Source: AAN2101002-V017..exe | Virustotal: Detection: 11% |
Source: AAN2101002-V017..exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Code function: 0_2_0040CEDB |
Source: AAN2101002-V017..exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: AAN2101002-V017..exe, 00000000.00000000.228543860.0000000000416000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamesubcasino.exe vs AAN2101002-V017..exe |
Source: AAN2101002-V017..exe, 00000000.00000002.1225434392.00000000020A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs AAN2101002-V017..exe |
Source: AAN2101002-V017..exe | Binary or memory string: OriginalFilenamesubcasino.exe vs AAN2101002-V017..exe |
Source: classification engine | Classification label: mal80.troj.evad.winEXE@1/0@0/0 |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | File created: C:\Users\user\AppData\Local\Temp\~DF7E8BA7E2AA2205F3.TMP |
Source: AAN2101002-V017..exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: AAN2101002-V017..exe | Virustotal: Detection: 11% |
Source: Yara match | File source: Process Memory Space: AAN2101002-V017..exe PID: 1064, type: MEMORY |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Code function: 0_2_0040F877 push cs; ret |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Code function: 0_2_0040BC14 push cs; retf |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Code function: 0_2_0040B02B push cs; retf |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Code function: 0_2_0040D519 push eax; iretd |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Code function: 0_2_0040F70F push cs; ret |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Code function: 0_2_0040F39D push edx; retf |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Code function: 0_2_020D5201 |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Code function: 0_2_020D7248 |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Code function: 0_2_020D1A9C |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Code function: 0_2_020D2A9E |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Code function: 0_2_020D72A6 |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Code function: 0_2_020D32FD |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Code function: 0_2_020D7317 |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Code function: 0_2_020D2B28 |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Code function: 0_2_020D2BA5 |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Code function: 0_2_020D1813 |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Code function: 0_2_020D6C79 |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Code function: 0_2_020D2C87 |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Code function: 0_2_020D2CF2 |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Code function: 0_2_020D2D7C |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Code function: 0_2_020D5D89 |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Code function: 0_2_020D61B3 |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Code function: 0_2_020D71D9 |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Code function: 0_2_020D2DD4 |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Code function: 0_2_020D71D7 |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | System information queried: CurrentTimeZoneInformation |
Source: AAN2101002-V017..exe, 00000000.00000002.1225496373.00000000020D0000.00000040.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | RDTSC instruction interceptor: First address: 00000000020D37CF second address: 00000000020D37CF instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FA3A0B0F2B8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e nop 0x0000001f jmp 00007FA3A0B0F2DEh 0x00000021 cmp cx, cx 0x00000024 add edi, edx 0x00000026 cmp ecx, eax 0x00000028 dec ecx 0x00000029 test eax, D4DD871Eh 0x0000002e cmp ecx, 00000000h 0x00000031 jne 00007FA3A0B0F260h 0x00000033 test eax, E413EFD2h 0x00000038 push ecx 0x00000039 test eax, ebx 0x0000003b test dl, FFFFFFBDh 0x0000003e call 00007FA3A0B0F30Ch 0x00000043 call 00007FA3A0B0F2C8h 0x00000048 lfence 0x0000004b mov edx, dword ptr [7FFE0014h] 0x00000051 lfence 0x00000054 ret 0x00000055 mov esi, edx 0x00000057 pushad 0x00000058 rdtsc |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Code function: 0_2_020D7E0D rdtsc |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: AAN2101002-V017..exe, 00000000.00000002.1225496373.00000000020D0000.00000040.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Code function: 0_2_020D225F mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Code function: 0_2_020D62B2 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Code function: 0_2_020D1F97 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Code function: 0_2_020D689A mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Code function: 0_2_020D24BF mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Code function: 0_2_020D24D2 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Code function: 0_2_020D35C1 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Code function: 0_2_020D35C3 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Code function: 0_2_020D71D9 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Code function: 0_2_020D71D7 mov eax, dword ptr fs:[00000030h] |
Source: AAN2101002-V017..exe, 00000000.00000002.1225031087.0000000000C20000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd |
Source: AAN2101002-V017..exe, 00000000.00000002.1225031087.0000000000C20000.00000002.00000001.sdmp | Binary or memory string: Progman |
Source: AAN2101002-V017..exe, 00000000.00000002.1225031087.0000000000C20000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl |
Source: AAN2101002-V017..exe, 00000000.00000002.1225031087.0000000000C20000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd, |
Source: AAN2101002-V017..exe, 00000000.00000002.1225031087.0000000000C20000.00000002.00000001.sdmp | Binary or memory string: Progmanlock |
Source: C:\Users\user\Desktop\AAN2101002-V017..exe | Code function: 0_2_020D69A8 cpuid |