
Windows Analysis Report
171121_PDF.exe

Overview

General Information

Sample Name: 171121_PDF.exe
Analysis ID: 558240
MD5: 60d8b8589ba8045361ae148ee76c7582
SHA1: 328a778d026ad6611bb295bf3a799b6499fc7c7c
SHA256: 8f34d0008f07a4460c9ebc5a8d8a558a85979bd0112962eddf9506dc5b627989

Detection

GuLoader, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Hides threads from debuggers
Installs a global keyboard hook
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses dynamic DNS services
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Sleep loop found (likely to delay execution)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64native
  • 171121_PDF.exe (PID: 4656 cmdline: "C:\Users\user\Desktop\171121_PDF.exe" MD5: 60D8B8589BA8045361AE148EE76C7582)
    • ieinstal.exe (PID: 6972 cmdline: "C:\Users\user\Desktop\171121_PDF.exe" MD5: 7871873BABCEA94FBA13900B561C7C55)
    • ieinstal.exe (PID: 7000 cmdline: "C:\Users\user\Desktop\171121_PDF.exe" MD5: 7871873BABCEA94FBA13900B561C7C55)
  • cleanup
{"Payload URL": "https://onedrive.live.com/downloa"}
Yara Overview

Source | Rule | Description | Author
00000005.00000000.95166069748.0000000003000000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
Process Memory Space: ieinstal.exe PID: 7000 | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

No Sigma rule has matched

AV Detection

Source: 00000005.00000000.95166069748.0000000003000000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/downloa"}
Source: 171121_PDF.exe | Virustotal: Detection: 60%
Source: 171121_PDF.exe | Metadefender: Detection: 17%
Source: 171121_PDF.exe | ReversingLabs: Detection: 67%
Source: Yara match | File source: 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ieinstal.exe PID: 7000, type: MEMORYSTR
Source: 171121_PDF.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe | Avira: detection malicious, Label: TR/AD.Nekark.jinay
Source: C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe | Virustotal: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe | Metadefender: Detection: 17%
Source: C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe | ReversingLabs: Detection: 67%
Source: 171121_PDF.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe | Joe Sandbox ML: detected
Source: 2.0.171121_PDF.exe.400000.0.unpack | Avira: Label: TR/AD.Nekark.jinay
Source: 171121_PDF.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking

Source: Malware configuration extractor | URLs: https://onedrive.live.com/downloa
Source: unknown | DNS query: name: olufem.ddns.net
Source: Joe Sandbox View | ASN Name: M247GB M247GB
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: ieinstal.exe, 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp, ieinstal.exe, 00000005.00000003.95357909682.0000000003487000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: ieinstal.exe, 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp, ieinstal.exe, 00000005.00000003.95357909682.0000000003487000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ieinstal.exe, 00000005.00000003.95357909682.0000000003487000.00000004.00000001.sdmp | String found in binary or memory: https://d34m1w.bn.files.1drv.com/
Source: ieinstal.exe, 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp | String found in binary or memory: https://d34m1w.bn.files.1drv.com/#
Source: ieinstal.exe, 00000005.00000003.95357909682.0000000003487000.00000004.00000001.sdmp | String found in binary or memory: https://d34m1w.bn.files.1drv.com/K
Source: ieinstal.exe, 00000005.00000003.95357909682.0000000003487000.00000004.00000001.sdmp | String found in binary or memory: https://d34m1w.bn.files.1drv.com/e
Source: ieinstal.exe, 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp | String found in binary or memory: https://d34m1w.bn.files.1drv.com/rer
Source: ieinstal.exe, 00000005.00000003.95357909682.0000000003487000.00000004.00000001.sdmp | String found in binary or memory: https://d34m1w.bn.files.1drv.com/y#
Source: ieinstal.exe, 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp, ieinstal.exe, 00000005.00000002.100061742275.0000000003475000.00000004.00000020.sdmp | String found in binary or memory: https://d34m1w.bn.files.1drv.com/y4m7fxSf_SYygxFCqOTyBtDpLqPOYB60ldIfMGh_-vtFefb5neuOGhwPPxWnqgy8Dxz
Source: ieinstal.exe, 00000005.00000003.95357909682.0000000003487000.00000004.00000001.sdmp | String found in binary or memory: https://d34m1w.bn.files.1drv.com/y4mlvrZnpVzkFAu500fuzSWuME5RflAMbugHHfl4crVqcejz3wapD4Rm6d4a3n06QKS
Source: ieinstal.exe, 00000005.00000002.100061248342.0000000003407000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/
Source: ieinstal.exe, 00000005.00000002.100061248342.0000000003407000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/c
Source: ieinstal.exe, 00000005.00000002.100061542449.000000000344D000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=176929A81F7E1249&resid=176929A81F7E1249%211217&authkey=ABMgMS
Source: unknown | DNS traffic detected: queries for: onedrive.live.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Windows user hook set: 0 keyboard low level C:\Program Files (x86)\internet explorer\ieinstal.exe

E-Banking Fraud

Source: Yara match | File source: 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ieinstal.exe PID: 7000, type: MEMORYSTR

