Source: xKBLVUHoY6.exe |
Virustotal: Detection: 36% |
Source: http://212.193.0.40/redi_oXifXcNSpB69.binn |
Avira URL Cloud: Label: malware |
Source: http://212.193.0.40/redi_oXifXcNSpB69.bin~ |
Avira URL Cloud: Label: malware |
Source: http://212.193.0.40/redi_oXifXcNSpB69.bin |
Avira URL Cloud: Label: malware |
Source: http://212.193.0.40/redi_oXifXcNSpB69.binsvY |
Avira URL Cloud: Label: malware |
Source: http://212.193.0.40/redi_oXifXcNSpB69.bing |
Avira URL Cloud: Label: malware |
Source: http://212.193.0.40/redi_oXifXcNSpB69.binH |
Avira URL Cloud: Label: malware |
Source: http://212.193.0.40/redi_oXifXcNSpB69.binoe |
Avira URL Cloud: Label: malware |
Source: http://212.193.0.40/redi_oXifXcNSpB69.binZ |
Avira URL Cloud: Label: malware |
Source: http://212.193.0.40/redi_oXifXcNSpB69.binalm |
Avira URL Cloud: Label: malware |
Source: http://212.193.0.40/redi_oXifXcNSpB69.bin |
Virustotal: Detection: 15% |
Source: 00000000.00000002.1475620205.0000000003360000.00000040.00001000.00020000.00000000.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "http://212.193.0.40/redi_oXifXcNSpB69.bin"} |
Source: xKBLVUHoY6.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
Source: xKBLVUHoY6.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe |
Code function: 0_2_0040290B FindFirstFileW, |
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe |
Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, |
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe |
Code function: 0_2_0040683D FindFirstFileW,FindClose, |
Source: Malware configuration extractor |
URLs: http://212.193.0.40/redi_oXifXcNSpB69.bin |
Source: global traffic |
TCP traffic: 192.168.11.20:49727 -> 212.193.0.40:80 |
Source: Joe Sandbox View |
ASN Name: ASBAXETNRU ASBAXETNRU |
Source: unknown |
TCP traffic detected without corresponding DNS query: 212.193.0.40 |
Source: CasPol.exe, 00000003.00000002.5715874012.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.5718024276.0000000001541000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://212.193.0.40/redi_oXifXcNSpB69.bin |
Source: CasPol.exe, 00000003.00000002.5718024276.0000000001541000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://212.193.0.40/redi_oXifXcNSpB69.binH |
Source: CasPol.exe, 00000003.00000002.5718024276.0000000001541000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://212.193.0.40/redi_oXifXcNSpB69.binZ |
Source: CasPol.exe, 00000003.00000002.5717397048.0000000001520000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://212.193.0.40/redi_oXifXcNSpB69.binalm |
Source: CasPol.exe, 00000003.00000002.5715874012.00000000014D7000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://212.193.0.40/redi_oXifXcNSpB69.bing |
Source: CasPol.exe, 00000003.00000002.5715874012.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.5718024276.0000000001541000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://212.193.0.40/redi_oXifXcNSpB69.binn |
Source: CasPol.exe, 00000003.00000002.5715874012.00000000014D7000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://212.193.0.40/redi_oXifXcNSpB69.binoe |
Source: CasPol.exe, 00000003.00000002.5717397048.0000000001520000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://212.193.0.40/redi_oXifXcNSpB69.binsvY |
Source: CasPol.exe, 00000003.00000002.5718024276.0000000001541000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://212.193.0.40/redi_oXifXcNSpB69.bin~ |
Source: xKBLVUHoY6.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E |
Source: xKBLVUHoY6.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0 |
Source: xKBLVUHoY6.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C |
Source: xKBLVUHoY6.exe |
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0 |
Source: xKBLVUHoY6.exe |
String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0 |
Source: xKBLVUHoY6.exe |
String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0 |
Source: xKBLVUHoY6.exe |
String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError |
Source: xKBLVUHoY6.exe |
String found in binary or memory: http://ocsp.digicert.com0A |
Source: xKBLVUHoY6.exe |
String found in binary or memory: http://ocsp.digicert.com0C |
Source: xKBLVUHoY6.exe |
String found in binary or memory: http://ocsp.digicert.com0X |
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe |
Code function: 0_2_004056A8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, |
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe |
Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, |
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe |
File created: C:\Windows\resources\0409 |
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe |
Code function: 0_2_00406BFE |
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe |
Code function: 0_2_6E551BFF |
Source: xKBLVUHoY6.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe |
Section loaded: edgegdi.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Section loaded: edgegdi.dll |
Source: xKBLVUHoY6.exe |
Static PE information: invalid certificate |
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe |
File read: C:\Users\user\Desktop\xKBLVUHoY6.exe |
Source: xKBLVUHoY6.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown |
Process created: C:\Users\user\Desktop\xKBLVUHoY6.exe "C:\Users\user\Desktop\xKBLVUHoY6.exe" |
|
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\xKBLVUHoY6.exe" |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 |
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe |
File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Lansat |
