERNENESCO2HTTPS://ONEDRIVE.LIVE.COM/DOWNLOAD?CID=176929A81F7E1249&RESID=176929A81F7E1249%211217&AUTHKEY=ABMGMSTXNC_3PVK |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 996 |
Thread sleep count: 9108 > 30 |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 996 |
Thread sleep time: -45540s >= -30000s |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Thread sleep count: Count: 9108 delay: -5 |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Window / User API: threadDelayed 9108 |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Window / User API: foregroundWindowGot 673 |
Source: 171121_PDF.exe, 00000002.00000002.95424075371.0000000003A79000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Guest Shutdown Service |
Source: 171121_PDF.exe, 00000002.00000002.95424075371.0000000003A79000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Remote Desktop Virtualization Service |
Source: ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp |
Binary or memory string: vmicshutdown |
Source: 171121_PDF.exe, 00000002.00000002.95424075371.0000000003A79000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Volume Shadow Copy Requestor |
Source: ieinstal.exe, 00000005.00000002.100061142965.0000000003360000.00000004.00000001.sdmp |
Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36shell32advapi32TEMP=\vagabo.exe\CUSCONINESoftware\Microsoft\Windows\CurrentVersion\RunSkuffejernenesco2https://onedrive.live.com/download?cid=176929A81F7E1249&resid=176929A81F7E1249%211217&authkey=ABMgMSTxNC_3pVk |
Source: 171121_PDF.exe, 00000002.00000002.95424075371.0000000003A79000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V PowerShell Direct Service |
Source: 171121_PDF.exe, 00000002.00000002.95424075371.0000000003A79000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Time Synchronization Service |
Source: ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp |
Binary or memory string: vmicvss |
Source: ieinstal.exe, 00000005.00000002.100061775312.000000000347A000.00000004.00000020.sdmp |
Binary or memory string: Hyper-V RAW |
Source: ieinstal.exe, 00000005.00000002.100061248342.0000000003407000.00000004.00000020.sdmp |
Binary or memory string: Hyper-V RAW( |
Source: 171121_PDF.exe, 00000002.00000002.95421592094.00000000005B4000.00000004.00000020.sdmp, 171121_PDF.exe, 00000002.00000002.95423993948.00000000039B0000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100061142965.0000000003360000.00000004.00000001.sdmp |
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: 171121_PDF.exe, 00000002.00000002.95424075371.0000000003A79000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Data Exchange Service |
Source: 171121_PDF.exe, 00000002.00000002.95424075371.0000000003A79000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Heartbeat Service |
Source: 171121_PDF.exe, 00000002.00000002.95421500993.000000000059D000.00000004.00000020.sdmp |
Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: 171121_PDF.exe, 00000002.00000002.95424075371.0000000003A79000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Guest Service Interface |
Source: 171121_PDF.exe, 00000002.00000002.95423993948.00000000039B0000.00000004.00000001.sdmp |
Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36shell32advapi32TEMP=ProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dllProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dll |
Source: ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp |
Binary or memory string: vmicheartbeat |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Thread information set: HideFromDebugger |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Thread information set: HideFromDebugger |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Code function: 2_2_023696BF mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Code function: 2_2_0236E59E mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Code function: 2_2_0236C982 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Code function: 2_2_0236BEA2 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Process queried: DebugPort |
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe |
Process queried: DebugPort |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Code function: 2_2_0236AB06 LdrInitializeThunk, |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Code function: 2_2_0236FB8E RtlAddVectoredExceptionHandler, |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 3000000 |
Source: C:\Users\user\Desktop\171121_PDF.exe |
Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\171121_PDF.exe" |
Source: ieinstal.exe, 00000005.00000002.100061641127.0000000003461000.00000004.00000020.sdmp |
Binary or memory string: Program Managers.net:6110 |
Source: ieinstal.exe, 00000005.00000002.100062544413.0000000003A11000.00000002.00020000.sdmp |
Binary or memory string: Program Manager |
Source: ieinstal.exe, 00000005.00000002.100062544413.0000000003A11000.00000002.00020000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: ieinstal.exe, 00000005.00000002.100061641127.0000000003461000.00000004.00000020.sdmp |
Binary or memory string: Program Manager:\Users |
Source: ieinstal.exe, 00000005.00000002.100062544413.0000000003A11000.00000002.00020000.sdmp |
Binary or memory string: Progman |
Source: ieinstal.exe, 00000005.00000002.100061641127.0000000003461000.00000004.00000020.sdmp |
Binary or memory string: Program ManagerEM |
Source: ieinstal.exe, 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp, ieinstal.exe, 00000005.00000002.100061248342.0000000003407000.00000004.00000020.sdmp, logs.dat.5.dr |
Binary or memory string: [ Program Manager ] |
Source: ieinstal.exe, 00000005.00000002.100061641127.0000000003461000.00000004.00000020.sdmp |
Binary or memory string: Program Managers.net: |
Source: ieinstal.exe, 00000005.00000002.100061641127.0000000003461000.00000004.00000020.sdmp |
Binary or memory string: Program Managers.net:6110? |
Source: ieinstal.exe, 00000005.00000002.100061641127.0000000003461000.00000004.00000020.sdmp |
Binary or memory string: Program ManagerEM d |
Source: ieinstal.exe, 00000005.00000002.100061641127.0000000003461000.00000004.00000020.sdmp |
Binary or memory string: Program ManagerEM D |
Source: Yara match |
File source: 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: ieinstal.exe PID: 7000, type: MEMORYSTR |