System Summary

Source: initial sample | Static PE information: Filename: 171121_PDF.exe
Source: 171121_PDF.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 2_2_0236F695 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 2_2_0236CFC2 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 2_2_0236D210 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 2_2_0236D295 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 2_2_0236D2E0 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 2_2_0236D311 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 2_2_0236D046 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 2_2_0236D0E6 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 2_2_0236D0D1 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 2_2_0236D13C NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 2_2_02368A05 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 2_2_0236CFED NtAllocateVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 5_2_03010951 Sleep,NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 5_2_03010A64 NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 5_2_03010A5D NtProtectVirtualMemory,
Source: 171121_PDF.exe, 00000002.00000000.95004111933.0000000000419000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameBrugstyveriscortic.exe vs 171121_PDF.exe
Source: 171121_PDF.exe | Binary or memory string: OriginalFilenameBrugstyveriscortic.exe vs 171121_PDF.exe
Source: C:\Users\user\Desktop\171121_PDF.exe | Section loaded: edgegdi.dll
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Section loaded: edgegdi.dll
Source: 171121_PDF.exe | Static PE information: invalid certificate
Source: 171121_PDF.exe | Virustotal: Detection: 60%
Source: 171121_PDF.exe | Metadefender: Detection: 17%
Source: 171121_PDF.exe | ReversingLabs: Detection: 67%
Source: 171121_PDF.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\171121_PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\171121_PDF.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown | Process created: C:\Users\user\Desktop\171121_PDF.exe "C:\Users\user\Desktop\171121_PDF.exe"
Source: C:\Users\user\Desktop\171121_PDF.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\171121_PDF.exe"
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File created: C:\Users\user\AppData\Roaming\wifitskl
Source: C:\Users\user\Desktop\171121_PDF.exe | File created: C:\Users\user\AppData\Local\Temp\~DFFFD65EAE6BEE96C9.TMP
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5/3@10/1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Mutant created: \Sessions\1\BaseNamedObjects\audiotsk-RA5QGA

Data Obfuscation

Source: Yara match | File source: 00000005.00000000.95166069748.0000000003000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 2_2_00405241 pushfd ; retf
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 2_2_00405A57 push 0000004Bh; retf
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 2_2_00408858 push 00000018h; ret
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 2_2_0040A864 push esi; iretd
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 2_2_00405A7F push ebx; ret
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 2_2_00406A27 push es; iretd
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 2_2_00405AD4 push ebx; ret
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 2_2_00405CFE push 18FEA023h; retf
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 2_2_004086A1 push edx; iretd
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 2_2_0236816B push ss; iretd
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 2_2_023681D4 push ss; iretd
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 2_2_0236564B push ebp; iretd
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 2_2_0236A7C6 push ecx; ret
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 2_2_02361834 push es; retf
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 2_2_02362EF5 push ebp; iretd
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 2_2_02360F16 push edx; ret
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 2_2_02362F48 pushad ; iretd
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File created: C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Skuffejernenesco2
Source: C:\Users\user\Desktop\171121_PDF.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\171121_PDF.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\171121_PDF.exe | File opened: C:\Program Files\qga\qga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | File opened: C:\Program Files\qga\qga.exe
Source: 171121_PDF.exe, 00000002.00000002.95423993948.00000000039B0000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WIN64; X64) APPLEWEBKIT/537.36 (KHTML, LIKE GECKO) CHROME/91.0.4472.124 SAFARI/537.36SHELL32ADVAPI32TEMP=PROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLLPROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLL
Source: 171121_PDF.exe, 00000002.00000002.95421592094.00000000005B4000.00000004.00000020.sdmp, 171121_PDF.exe, 00000002.00000002.95423993948.00000000039B0000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100061142965.0000000003360000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: 171121_PDF.exe, 00000002.00000002.95421500993.000000000059D000.00000004.00000020.sdmp | Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: ieinstal.exe, 00000005.00000002.100061142965.0000000003360000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WIN64; X64) APPLEWEBKIT/537.36 (KHTML, LIKE GECKO) CHROME/91.0.4472.124 SAFARI/537.36SHELL32ADVAPI32TEMP=\VAGABO.EXE\CUSCONINESOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSKUFFEJERNENESCO2HTTPS://ONEDRIVE.LIVE.COM/DOWNLOAD?CID=176929A81F7E1249&RESID=176929A81F7E1249%211217&AUTHKEY=ABMGMSTXNC_3PVK
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 996 | Thread sleep count: 9108 > 30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 996 | Thread sleep time: -45540s >= -30000s
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Thread sleep count: Count: 9108 delay: -5
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 2_2_023640AA rdtsc
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Window / User API: threadDelayed 9108
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Window / User API: foregroundWindowGot 673
Source: C:\Users\user\Desktop\171121_PDF.exe | System information queried: ModuleInformation
Source: 171121_PDF.exe, 00000002.00000002.95424075371.0000000003A79000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service
Source: 171121_PDF.exe, 00000002.00000002.95424075371.0000000003A79000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp | Binary or memory string: vmicshutdown
Source: 171121_PDF.exe, 00000002.00000002.95424075371.0000000003A79000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: ieinstal.exe, 00000005.00000002.100061142965.0000000003360000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36shell32advapi32TEMP=\vagabo.exe\CUSCONINESoftware\Microsoft\Windows\CurrentVersion\RunSkuffejernenesco2https://onedrive.live.com/download?cid=176929A81F7E1249&resid=176929A81F7E1249%211217&authkey=ABMgMSTxNC_3pVk
Source: 171121_PDF.exe, 00000002.00000002.95424075371.0000000003A79000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service
Source: 171121_PDF.exe, 00000002.00000002.95424075371.0000000003A79000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Time Synchronization Service
Source: ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp | Binary or memory string: vmicvss
Source: ieinstal.exe, 00000005.00000002.100061775312.000000000347A000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
Source: ieinstal.exe, 00000005.00000002.100061248342.0000000003407000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW(
Source: 171121_PDF.exe, 00000002.00000002.95421592094.00000000005B4000.00000004.00000020.sdmp, 171121_PDF.exe, 00000002.00000002.95423993948.00000000039B0000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100061142965.0000000003360000.00000004.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: 171121_PDF.exe, 00000002.00000002.95424075371.0000000003A79000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Data Exchange Service
Source: 171121_PDF.exe, 00000002.00000002.95424075371.0000000003A79000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Heartbeat Service
Source: 171121_PDF.exe, 00000002.00000002.95421500993.000000000059D000.00000004.00000020.sdmp | Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
Source: 171121_PDF.exe, 00000002.00000002.95424075371.0000000003A79000.00000004.00000001.sdmp, ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Service Interface
Source: 171121_PDF.exe, 00000002.00000002.95423993948.00000000039B0000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36shell32advapi32TEMP=ProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dllProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dll
Source: ieinstal.exe, 00000005.00000002.100063059781.0000000004E69000.00000004.00000001.sdmp | Binary or memory string: vmicheartbeat

