Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
Virustotal: Detection: 21% |
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
ReversingLabs: Detection: 17% |
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
Process Stats: CPU usage > 98% |
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe, 00000000.00000000.665571809.0000000000414000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameKROKODILLERNES.exe vs RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe, 00000000.00000002.1839903330.00000000021D0000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenameuser32j% vs RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
Binary or memory string: OriginalFilenameKROKODILLERNES.exe vs RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
Source: classification engine |
Classification label: mal80.troj.evad.winEXE@1/0@0/0 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
File created: C:\Users\user\AppData\Local\Temp\~DFB078FDF516815AF8.TMP |
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: Yara match |
File source: Process Memory Space: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe PID: 1664, type: MEMORY |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
Code function: 0_2_004018BA push es; retf |
0_2_004018C0 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
Code function: 0_2_0040ABB2 push ebp; retf |
0_2_0040ABB4 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
Code function: 0_2_00406400 push FFFFFFCBh; retf |
0_2_004064A7 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
Code function: 0_2_0040AC32 push ecx; retf |
0_2_0040AC34 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
Code function: 0_2_00406D70 push es; retf |
0_2_00406D71 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
Code function: 0_2_00406E5D push ebx; retf |
0_2_00406E61 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
Code function: 0_2_0040AFEB push ebp; retf |
0_2_0040AFEC |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
Code function: 0_2_02217551 push eax; ret |
0_2_02217545 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
Code function: 0_2_02214F49 push edi; iretd |
0_2_02214F4B |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
Code function: 0_2_02211B27 |
0_2_02211B27 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
RDTSC instruction interceptor: First address: 00000000022169AF second address: 00000000022169AF instructions: |
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
RDTSC instruction interceptor: First address: 00000000022137FF second address: 00000000022137FF instructions:
0x00000000 rdtsc
0x00000002 xor eax, eax
0x00000004 inc eax
0x00000005 cpuid
0x00000007 popad
0x00000008 call 00007FBB28C0FCF8h
0x0000000d lfence
0x00000010 mov edx, dword ptr [7FFE0014h]
0x00000016 lfence
0x00000019 ret
0x0000001a sub edx, esi
0x0000001c ret
0x0000001d cmp bl, bl
0x0000001f test ah, bh
0x00000021 pop ecx
0x00000022 jmp 00007FBB28C0FD1Ah
0x00000024 test edi, 6D6DB559h
0x0000002a add edi, edx
0x0000002c cmp dh, bh
0x0000002e dec ecx
0x0000002f cmp ecx, 00000000h
0x00000032 jne 00007FBB28C0FCA7h
0x00000034 test bl, cl
0x00000036 push ecx
0x00000037 cmp bl, dl
0x00000039 test ch, ch
0x0000003b call 00007FBB28C0FD46h
0x00000040 call 00007FBB28C0FD08h
0x00000045 lfence
0x00000048 mov edx, dword ptr [7FFE0014h]
0x0000004e lfence
0x00000051 ret
0x00000052 mov esi, edx
0x00000054 pushad
0x00000055 rdtsc |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
Code function: 0_2_02212201 rdtsc |
0_2_02212201 |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
Code function: 0_2_022162BF mov eax, dword ptr fs:[00000030h] |
0_2_022162BF |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
Code function: 0_2_0221730E mov eax, dword ptr fs:[00000030h] |
0_2_0221730E |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
Code function: 0_2_02217375 mov eax, dword ptr fs:[00000030h] |
0_2_02217375 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
Code function: 0_2_0221738D mov eax, dword ptr fs:[00000030h] |
0_2_0221738D |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
Code function: 0_2_022121E1 mov eax, dword ptr fs:[00000030h] |
0_2_022121E1 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
Code function: 0_2_022121CA mov eax, dword ptr fs:[00000030h] |
0_2_022121CA |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
Code function: 0_2_022121D9 mov eax, dword ptr fs:[00000030h] |
0_2_022121D9 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
Code function: 0_2_02213629 mov eax, dword ptr fs:[00000030h] |
0_2_02213629 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
Code function: 0_2_02213606 mov eax, dword ptr fs:[00000030h] |
0_2_02213606 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
Code function: 0_2_02211B27 mov eax, dword ptr fs:[00000030h] |
0_2_02211B27 |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
Code function: 0_2_0221699D mov eax, dword ptr fs:[00000030h] |
0_2_0221699D |
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe, 00000000.00000002.1839681100.0000000000D80000.00000002.00000001.sdmp |
Binary or memory string: Program Manager |
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe, 00000000.00000002.1839681100.0000000000D80000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe, 00000000.00000002.1839681100.0000000000D80000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe, 00000000.00000002.1839681100.0000000000D80000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_CO.exe |
Code function: 0_2_02215371 cpuid |
0_2_02215371 |