Source: Yara match
File source: Process Memory Space: CompanyLicense.exe PID: 6572, type: MEMORY
Source: CompanyLicense.exe
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: global traffic
TCP traffic: 192.168.2.4:49731 -> 185.140.53.253:2048
Source: Joe Sandbox View
IP Address: 185.140.53.253
Source: unknown
DNS traffic detected: queries for: onedrive.live.com
Source: CompanyLicense.exe, 00000001.00000002.998526794.0000000000562000.00000040.00000001.sdmp
String found in binary or memory: https://onedrive.live.com/download?cid=3EA7AF3CF2A8B6E2&resid=3EA7AF3CF2A8B6E2%21118&authkey=AM5VKIx
Source: C:\Users\user\Desktop\CompanyLicense.exe
Code function: 0_2_020A08D5 EnumWindows,NtSetInformationThread,
Source: C:\Users\user\Desktop\CompanyLicense.exe
Code function: 0_2_020A8B16 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\CompanyLicense.exe
Code function: 0_2_020A474B NtSetInformationThread,
Source: C:\Users\user\Desktop\CompanyLicense.exe
Code function: 0_2_020A0D52 NtWriteVirtualMemory,TerminateProcess,
Source: C:\Users\user\Desktop\CompanyLicense.exe
Code function: 0_2_020A8E25 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\CompanyLicense.exe
Code function: 0_2_020A38A7 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\CompanyLicense.exe
Code function: 0_2_020A34CD NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\CompanyLicense.exe
Code function: 0_2_020A36D0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\CompanyLicense.exe
Code function: 0_2_020A0917 NtSetInformationThread,
Source: C:\Users\user\Desktop\CompanyLicense.exe
Code function: 0_2_020A35EF NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\CompanyLicense.exe
Code function: 0_2_020A35E2 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\CompanyLicense.exe
Code function: 1_2_00568B16 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\CompanyLicense.exe
Code function: 1_2_00568EC6 NtSetInformationThread,
Source: C:\Users\user\Desktop\CompanyLicense.exe
Code function: 1_2_00569248 NtSetInformationThread,
Source: C:\Users\user\Desktop\CompanyLicense.exe
Code function: 1_2_0056910C NtSetInformationThread,
Source: C:\Users\user\Desktop\CompanyLicense.exe
Code function: 1_2_00569436 NtSetInformationThread,
Source: C:\Users\user\Desktop\CompanyLicense.exe
Code function: 1_2_00568FE0 NtSetInformationThread,
Source: C:\Users\user\Desktop\CompanyLicense.exe
Code function: 1_2_005695B9 NtSetInformationThread,
Source: C:\Users\user\Desktop\CompanyLicense.exe
Code function: 0_2_004041A1
Source: CompanyLicense.exe
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Internering2.exe.1.dr
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CompanyLicense.exe, 00000000.00000002.667461596.0000000000415000.00000002.00020000.sdmp
Binary or memory string: OriginalFilenameSKULPTURUDSTILLING.exe vs CompanyLicense.exe
Source: CompanyLicense.exe, 00000000.00000002.667883059.0000000002090000.00000002.00000001.sdmp
Binary or memory string: OriginalFilenameuser32j% vs CompanyLicense.exe
Source: CompanyLicense.exe, 00000001.00000000.666580572.0000000000415000.00000002.00020000.sdmp
Binary or memory string: OriginalFilenameSKULPTURUDSTILLING.exe vs CompanyLicense.exe
Source: CompanyLicense.exe, 00000001.00000002.1001890961.000000001DEF0000.00000002.00000001.sdmp
Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs CompanyLicense.exe
Source: CompanyLicense.exe, 00000001.00000002.1001872713.000000001DDA0000.00000002.00000001.sdmp
Binary or memory string: OriginalFilenamemswsock.dll.muij% vs CompanyLicense.exe
Source: CompanyLicense.exe
Binary or memory string: OriginalFilenameSKULPTURUDSTILLING.exe vs CompanyLicense.exe
Source: classification engine
Classification label: mal100.troj.evad.winEXE@3/3@74/2
Source: C:\Users\user\Desktop\CompanyLicense.exe
File created: C:\Users\user\AppData\Roaming\remcos
Source: C:\Users\user\Desktop\CompanyLicense.exe
Mutant created: \Sessions\1\BaseNamedObjects\idle-C625D6
Source: C:\Users\user\Desktop\CompanyLicense.exe
File created: C:\Users\user\AppData\Local\Temp\~DF35090EC034E56AF4.TMP
Source: CompanyLicense.exe
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\CompanyLicense.exe
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\CompanyLicense.exe
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\CompanyLicense.exe
File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\CompanyLicense.exe
File read: C:\Users\user\Desktop\CompanyLicense.exe
Source: unknown
Process created: C:\Users\user\Desktop\CompanyLicense.exe 'C:\Users\user\Desktop\CompanyLicense.exe'
Source: C:\Users\user\Desktop\CompanyLicense.exe
Process created: C:\Users\user\Desktop\CompanyLicense.exe 'C:\Users\user\Desktop\CompanyLicense.exe'
Source: C:\Users\user\Desktop\CompanyLicense.exe
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Yara match
File source: 00000001.00000002.998526794.0000000000562000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match
File source: Process Memory Space: CompanyLicense.exe PID: 6572, type: MEMORY
Source: Yara match
File source: Process Memory Space: CompanyLicense.exe PID: 5148, type: MEMORY
Source: C:\Users\user\Desktop\CompanyLicense.exe
Code function: 0_2_00405695 push edi; ret 0_2_0040569C
Source: C:\Users\user\Desktop\CompanyLicense.exe
Code function: 0_2_020A5757 push edi; ret 0_2_020A575A
Source: C:\Users\user\Desktop\CompanyLicense.exe
File created: C:\Users\user\AppData\Local\Temp\Arsenation\Internering2.exe
Source: C:\Users\user\Desktop\CompanyLicense.exe
Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Hamid C:\Users\user\AppData\Local\Temp\Arsenation\Internering2.vbs
Source: C:\Users\user\Desktop\CompanyLicense.exe
Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Hamid
Source: C:\Users\user\Desktop\CompanyLicense.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CompanyLicense.exe
Code function: 0_2_020A0D52 NtWriteVirtualMemory,TerminateProcess,
Source: C:\Users\user\Desktop\CompanyLicense.exe
Code function: 0_2_020A0BD7 TerminateProcess,
Source: C:\Users\user\Desktop\CompanyLicense.exe
RDTSC instruction interceptor: First address: 0000000000562BFB second address: 0000000000562BFB instructions:
Source: C:\Users\user\Desktop\CompanyLicense.exe
File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\CompanyLicense.exe
File opened: C:\Program Files\qga\qga.exe
Source: CompanyLicense.exe
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: C:\Users\user\Desktop\CompanyLicense.exe
Code function: 0_2_020A0D52 rdtsc
Source: C:\Users\user\Desktop\CompanyLicense.exe
Window / User API: threadDelayed 930
Source: C:\Users\user\Desktop\CompanyLicense.exe TID: 6792
Thread sleep count: 930 > 30
Source: C:\Users\user\Desktop\CompanyLicense.exe TID: 6792
Thread sleep time: -9300000s >= -30000s
Source: C:\Users\user\Desktop\CompanyLicense.exe
Last function: Thread delayed
Source: CompanyLicense.exe
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\CompanyLicense.exe
Code function: 0_2_020A08D5 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,?,6DDC21B5,6DDB9555,?,321C9581,?,020A8349
Source: C:\Users\user\Desktop\CompanyLicense.exe
Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\CompanyLicense.exe
Process queried: DebugPort
Source: C:\Users\user\Desktop\CompanyLicense.exe
Code function: 0_2_020A457E LdrInitializeThunk,
Source: C:\Users\user\Desktop\CompanyLicense.exe
Code function: 0_2_020A2C10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CompanyLicense.exe
Code function: 0_2_020A2259 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CompanyLicense.exe
Code function: 0_2_020A2C7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CompanyLicense.exe
Code function: 0_2_020A7679 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CompanyLicense.exe
Code function: 0_2_020A3CAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CompanyLicense.exe
Code function: 0_2_020A833C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CompanyLicense.exe
Code function: 0_2_020A6F42 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CompanyLicense.exe
Code function: 1_2_00566F42 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CompanyLicense.exe
Code function: 1_2_00567679 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CompanyLicense.exe
Code function: 1_2_0056833C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CompanyLicense.exe
Code function: 1_2_00563CAB mov eax, dword ptr fs:[00000030h]
Source: CompanyLicense.exe, 00000001.00000002.998846227.0000000002527000.00000004.00000040.sdmp
Binary or memory string: Program Manager
Source: CompanyLicense.exe, 00000001.00000002.998765960.0000000000FC0000.00000002.00000001.sdmp
Binary or memory string: Shell_TrayWnd
Source: CompanyLicense.exe, 00000001.00000002.998765960.0000000000FC0000.00000002.00000001.sdmp
Binary or memory string: Progman
Source: logs.dat.1.dr
Binary or memory string: [ Program Manager ]
Source: CompanyLicense.exe, 00000001.00000002.998765960.0000000000FC0000.00000002.00000001.sdmp
Binary or memory string: Progmanlock
Source: CompanyLicense.exe, 00000001.00000002.998846227.0000000002527000.00000004.00000040.sdmp
Binary or memory string: Program Managerrgo.org
Source: CompanyLicense.exe, 00000001.00000002.998846227.0000000002527000.00000004.00000040.sdmp
Binary or memory string: Program Manager9
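The rows above are raw signature evidence from the sandbox run; the script below is an added triage example (my own code, not part of the Joe Sandbox report or of the sample) that parses the report's two-line "Source: ... | detail |" layout, drops the table residue ("Jump to behavior" links, repeated address rows, trailing pipes), collapses repeated rows, maps the anti-analysis and persistence evidence to findings, and extracts the network and host IOCs an analyst would hand to detection. The rule table and its ATT&CK IDs are my mapping and an assumption; the sample input is constructed from rows copied out of this listing. One fact worth keeping in mind when reading the NtSetInformationThread row above: its second argument, 00000011, is THREADINFOCLASS 0x11 (ThreadHideFromDebugger), which is why the sandbox also reports "Thread information set: HideFromDebugger".

```python
import re

# Constructed sample: rows copied from the listing above, table residue kept on purpose.
SAMPLE = r"""
Source: global traffic |
TCP traffic: 192.168.2.4:49731 -> 185.140.53.253:2048 |
Source: CompanyLicense.exe, 00000000.00000002.667461596.0000000000415000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameSKULPTURUDSTILLING.exe vs CompanyLicense.exe |
Source: CompanyLicense.exe, 00000000.00000002.667883059.0000000002090000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenameuser32j% vs CompanyLicense.exe |
Source: C:\Users\user\Desktop\CompanyLicense.exe |
Mutant created: \Sessions\1\BaseNamedObjects\idle-C625D6 |
Source: C:\Users\user\Desktop\CompanyLicense.exe |
File created: C:\Users\user\AppData\Local\Temp\Arsenation\Internering2.exe |
Jump to dropped file |
Source: C:\Users\user\Desktop\CompanyLicense.exe |
Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Hamid C:\Users\user\AppData\Local\Temp\Arsenation\Internering2.vbs |
Jump to behavior |
Source: C:\Users\user\Desktop\CompanyLicense.exe |
Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Hamid C:\Users\user\AppData\Local\Temp\Arsenation\Internering2.vbs |
Jump to behavior |
Source: C:\Users\user\Desktop\CompanyLicense.exe |
File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\CompanyLicense.exe TID: 6792 |
Thread sleep count: 930 > 30 |
Source: C:\Users\user\Desktop\CompanyLicense.exe |
Thread information set: HideFromDebugger |
Source: C:\Users\user\Desktop\CompanyLicense.exe |
Process queried: DebugPort |
Source: C:\Users\user\Desktop\CompanyLicense.exe |
Code function: 0_2_020A0D52 rdtsc |
0_2_020A0D52 |
"""

# Residue rows of the extracted table: link text and the repeated function address.
RESIDUE = re.compile(r"^(Jump to (behavior|dropped file)|\d+_\d+_[0-9A-Fa-f]{8})$")

def parse_entries(text):
    """Return (source, detail) pairs; trailing pipes and residue rows are dropped."""
    entries, source = [], None
    for raw in text.splitlines():
        line = raw.strip().rstrip("|").strip()
        if not line or RESIDUE.match(line):
            continue
        if line.startswith("Source:"):
            source = line[7:].strip()
        elif source is not None:
            entries.append((source, line))
    return entries

# (finding, ATT&CK id, regex over the detail text). The mapping is my assumption.
RULES = [
    ("anti-debug: ThreadHideFromDebugger", "T1622", re.compile(r"HideFromDebugger|NtSetInformationThread")),
    ("anti-debug: ProcessDebugPort query", "T1622", re.compile(r"^Process queried: DebugPort$")),
    ("anti-VM: rdtsc timing", "T1497.003", re.compile(r"\brdtsc\b|^RDTSC instruction interceptor")),
    ("anti-VM: QEMU guest-agent probe", "T1497.001", re.compile(r"(?i)qemu-ga|\\qga\\qga\.exe")),
    ("evasion: direct PEB read fs:[30h]", "T1622", re.compile(r"fs:\[00000030h\]")),
    ("persistence: RunOnce -> script in %TEMP%", "T1547.001", re.compile(r"\\RunOnce .*\\AppData\\Local\\Temp\\.*\.vbs$")),
    ("injection: NtWriteVirtualMemory/NtProtectVirtualMemory", "T1055", re.compile(r"NtWriteVirtualMemory|NtProtectVirtualMemory")),
]
SLEEP = re.compile(r"^Thread sleep count: (\d+) > (\d+)$")
ORIGNAME = re.compile(r"^Binary or memory string: OriginalFilename(\S+) vs (\S+)$")

def triage(text):
    """Map entries to findings; a repeated row raises 'hits' but adds no new evidence."""
    findings = {}
    for _source, detail in parse_entries(text):
        hits = [(name, tech) for name, tech, rx in RULES if rx.search(detail)]
        m = SLEEP.match(detail)
        if m and int(m.group(1)) > int(m.group(2)):
            hits.append(("anti-sandbox: sleep loop", "T1497.003"))
        m = ORIGNAME.match(detail)
        # Only an .exe OriginalFilename that differs from the on-disk name is a masquerade
        # signal; DLL version strings scraped from the process dump (user32, CRYPT32) are noise.
        if m and m.group(1).lower().endswith(".exe") and m.group(1).lower() != m.group(2).lower():
            hits.append(("masquerading: OriginalFilename mismatch", "T1036"))
        for name, tech in hits:
            f = findings.setdefault(name, {"technique": tech, "hits": 0, "evidence": []})
            f["hits"] += 1
            if detail not in f["evidence"]:
                f["evidence"].append(detail)
    return findings

IOC_PATTERNS = {
    "c2": re.compile(r"^TCP traffic: \S+ -> (\S+)$"),
    "mutex": re.compile(r"^Mutant created: (\S+)$"),
    "dropped": re.compile(r"^File created: (.+\.(?:exe|vbs|dll))$", re.I),
    "runonce": re.compile(r"^Registry value created or modified: HKEY_\S+\\RunOnce (\S+) (.+)$"),
}

def iocs(text):
    """Collect de-duplicated host and network indicators; runonce is 'value = data'."""
    out = {kind: [] for kind in IOC_PATTERNS}
    for _source, detail in parse_entries(text):
        for kind, rx in IOC_PATTERNS.items():
            m = rx.match(detail)
            if m and " = ".join(m.groups()) not in out[kind]:
                out[kind].append(" = ".join(m.groups()))
    return out
```

Run against a full report, `triage()` gives one finding per technique with a hit count, so the nine NOOPENFILEERRORBOX rows or the repeated RunOnce writes no longer read as nine separate behaviours, and `iocs()` yields the C2 socket, mutex name, dropped file and RunOnce entry in a form that drops straight into a blocklist or a registry hunt.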