Anti Debugging

Source: C:\Users\user\Desktop\171121_PDF.exe | Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 2_2_023640AA rdtsc
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 2_2_023696BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 2_2_0236E59E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 2_2_0236C982 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 2_2_0236BEA2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\171121_PDF.exe | Process queried: DebugPort
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 2_2_0236AB06 LdrInitializeThunk,
Source: C:\Users\user\Desktop\171121_PDF.exe | Code function: 2_2_0236FB8E RtlAddVectoredExceptionHandler,

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\171121_PDF.exe | Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 3000000
Source: C:\Users\user\Desktop\171121_PDF.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Users\user\Desktop\171121_PDF.exe"
Source: ieinstal.exe, 00000005.00000002.100061641127.0000000003461000.00000004.00000020.sdmp | Binary or memory string: Program Managers.net:6110
Source: ieinstal.exe, 00000005.00000002.100062544413.0000000003A11000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: ieinstal.exe, 00000005.00000002.100062544413.0000000003A11000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: ieinstal.exe, 00000005.00000002.100061641127.0000000003461000.00000004.00000020.sdmp | Binary or memory string: Program Manager:\Users
Source: ieinstal.exe, 00000005.00000002.100062544413.0000000003A11000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: ieinstal.exe, 00000005.00000002.100061641127.0000000003461000.00000004.00000020.sdmp | Binary or memory string: Program ManagerEM
Source: ieinstal.exe, 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp, ieinstal.exe, 00000005.00000002.100061248342.0000000003407000.00000004.00000020.sdmp, logs.dat.5.dr | Binary or memory string: [ Program Manager ]
Source: ieinstal.exe, 00000005.00000002.100061641127.0000000003461000.00000004.00000020.sdmp | Binary or memory string: Program Managers.net:
Source: ieinstal.exe, 00000005.00000002.100061641127.0000000003461000.00000004.00000020.sdmp | Binary or memory string: Program Managers.net:6110?
Source: ieinstal.exe, 00000005.00000002.100061641127.0000000003461000.00000004.00000020.sdmp | Binary or memory string: Program ManagerEM d
Source: ieinstal.exe, 00000005.00000002.100061641127.0000000003461000.00000004.00000020.sdmp | Binary or memory string: Program ManagerEM D

Stealing of Sensitive Information

Source: Yara match | File source: 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ieinstal.exe PID: 7000, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ieinstal.exe PID: 7000, type: MEMORYSTR
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation | Registry Run Keys / Startup Folder (1) | Process Injection (112) | Masquerading (1) | Input Capture (11) | Security Software Discovery (421) | Remote Services | Input Capture (11) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | DLL Side-Loading (1) | Registry Run Keys / Startup Folder (1) | Virtualization/Sandbox Evasion (23) | LSASS Memory | Virtualization/Sandbox Evasion (23) | Remote Desktop Protocol | Archive Collected Data (1) | Exfiltration Over Bluetooth | Non-Application Layer Protocol (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | DLL Side-Loading (1) | Process Injection (112) | Security Account Manager | Process Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol (21) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information (1) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing (1) | LSA Secrets | System Information Discovery (2) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | DLL Side-Loading (1) | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet

| Source | Detection | Scanner | Label |
|---|---|---|---|
| 171121_PDF.exe | 60% | Virustotal | |
| 171121_PDF.exe | 17% | Metadefender | |
| 171121_PDF.exe | 68% | ReversingLabs | Win32.Trojan.Shelsy |
| 171121_PDF.exe | 100% | Avira | TR/AD.Nekark.jinay |
| 171121_PDF.exe | 100% | Joe Sandbox ML | |

| Source | Detection | Scanner | Label |
|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe | 100% | Avira | TR/AD.Nekark.jinay |
| C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe | 100% | Joe Sandbox ML | |
| C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe | 60% | Virustotal | |
| C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe | 17% | Metadefender | |
| C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe | 68% | ReversingLabs | Win32.Trojan.Shelsy |

| Source | Detection | Scanner | Label |
|---|---|---|---|
| 2.2.171121_PDF.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1107800 |
| 2.0.171121_PDF.exe.400000.0.unpack | 100% | Avira | TR/AD.Nekark.jinay |

| Source | Detection | Scanner | Label |
|---|---|---|---|
| olufem.ddns.net | 3% | Virustotal | |
          No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| olufem.ddns.net | 172.111.251.34 | true | true | | unknown |
| onedrive.live.com | unknown | unknown | false | | high |
| d34m1w.bn.files.1drv.com | unknown | unknown | false | | high |

| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| https://onedrive.live.com/downloa | false | | high |

| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| https://d34m1w.bn.files.1drv.com/K | ieinstal.exe, 00000005.00000003.95357909682.0000000003487000.00000004.00000001.sdmp | false | | high |
| https://onedrive.live.com/c | ieinstal.exe, 00000005.00000002.100061248342.0000000003407000.00000004.00000020.sdmp | false | | high |
| https://d34m1w.bn.files.1drv.com/y# | ieinstal.exe, 00000005.00000003.95357909682.0000000003487000.00000004.00000001.sdmp | false | | high |
| https://d34m1w.bn.files.1drv.com/y4m7fxSf_SYygxFCqOTyBtDpLqPOYB60ldIfMGh_-vtFefb5neuOGhwPPxWnqgy8Dxz | ieinstal.exe, 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp, ieinstal.exe, 00000005.00000002.100061742275.0000000003475000.00000004.00000020.sdmp | false | | high |
| https://d34m1w.bn.files.1drv.com/e | ieinstal.exe, 00000005.00000003.95357909682.0000000003487000.00000004.00000001.sdmp | false | | high |
| https://onedrive.live.com/download?cid=176929A81F7E1249&resid=176929A81F7E1249%211217&authkey=ABMgMS | ieinstal.exe, 00000005.00000002.100061542449.000000000344D000.00000004.00000020.sdmp | false | | high |
| https://d34m1w.bn.files.1drv.com/# | ieinstal.exe, 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp | false | | high |
| https://d34m1w.bn.files.1drv.com/y4mlvrZnpVzkFAu500fuzSWuME5RflAMbugHHfl4crVqcejz3wapD4Rm6d4a3n06QKS | ieinstal.exe, 00000005.00000003.95357909682.0000000003487000.00000004.00000001.sdmp | false | | high |
| https://d34m1w.bn.files.1drv.com/rer | ieinstal.exe, 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp | false | | high |
| https://onedrive.live.com/ | ieinstal.exe, 00000005.00000002.100061248342.0000000003407000.00000004.00000020.sdmp | false | | high |
| https://d34m1w.bn.files.1drv.com/ | ieinstal.exe, 00000005.00000003.95357909682.0000000003487000.00000004.00000001.sdmp | false | | high |
| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 172.111.251.34 | olufem.ddns.net | United States | 9009 | M247GB | true |
                                      Joe Sandbox Version:34.0.0 Boulder Opal
                                      Analysis ID:558240
                                      Start date:23.01.2022
                                      Start time:06:48:48
                                      Joe Sandbox Product:CloudBasic
                                      Overall analysis duration:0h 12m 15s
                                      Hypervisor based Inspection enabled:false
                                      Report type:light
                                      Sample file name:171121_PDF.exe
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
                                      Run name:Suspected Instruction Hammering
                                      Number of analysed new started processes analysed:14
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • HDC enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Detection:MAL
                                      Classification:mal100.troj.spyw.evad.winEXE@5/3@10/1
                                      EGA Information:
                                      • Successful, ratio: 100%
                                      HDC Information:Failed
                                      HCA Information:
                                      • Successful, ratio: 74%
                                      • Number of executed functions: 0
                                      • Number of non-executed functions: 0
                                      Cookbook Comments:
                                      • Adjust boot time
                                      • Enable AMSI
                                      • Found application associated with file extension: .exe
                                      • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe
                                      • TCP Packets have been reduced to 100
                                      • Excluded IPs from analysis (whitelisted): 20.82.19.171, 20.54.122.82, 13.107.42.13, 13.107.42.12
                                      • Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, client.wns.windows.com, bn-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, odc-web-geo.onedrive.akadns.net, odc-bn-files-brs.onedrive.akadns.net, ctldl.windowsupdate.com, wdcp.microsoft.com, arc.msn.com, wd-prod-cp.trafficmanager.net, odc-bn-files-geo.onedrive.akadns.net, ris.api.iris.microsoft.com, wd-prod-cp-eu-north-1-fe.northeurope.cloudapp.azure.com, l-0004.l-msedge.net, wdcpalt.microsoft.com, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, l-0003.l-msedge.net, wd-prod-cp-eu-west-2-fe.westeurope.cloudapp.azure.com, img-prod-cms-rt-microsoft-com.akamaized.net
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
|---|---|---|
| 06:51:16 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Skuffejernenesco2 C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe |
| 06:51:24 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Skuffejernenesco2 C:\Users\user\AppData\Local\Temp\CUSCONINE\vagabo.exe |
                                      Process:C:\Program Files (x86)\Internet Explorer\ieinstal.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):112464
                                      Entropy (8bit):6.100488610521297
                                      Encrypted:false
                                      SSDEEP:1536:OPtG0c3vhsblLAvTIpS1HP9CGZG48TdiwOeQqn4kFgGYglLg:X1JsblLAvI+FW48QwOen4Hi8
                                      MD5:60D8B8589BA8045361AE148EE76C7582
                                      SHA1:328A778D026AD6611BB295BF3A799B6499FC7C7C
                                      SHA-256:8F34D0008F07A4460C9EBC5A8D8A558A85979BD0112962EDDF9506DC5B627989
                                      SHA-512:6D7AB39A3367D72D70E0CF8AF182FDF7B20100BE1159465CEBF5603C06BD485FFD0B5ACEE687AD029C1205C1CDADFBFE10002451B484CDE1746ED2C8814F58E7
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: Virustotal, Detection: 60%, Browse
                                      • Antivirus: Metadefender, Detection: 17%, Browse
                                      • Antivirus: ReversingLabs, Detection: 68%
                                      Reputation:low
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................._.................Rich...........................PE..L....~.N.................`...P...............p....@..........................................................................m..(........+..............P...................................................8... ....................................text...._.......`.................. ..`.data........p.......p..............@....rsrc....+.......0..................@..@..^............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\171121_PDF.exe
                                      File Type:Composite Document File V2 Document, Cannot read section info
                                      Category:dropped
                                      Size (bytes):16384
                                      Entropy (8bit):0.623084520004525
                                      Encrypted:false
                                      SSDEEP:12:rl3lKFQCb776fGZHbYS6TS63TXlYdl7HtllGXPuK9iUmTc:rbQylDVYdtNllG/uw7
                                      MD5:23BC92D1C5A3C3698C8524B7CEB3F5D9
                                      SHA1:199D2660FEA3F7310397A37A8C7C600E7A26D461
                                      SHA-256:5A6730EB0987730B214A46DC814FE2071576A338B2210DECE2780AC6E3B45DD7
                                      SHA-512:6FA7CAB689912B93C312D35E0E0F218E6138A3BCB8BC1B31CF0F80E4795C079F8589B879CCAC55C14262C710D4772A4067CCA4ED7890AED678EC988D113227DD
                                      Malicious:false
                                      Reputation:low
                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Program Files (x86)\Internet Explorer\ieinstal.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):228
                                      Entropy (8bit):3.324676875990576
                                      Encrypted:false
                                      SSDEEP:3:rnls2PltX6cl5JWRal2Jl+7R0DAlBG4LNQblovDl9iGLilXIkl+Rf3zNQblovDlw:aiUU5YcIeeDAlybW/Ne5IRfebW/G
                                      MD5:4E974FEC547CB42D02EBEF1C4F168E6E
                                      SHA1:26C86768D963521FBB151F247A117B9C0EB1EBEA
                                      SHA-256:8A7CCD77EF7FE3C4C467A8A7F0BF4153058E5A60E4F9B54A5C4E52BCBAD5B155