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe |
File created: C:\Users\user\AppData\Local\Temp\nsp4C13.tmp |
Source: classification engine |
Classification label: mal88.troj.evad.winEXE@4/4@0/1 |
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe |
Code function: 0_2_004021AA CoCreateInstance, |
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe |
File read: C:\Users\desktop.ini |
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe |
Code function: 0_2_00404954 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8764:304:WilStaging_02 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8764:120:WilError_03 |
Source: Yara match |
File source: 00000000.00000002.1475620205.0000000003360000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000000.817511706.0000000001230000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.5715131175.0000000001230000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe |
Code function: 0_2_6E5530C0 push eax; ret |
0_2_6E5530EE |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Code function: 3_2_0123154E push ds; retf |
3_2_012315DD |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Code function: 3_2_012311C5 push esp; iretd |
3_2_012311C6 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Code function: 3_2_012349CC push ebp; ret |
3_2_012349CD |
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe |
Code function: 0_2_6E551BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, |
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe |
File created: C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll |
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe |
File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe |
File opened: C:\Program Files\qga\qga.exe |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
File opened: C:\Program Files\qga\qga.exe |
Source: xKBLVUHoY6.exe, 00000000.00000002.1475805085.0000000003461000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: NTDLLUSER32KERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOKERNELBASE.DLLSHELL32ADVAPI32TEMP=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLL |
Source: xKBLVUHoY6.exe, 00000000.00000002.1475805085.0000000003461000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.5718346627.00000000015D1000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
Source: CasPol.exe, 00000003.00000002.5718346627.00000000015D1000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: NTDLLUSER32KERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOKERNELBASE.DLLSHELL32ADVAPI32TEMP=HTTP://212.193.0.40/REDI_OXIFXCNSPB69.BIN |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe |
System information queried: ModuleInformation |
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe |
API call chain: ExitProcess graph end node |
Source: xKBLVUHoY6.exe, 00000000.00000002.1476265010.0000000004F39000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V Guest Shutdown Service |
Source: xKBLVUHoY6.exe, 00000000.00000002.1476265010.0000000004F39000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V Remote Desktop Virtualization Service |
Source: xKBLVUHoY6.exe, 00000000.00000002.1476265010.0000000004F39000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: vmicshutdown |
Source: xKBLVUHoY6.exe, 00000000.00000002.1475805085.0000000003461000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoKERNELBASE.DLLshell32advapi32TEMP=windir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dll |
Source: xKBLVUHoY6.exe, 00000000.00000002.1476265010.0000000004F39000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V Volume Shadow Copy Requestor |
Source: xKBLVUHoY6.exe, 00000000.00000002.1476265010.0000000004F39000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V PowerShell Direct Service |
Source: xKBLVUHoY6.exe, 00000000.00000002.1476265010.0000000004F39000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V Time Synchronization Service |
Source: xKBLVUHoY6.exe, 00000000.00000002.1476265010.0000000004F39000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: vmicvss |
Source: CasPol.exe, 00000003.00000002.5718346627.00000000015D1000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoKERNELBASE.DLLshell32advapi32TEMP=http://212.193.0.40/redi_oXifXcNSpB69.bin |
Source: CasPol.exe, 00000003.00000002.5715874012.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.5718112034.0000000001545000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: xKBLVUHoY6.exe, 00000000.00000002.1475805085.0000000003461000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.5718346627.00000000015D1000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: xKBLVUHoY6.exe, 00000000.00000002.1476265010.0000000004F39000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V Data Exchange Service |
Source: xKBLVUHoY6.exe, 00000000.00000002.1476265010.0000000004F39000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V Heartbeat Service |
Source: xKBLVUHoY6.exe, 00000000.00000002.1476265010.0000000004F39000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V Guest Service Interface |
Source: xKBLVUHoY6.exe, 00000000.00000002.1476265010.0000000004F39000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: vmicheartbeat |
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe |
Thread information set: HideFromDebugger |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Thread information set: HideFromDebugger |
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe |
Process queried: DebugPort |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Process queried: DebugPort |