Source: file.exe |
Virustotal: Detection: 44% |
Source: file.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: file.exe, 00000000.00000002.1348689124.00000000006E8000.00000004.00000020.sdmp |
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
|
Source: C:\Users\user\Desktop\file.exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00645C42 |
0_2_00645C42 |
Source: file.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: file.exe, 00000000.00000002.1348578831.0000000000600000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenameuser32j% vs file.exe |
Source: file.exe, 00000000.00000002.1349866018.00000000028C0000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenamesmittende.exeFE2X vs file.exe |
Source: file.exe, 00000000.00000002.1348328819.0000000000418000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenamesmittende.exe vs file.exe |
Source: file.exe |
Binary or memory string: OriginalFilenamesmittende.exe vs file.exe |
Source: classification engine |
Classification label: mal76.troj.evad.winEXE@1/0@0/0 |
Source: C:\Users\user\Desktop\file.exe |
File created: C:\Users\user\AppData\Local\Temp\~DFC7949FBBDA9531CE.TMP |
Source: file.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\file.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: Yara match |
File source: Process Memory Space: file.exe PID: 5932, type: MEMORY |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_0040A045 push ebp; retf |
0_2_0040A046 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_0040A055 push ebp; retf |
0_2_0040A056 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_0040980A push cs; ret |
0_2_00409810 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00408896 push ebp; retf |
0_2_004088AA |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_0040A0B9 push ebp; retf |
0_2_0040A0BA |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00403980 pushad ; ret |
0_2_00403981 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_004089A0 push ss; retf |
0_2_004089A6 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_004079B7 push edx; iretd |
0_2_004079E1 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_0040A2EC push edx; iretd |
0_2_0040A31A |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00409288 push edi; retf |
0_2_00409298 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_0040A349 push ebp; retf |
0_2_0040A34A |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00409332 push edi; retf |
0_2_00409340 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_0040A3C4 push esi; retf |
0_2_0040A3C6 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00409B91 push cs; ret |
0_2_00409BA0 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00408C4D push ebp; retf |
0_2_00408C4E |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_0040A528 push cs; retf |
0_2_0040A52A |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_006465B3 push eax; ret |
0_2_006465B4 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00644759 pushfd ; retf |
0_2_006447FD |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_0064471C pushfd ; retf |
0_2_006447FD |
Source: C:\Users\user\Desktop\file.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00641364 |
0_2_00641364 |
Source: file.exe |
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
Source: C:\Users\user\Desktop\file.exe |
RDTSC instruction interceptor: First address: 00000000006430D5 second address: 00000000006430D5 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov ecx, 00001000h 0x00000010 div ecx 0x00000012 test eax, ecx 0x00000014 cmp edx, 00000000h 0x00000017 jne 00007FC1E0914B20h 0x00000019 dec ebx 0x0000001a xor edx, edx 0x0000001c mov eax, ebx 0x0000001e pushad 0x0000001f lfence 0x00000022 rdtsc |
Source: C:\Users\user\Desktop\file.exe |
RDTSC instruction interceptor: First address: 0000000000645D26 second address: 0000000000645D26 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FC1E0DCEFB8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test bx, dx 0x00000020 cmp bl, dl 0x00000022 add edi, edx 0x00000024 test dl, al 0x00000026 dec dword ptr [ebp+000000F8h] 0x0000002c cmp dword ptr [ebp+000000F8h], 00000000h 0x00000033 jne 00007FC1E0DCEF5Fh 0x00000035 test bx, cx 0x00000038 test cx, dx 0x0000003b call 00007FC1E0DCEFE4h 0x00000040 call 00007FC1E0DCEFC8h 0x00000045 lfence 0x00000048 mov edx, dword ptr [7FFE0014h] 0x0000004e lfence 0x00000051 ret 0x00000052 mov esi, edx 0x00000054 pushad 0x00000055 rdtsc |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00642812 rdtsc |
0_2_00642812 |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: file.exe |
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\file.exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00642812 rdtsc |
0_2_00642812 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00643066 mov eax, dword ptr fs:[00000030h] |
0_2_00643066 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00643079 mov eax, dword ptr fs:[00000030h] |
0_2_00643079 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00645413 mov eax, dword ptr fs:[00000030h] |
0_2_00645413 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_006420B5 mov eax, dword ptr fs:[00000030h] |
0_2_006420B5 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_0064599D mov eax, dword ptr fs:[00000030h] |
0_2_0064599D |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00641B81 mov eax, dword ptr fs:[00000030h] |
0_2_00641B81 |
Source: file.exe, 00000000.00000002.1348748260.0000000000D70000.00000002.00000001.sdmp |
Binary or memory string: Program Manager |
Source: file.exe, 00000000.00000002.1348748260.0000000000D70000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: file.exe, 00000000.00000002.1348748260.0000000000D70000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: file.exe, 00000000.00000002.1348748260.0000000000D70000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |
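The entries above give four kinds of static evidence a triage analyst can re-check outside the sandbox: the paired rdtsc reads with cpuid, lfence and a read of KUSER_SHARED_DATA.SystemTime (address 7FFE0014h) between them in the "RDTSC instruction interceptor" records, the repeated mov eax, fs:[30h] PEB reads, the qemu-ga.exe path, and the Progman / Shell_TrayWnd / Program Manager window names. The following scanner is an added example written for this page; it is not the sandbox vendor's detection logic or a rule from the report's Yara matches. It searches a raw byte buffer (a PE section or a memory dump) for the 32-bit encodings of those instructions and for the strings in ASCII and UTF-16LE, pairs consecutive rdtsc reads that lie within a chosen byte window (the 256-byte window is an assumption, not a value from the report), and reports which serializing reads sit between them. The SAMPLE buffer is constructed by hand from the second interceptor's instruction listing plus a PEB.BeingDebugged read and two of the strings; it is not the actual bytes of file.exe.

```python
"""Static triage for the anti-analysis indicators listed in this report.

Added example for this page, not the sandbox's own detection code. Scans a
raw byte buffer (PE section, memory dump) for the 32-bit x86 opcode patterns
and strings the report flagged: rdtsc/cpuid timing probes, PEB reads through
fs:[30h], KUSER_SHARED_DATA.SystemTime reads, the QEMU guest-agent path and
the desktop window-class names.
"""
import re

# 32-bit x86 encodings of the instructions the sandbox reported.
OPCODES = {
    "rdtsc":        b"\x0f\x31",
    "cpuid":        b"\x0f\xa2",
    "lfence":       b"\x0f\xae\xe8",
    "peb_read":     b"\x64\xa1\x30\x00\x00\x00",   # mov eax, dword ptr fs:[30h]
    "systime_read": b"\x8b\x15\x14\x00\xfe\x7f",   # mov edx, dword ptr [7FFE0014h]
}
# Reads that typically sit between two rdtsc samples in a timing probe.
SERIALIZERS = ("cpuid", "lfence", "systime_read")
# Assumed maximum byte distance between two rdtsc reads of one measurement.
TIMING_WINDOW = 256

# Case-insensitive string indicators, checked in ASCII and UTF-16LE.
STRINGS = {
    "qemu_guest_agent":     [b"qemu-ga.exe"],
    "desktop_window_probe": [b"progman", b"shell_traywnd", b"program manager"],
}


def find_opcodes(buf: bytes) -> dict:
    """Return {name: [offsets]} for every opcode pattern, offsets ascending."""
    return {name: [m.start() for m in re.finditer(re.escape(pat), buf)]
            for name, pat in OPCODES.items()}


def find_timing_probes(hits: dict) -> list:
    """Pair consecutive rdtsc reads within TIMING_WINDOW bytes and record
    which serializing reads fall between them: (start, end, (names...))."""
    probes = []
    rd = hits["rdtsc"]
    for start, end in zip(rd, rd[1:]):
        if end - start > TIMING_WINDOW:
            continue
        between = tuple(s for s in SERIALIZERS
                        if any(start < off < end for off in hits[s]))
        probes.append((start, end, between))
    return probes


def find_strings(buf: bytes) -> dict:
    """Return {indicator: [(offset, needle)]} for ASCII or UTF-16LE matches."""
    low = buf.lower()  # bytes.lower() only folds ASCII letters, so UTF-16LE survives
    found = {}
    for name, needles in STRINGS.items():
        for n in needles:
            for enc in (n, n.decode("ascii").encode("utf-16-le")):
                off = low.find(enc)
                if off != -1:
                    found.setdefault(name, []).append((off, n.decode("ascii")))
    return found


def scan(buf: bytes) -> dict:
    """Run all checks and derive coarse tags from the raw findings."""
    ops = find_opcodes(buf)
    probes = find_timing_probes(ops)
    strings = find_strings(buf)
    tags = []
    if probes:
        tags.append("rdtsc_timing_probe")
    if ops["peb_read"]:
        tags.append("peb_access")
    if "qemu_guest_agent" in strings:
        tags.append("vm_artifact_string")
    if "desktop_window_probe" in strings:
        tags.append("desktop_window_probe")
    return {"opcodes": ops, "timing_probes": probes, "strings": strings, "tags": tags}


# Constructed test buffer: the second rdtsc interceptor's instruction stream
# from the report, assembled by hand, plus a PEB.BeingDebugged read and two
# of the reported strings. These are NOT the sample's actual bytes.
SAMPLE = bytes.fromhex(
    "0f31"          # 0x00 rdtsc
    "31c0"          # 0x02 xor eax, eax
    "40"            # 0x04 inc eax
    "0fa2"          # 0x05 cpuid (leaf 1)
    "61"            # 0x07 popad
    "0faee8"        # 0x08 lfence
    "8b151400fe7f"  # 0x0b mov edx, dword ptr [7FFE0014h] (KUSER_SHARED_DATA.SystemTime)
    "0faee8"        # 0x11 lfence
    "c3"            # 0x14 ret
    "29f2"          # 0x15 sub edx, esi
    "89d6"          # 0x17 mov esi, edx
    "60"            # 0x19 pushad
    "0f31"          # 0x1a rdtsc
    "90909090"      # 0x1c nop padding
    "64a130000000"  # 0x20 mov eax, dword ptr fs:[30h] (PEB)
    "8a4002"        # 0x26 mov al, byte ptr [eax+2] (PEB.BeingDebugged)
    "c3"            # 0x29 ret
) + b"\x00" * 16 \
  + b"C:\\Program Files\\Qemu-ga\\qemu-ga.exe\x00" \
  + "Shell_TrayWnd".encode("utf-16-le")

if __name__ == "__main__":
    result = scan(SAMPLE)
    for p in result["timing_probes"]:
        print("timing probe: rdtsc @%#x .. rdtsc @%#x, between: %s" % p)
    print("PEB reads at:", [hex(o) for o in result["opcodes"]["peb_read"]])
    print("strings:", result["strings"])
    print("tags:", result["tags"])
```

Run it against a dumped .text section or the memory regions named in the sdmp references above; a pair of rdtsc reads with cpuid or a SystemTime read between them is the static counterpart of the interceptor records, and the fs:[30h] hits give the same addresses to inspect as the "Code function" entries. Opcode matching on raw bytes has no instruction-boundary awareness, so treat hits in data or packed regions as leads to confirm in a disassembler, not as findings.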