                                      SHA-512:32CDE6BB8AA11BDA151BE95FA4B15CB618461CB9ECB3AB36DB5D7574BA8DCCA1C7BFCCA8705C7E0E58847DD88F4D2A9405A692782FB344E896B6EB05495801EB
                                      Malicious:false
                                      Reputation:low
                                      Preview:....[.2.0.2.2./.0.1./.2.3. .0.6.:.5.1.:.2.1. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r. .].....[.W.i.n.].r.....[. .R.u.n. .].........[. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r. .].....
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):6.100488610521297
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.15%
                                      • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:171121_PDF.exe
                                      File size:112464
                                      MD5:60d8b8589ba8045361ae148ee76c7582
                                      SHA1:328a778d026ad6611bb295bf3a799b6499fc7c7c
                                      SHA256:8f34d0008f07a4460c9ebc5a8d8a558a85979bd0112962eddf9506dc5b627989
                                      SHA512:6d7ab39a3367d72d70e0cf8af182fdf7b20100be1159465cebf5603c06bd485ffd0b5acee687ad029c1205c1cdadfbfe10002451b484cde1746ed2c8814f58e7
                                      SSDEEP:1536:OPtG0c3vhsblLAvTIpS1HP9CGZG48TdiwOeQqn4kFgGYglLg:X1JsblLAvI+FW48QwOen4Hi8
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................._.......................Rich............................PE..L....~.N.................`...P...............p....@
                                      Icon Hash:f2c2c29190d2c783
                                      Entrypoint:0x401194
                                      Entrypoint Section:.text
                                      Digitally signed:true
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                      DLL Characteristics:
                                      Time Stamp:0x4ED97EE6 [Sat Dec 3 01:44:06 2011 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:fca27436e553ec62bb2d0905390fd4e6
                                      Signature Valid:false
                                      Signature Issuer:E=Bibaciousnessmnten3@Pinjerforhaa.Non, CN=Vrdiheftesgalets, OU=Formationsskridt, O=ptychoptery, L=Retrickedtrbesk, S=Linoxininvectivel5, C=LV
                                      Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                      Error Number:-2146762487
                                      Not Before, Not After
                                      • 17/11/2021 03:35:05 17/11/2022 03:35:05
                                      Subject Chain
                                      • E=Bibaciousnessmnten3@Pinjerforhaa.Non, CN=Vrdiheftesgalets, OU=Formationsskridt, O=ptychoptery, L=Retrickedtrbesk, S=Linoxininvectivel5, C=LV
                                      Version:3
                                      Thumbprint MD5:81C291A64F4EEAD3EB815B820975A11F
                                      Thumbprint SHA-1:3B9FB2B3310D80BB215D1F0A8A1B4C5CE397126F
                                      Thumbprint SHA-256:6E26EF48D70BCD9763606EA3E88539664649D7701B6F561892E318BB4DB04839
                                      Serial:00
                                      Instruction
                                      push 00401A0Ch
                                      call 00007F9E9C9E4E03h
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      xor byte ptr [eax], al
                                      add byte ptr [eax], al
                                      inc eax
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [ecx+58h], al
                                      push FFFFFFBFh
                                      fadd st(0), st(7)
                                      int1
                                      dec edi
                                      movsb
                                      jmp 00007F9E9C9E4E20h
                                      sbb al, 8Eh
                                      scasd
                                      inc edx
                                      aas
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add dword ptr [eax], eax
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      loopne 00007F9E9C9E4DD8h
                                      or dword ptr [ebx], eax
                                      jnc 00007F9E9C9E4E87h
                                      bound ebp, dword ptr [edi+72h]
                                      imul ebp, dword ptr fs:[esi+00h], 20004108h
                                      or byte ptr [ecx+00h], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      dec esp
                                      xor dword ptr [eax], eax
                                      add dword ptr [edi+ebx*8-316D0720h], ecx
                                      xor eax, 8026BB49h
                                      nop
                                      dec edx
                                      and eax, 87C64A41h
                                      out E9h, al
                                      cmpsd
                                      pop eax
                                      rol dword ptr [edi-7Dh], 1
                                      arpl word ptr [ebx+7Ah], dx
                                      arpl word ptr [edx], cx
                                      pop ss
                                      and byte ptr [edx], bh
                                      dec edi
                                      lodsd
                                      xor ebx, dword ptr [ecx-48EE309Ah]
                                      or al, 00h
                                      stosb
                                      add byte ptr [eax-2Dh], ah
                                      xchg eax, ebx
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      je 00007F9E9C9E4E15h
                                      add byte ptr [eax], al
                                      push ebx
                                      add eax, dword ptr [eax]
                                      add byte ptr [eax], al
                                      push cs
                                      add byte ptr [esi+4Fh], al
                                      inc esp
                                      inc ebp
                                      push edx
                                      inc ecx
                                      dec esp
                                      inc ebp
                                      push edx
                                      push ebx
                                      dec eax
                                      pop ecx
                                      inc esp
                                      push edx
                                      add byte ptr [42000701h], cl
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x16d14 | 0x28 | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x19000 | 0x2bca | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1b000 | 0x750 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x238 | 0x20 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x90 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x15ffc | 0x16000 | False | 0.495827414773 | data | 6.39269902756 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .data | 0x17000 | 0x17f8 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x19000 | 0x2bca | 0x3000 | False | 0.236735026042 | data | 3.87641922123 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| SET | 0x19724 | 0x24a6 | MS Windows icon resource - 3 icons, 24x24, 16 colors, 4 bits/pixel, 24x24, 8 bits/pixel | English | United States |
| RT_ICON | 0x1943c | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4152326007, next used block 7370615 | | |
| RT_GROUP_ICON | 0x19428 | 0x14 | data | | |
| RT_VERSION | 0x19140 | 0x2e8 | data | English | United States |
| DLL | Import |
|---|---|
| MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, _adj_fdiv_m64, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, _adj_fdiv_m32i, _adj_fdivr_m32i, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarSetVar, __vbaLateMemCallLd, _CIatan, __vbaR8IntI4, _allmul, _CItan, _CIexp, __vbaFreeObj |
| Description | Data |
|---|---|
| Translation | 0x0409 0x04b0 |
| LegalCopyright | ART |
| InternalName | Brugstyveriscortic |
| FileVersion | 1.00 |
| CompanyName | ART |
| LegalTrademarks | ART |
| Comments | ART |
| ProductName | ART |
| ProductVersion | 1.00 |
| FileDescription | Classic ART |
| OriginalFilename | Brugstyveriscortic.exe |

| Language of compilation system | Country where language is spoken |
|---|---|
| English | United States |
| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 01/23/22-06:51:20.532714 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 55429 | 1.1.1.1 | 192.168.11.20 |
| 01/23/22-06:52:21.635352 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 53233 | 1.1.1.1 | 192.168.11.20 |
| 01/23/22-06:53:22.622846 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 49426 | 1.1.1.1 | 192.168.11.20 |
| 01/23/22-06:54:24.546109 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 53111 | 1.1.1.1 | 192.168.11.20 |
| 01/23/22-06:55:27.156616 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 58328 | 1.1.1.1 | 192.168.11.20 |
| 01/23/22-06:56:29.782953 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 49551 | 1.1.1.1 | 192.168.11.20 |
| 01/23/22-06:57:30.160630 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 56088 | 1.1.1.1 | 192.168.11.20 |
| 01/23/22-06:58:37.645977 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 49208 | 1.1.1.1 | 192.168.11.20 |
                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Jan 23, 2022 06:51:20.533876896 CET | 49801 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:20.703293085 CET | 6110 | 49801 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:21.213707924 CET | 49801 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:21.383318901 CET | 6110 | 49801 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:21.885405064 CET | 49801 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:22.051764965 CET | 6110 | 49801 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:22.557038069 CET | 49801 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:22.731542110 CET | 6110 | 49801 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:23.244467974 CET | 49801 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:23.417984962 CET | 6110 | 49801 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:24.441565990 CET | 49802 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:24.608980894 CET | 6110 | 49802 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:25.119052887 CET | 49802 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:25.303689957 CET | 6110 | 49802 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:25.806296110 CET | 49802 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:26.020940065 CET | 6110 | 49802 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:26.524879932 CET | 49802 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:26.728079081 CET | 6110 | 49802 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:27.243567944 CET | 49802 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:27.408804893 CET | 6110 | 49802 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:28.418706894 CET | 49805 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:28.582556009 CET | 6110 | 49805 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:29.086854935 CET | 49805 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:29.250814915 CET | 6110 | 49805 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:29.758615971 CET | 49805 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:29.926840067 CET | 6110 | 49805 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:30.430270910 CET | 49805 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:30.594449997 CET | 6110 | 49805 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:31.102112055 CET | 49805 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:31.266598940 CET | 6110 | 49805 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:32.277121067 CET | 49807 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:32.444715023 CET | 6110 | 49807 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:32.945451021 CET | 49807 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:34.009474993 CET | 6110 | 49807 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:34.523053885 CET | 49807 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:34.693078995 CET | 6110 | 49807 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:35.195008993 CET | 49807 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:35.362740040 CET | 6110 | 49807 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:35.866545916 CET | 49807 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:36.035017014 CET | 6110 | 49807 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:37.041501045 CET | 49809 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:37.218277931 CET | 6110 | 49809 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:37.725533009 CET | 49809 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:37.902740002 CET | 6110 | 49809 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:38.413064957 CET | 49809 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:38.606342077 CET | 6110 | 49809 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:39.115875006 CET | 49809 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:39.294013023 CET | 6110 | 49809 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:39.803375006 CET | 49809 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:40.790137053 CET | 6110 | 49809 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:41.813607931 CET | 49816 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:41.976222992 CET | 6110 | 49816 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:42.490164995 CET | 49816 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:42.656023026 CET | 6110 | 49816 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:43.161834002 CET | 49816 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:43.330912113 CET | 6110 | 49816 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:43.833558083 CET | 49816 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:44.019136906 CET | 6110 | 49816 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:44.520960093 CET | 49816 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:44.687252998 CET | 6110 | 49816 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:45.695609093 CET | 49817 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:46.133512020 CET | 6110 | 49817 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:46.645481110 CET | 49817 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:46.821264029 CET | 6110 | 49817 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:47.332819939 CET | 49817 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:47.505533934 CET | 6110 | 49817 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:48.020308018 CET | 49817 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:48.193583012 CET | 6110 | 49817 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:48.707468987 CET | 49817 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:48.885680914 CET | 6110 | 49817 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:49.897425890 CET | 49819 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:50.072941065 CET | 6110 | 49819 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:50.582212925 CET | 49819 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:50.824712992 CET | 6110 | 49819 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:51.332093000 CET | 49819 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:51.508572102 CET | 6110 | 49819 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:52.019186974 CET | 49819 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:52.200375080 CET | 6110 | 49819 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:52.706732988 CET | 49819 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:52.884602070 CET | 6110 | 49819 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:53.896095991 CET | 49820 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:54.061736107 CET | 6110 | 49820 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:54.565732002 CET | 49820 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:54.733727932 CET | 6110 | 49820 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:55.237365961 CET | 49820 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:55.405459881 CET | 6110 | 49820 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:55.909164906 CET | 49820 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:56.077308893 CET | 6110 | 49820 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:56.580893040 CET | 49820 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:56.749423027 CET | 6110 | 49820 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:57.754939079 CET | 49821 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:57.921236992 CET | 6110 | 49821 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:58.424160004 CET | 49821 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:59.050299883 CET | 6110 | 49821 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:51:59.564516068 CET | 49821 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:51:59.733380079 CET | 6110 | 49821 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:52:00.236265898 CET | 49821 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:52:00.405827999 CET | 6110 | 49821 | 172.111.251.34 | 192.168.11.20
                                      Jan 23, 2022 06:52:00.907862902 CET | 49821 | 6110 | 192.168.11.20 | 172.111.251.34
                                      Jan 23, 2022 06:52:01.073436022 CET | 6110 | 49821 | 172.111.251.34 | 192.168.11.20
                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Jan 23, 2022 06:51:15.569247007 CET | 60139 | 53 | 192.168.11.20 | 1.1.1.1
                                      Jan 23, 2022 06:51:16.426620960 CET | 58460 | 53 | 192.168.11.20 | 1.1.1.1
                                      Jan 23, 2022 06:51:20.520481110 CET | 55429 | 53 | 192.168.11.20 | 1.1.1.1
                                      Jan 23, 2022 06:51:20.532713890 CET | 53 | 55429 | 1.1.1.1 | 192.168.11.20
                                      Jan 23, 2022 06:52:21.624361992 CET | 53233 | 53 | 192.168.11.20 | 1.1.1.1
                                      Jan 23, 2022 06:52:21.635351896 CET | 53 | 53233 | 1.1.1.1 | 192.168.11.20
                                      Jan 23, 2022 06:53:22.609636068 CET | 49426 | 53 | 192.168.11.20 | 1.1.1.1
                                      Jan 23, 2022 06:53:22.622845888 CET | 53 | 49426 | 1.1.1.1 | 192.168.11.20
                                      Jan 23, 2022 06:54:24.533535004 CET | 53111 | 53 | 192.168.11.20 | 1.1.1.1
                                      Jan 23, 2022 06:54:24.546108961 CET | 53 | 53111 | 1.1.1.1 | 192.168.11.20
                                      Jan 23, 2022 06:55:27.144592047 CET | 58328 | 53 | 192.168.11.20 | 1.1.1.1
                                      Jan 23, 2022 06:55:27.156615973 CET | 53 | 58328 | 1.1.1.1 | 192.168.11.20
                                      Jan 23, 2022 06:56:29.771713018 CET | 49551 | 53 | 192.168.11.20 | 1.1.1.1
                                      Jan 23, 2022 06:56:29.782953024 CET | 53 | 49551 | 1.1.1.1 | 192.168.11.20
                                      Jan 23, 2022 06:57:30.148957014 CET | 56088 | 53 | 192.168.11.20 | 1.1.1.1
                                      Jan 23, 2022 06:57:30.160629988 CET | 53 | 56088 | 1.1.1.1 | 192.168.11.20
                                      Jan 23, 2022 06:58:37.633886099 CET | 49208 | 53 | 192.168.11.20 | 1.1.1.1
                                      Jan 23, 2022 06:58:37.645977020 CET | 53 | 49208 | 1.1.1.1 | 192.168.11.20
                                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                      Jan 23, 2022 06:51:15.569247007 CET | 192.168.11.20 | 1.1.1.1 | 0xfa92 | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001)
                                      Jan 23, 2022 06:51:16.426620960 CET | 192.168.11.20 | 1.1.1.1 | 0x6ad4 | Standard query (0) | d34m1w.bn.files.1drv.com | A (IP address) | IN (0x0001)
                                      Jan 23, 2022 06:51:20.520481110 CET | 192.168.11.20 | 1.1.1.1 | 0xe900 | Standard query (0) | olufem.ddns.net | A (IP address) | IN (0x0001)
                                      Jan 23, 2022 06:52:21.624361992 CET | 192.168.11.20 | 1.1.1.1 | 0x2bb2 | Standard query (0) | olufem.ddns.net | A (IP address) | IN (0x0001)
                                      Jan 23, 2022 06:53:22.609636068 CET | 192.168.11.20 | 1.1.1.1 | 0xf638 | Standard query (0) | olufem.ddns.net | A (IP address) | IN (0x0001)
                                      Jan 23, 2022 06:54:24.533535004 CET | 192.168.11.20 | 1.1.1.1 | 0xf4b6 | Standard query (0) | olufem.ddns.net | A (IP address) | IN (0x0001)
                                      Jan 23, 2022 06:55:27.144592047 CET | 192.168.11.20 | 1.1.1.1 | 0xaa66 | Standard query (0) | olufem.ddns.net | A (IP address) | IN (0x0001)
                                      Jan 23, 2022 06:56:29.771713018 CET | 192.168.11.20 | 1.1.1.1 | 0x29fe | Standard query (0) | olufem.ddns.net | A (IP address) | IN (0x0001)
                                      Jan 23, 2022 06:57:30.148957014 CET | 192.168.11.20 | 1.1.1.1 | 0x2c5e | Standard query (0) | olufem.ddns.net | A (IP address) | IN (0x0001)
                                      Jan 23, 2022 06:58:37.633886099 CET | 192.168.11.20 | 1.1.1.1 | 0x9807 | Standard query (0) | olufem.ddns.net | A (IP address) | IN (0x0001)
                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                      Jan 23, 2022 06:51:15.579026937 CET | 1.1.1.1 | 192.168.11.20 | 0xfa92 | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net |  | CNAME (Canonical name) | IN (0x0001)
                                      Jan 23, 2022 06:51:16.639554024 CET | 1.1.1.1 | 192.168.11.20 | 0x6ad4 | No error (0) | d34m1w.bn.files.1drv.com | bn-files.fe.1drv.com |  | CNAME (Canonical name) | IN (0x0001)
                                      Jan 23, 2022 06:51:16.639554024 CET | 1.1.1.1 | 192.168.11.20 | 0x6ad4 | No error (0) | bn-files.fe.1drv.com | odc-bn-files-geo.onedrive.akadns.net |  | CNAME (Canonical name) | IN (0x0001)
                                      Jan 23, 2022 06:51:20.532713890 CET | 1.1.1.1 | 192.168.11.20 | 0xe900 | No error (0) | olufem.ddns.net |  | 172.111.251.34 | A (IP address) | IN (0x0001)
                                      Jan 23, 2022 06:52:21.635351896 CET | 1.1.1.1 | 192.168.11.20 | 0x2bb2 | No error (0) | olufem.ddns.net |  | 172.111.251.34 | A (IP address) | IN (0x0001)
                                      Jan 23, 2022 06:53:22.622845888 CET | 1.1.1.1 | 192.168.11.20 | 0xf638 | No error (0) | olufem.ddns.net |  | 172.111.251.34 | A (IP address) | IN (0x0001)
                                      Jan 23, 2022 06:54:24.546108961 CET | 1.1.1.1 | 192.168.11.20 | 0xf4b6 | No error (0) | olufem.ddns.net |  | 172.111.251.34 | A (IP address) | IN (0x0001)
                                      Jan 23, 2022 06:55:27.156615973 CET | 1.1.1.1 | 192.168.11.20 | 0xaa66 | No error (0) | olufem.ddns.net |  | 172.111.251.34 | A (IP address) | IN (0x0001)
                                      Jan 23, 2022 06:56:29.782953024 CET | 1.1.1.1 | 192.168.11.20 | 0x29fe | No error (0) | olufem.ddns.net |  | 172.111.251.34 | A (IP address) | IN (0x0001)
                                      Jan 23, 2022 06:57:30.160629988 CET | 1.1.1.1 | 192.168.11.20 | 0x2c5e | No error (0) | olufem.ddns.net |  | 172.111.251.34 | A (IP address) | IN (0x0001)
                                      Jan 23, 2022 06:58:37.645977020 CET | 1.1.1.1 | 192.168.11.20 | 0x9807 | No error (0) | olufem.ddns.net |  | 172.111.251.34 | A (IP address) | IN (0x0001)


                                      Start time:06:50:41
                                      Start date:23/01/2022
                                      Path:C:\Users\user\Desktop\171121_PDF.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\171121_PDF.exe"
                                      Imagebase:0x400000
                                      File size:112464 bytes
                                      MD5 hash:60D8B8589BA8045361AE148EE76C7582
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Visual Basic
                                      Yara matches:
                                      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.95422336826.0000000002360000.00000040.00000001.sdmp, Author: Joe Security
                                      Reputation:low

                                      Start time:06:50:56
                                      Start date:23/01/2022
                                      Path:C:\Program Files (x86)\Internet Explorer\ieinstal.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\Desktop\171121_PDF.exe"
                                      Imagebase:0xaa0000
                                      File size:480256 bytes
                                      MD5 hash:7871873BABCEA94FBA13900B561C7C55
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate

                                      Start time:06:50:57
                                      Start date:23/01/2022
                                      Path:C:\Program Files (x86)\Internet Explorer\ieinstal.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\171121_PDF.exe"
                                      Imagebase:0xaa0000
                                      File size:480256 bytes
                                      MD5 hash:7871873BABCEA94FBA13900B561C7C55
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000000.95166069748.0000000003000000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.100061830714.0000000003487000.00000004.00000020.sdmp, Author: Joe Security
                                      Reputation:moderate

                                      No disassembly