Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Virustotal: Detection: 17% |
Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Process Stats: CPU usage > 98% |
Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe, 00000000.00000002.1514114800.0000000000411000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameAltrets8.exe vs SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe, 00000000.00000002.1514536414.00000000020A0000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Binary or memory string: OriginalFilenameAltrets8.exe vs SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Source: classification engine |
Classification label: mal76.troj.evad.winEXE@1/0@0/0 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
File created: C:\Users\user\AppData\Local\Temp\~DF787D259C8D513009.TMP |
Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: Yara match |
File source: Process Memory Space: SecuriteInfo.com.Generic.mg.354e60543438661b.exe PID: 1340, type: MEMORY |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Code function: 0_2_0040742D pushfd ; ret |
0_2_00407440 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Code function: 0_2_0040368F push cs; retf |
0_2_00403690 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Code function: 0_2_02B120A2 push ss; retf |
0_2_02B120AC |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Code function: 0_2_02B1207B push ss; retf |
0_2_02B12085 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Code function: 0_2_02B11EDC push ss; retf |
0_2_02B11EE6 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Code function: 0_2_02B11F03 push ss; retf |
0_2_02B11F0D |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Code function: 0_2_02B14D8C push esi; iretd |
0_2_02B14D8D |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Code function: 0_2_02B11A68 |
0_2_02B11A68 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Code function: 0_2_02B11A6D |
0_2_02B11A6D |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Code function: 0_2_02B11B15 |
0_2_02B11B15 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Code function: 0_2_02B11B64 |
0_2_02B11B64 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Code function: 0_2_02B12820 |
0_2_02B12820 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Code function: 0_2_02B1286A |
0_2_02B1286A |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Code function: 0_2_02B159C5 |
0_2_02B159C5 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Code function: 0_2_02B126AE |
0_2_02B126AE |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Code function: 0_2_02B1264C |
0_2_02B1264C |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Code function: 0_2_02B11F55 |
0_2_02B11F55 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Code function: 0_2_02B125C2 |
0_2_02B125C2 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Code function: 0_2_02B125C4 |
0_2_02B125C4 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
RDTSC instruction interceptor: First address: 0000000002B10593 second address: 0000000002B10593 instructions: |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
RDTSC instruction interceptor: First address: 0000000002B1691D second address: 0000000002B1691D instructions: |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
RDTSC instruction interceptor: First address: 0000000002B169E0 second address: 0000000002B169E0 instructions: |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
RDTSC instruction interceptor: First address: 0000000002B16A8F second address: 0000000002B16A8F instructions: |
Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe, 00000000.00000002.1515270635.0000000002B10000.00000040.00000001.sdmp |
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE9 |
Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
RDTSC instruction interceptor: First address: 0000000002B165F8 second address: 0000000002B165F8 instructions:
    0x00000000 rdtsc
    0x00000002 xor eax, eax
    0x00000004 inc eax
    0x00000005 cpuid
    0x00000007 popad
    0x00000008 call 00007F9F88BAB418h
    0x0000000d lfence
    0x00000010 mov edx, dword ptr [7FFE0014h]
    0x00000016 lfence
    0x00000019 ret
    0x0000001a sub edx, esi
    0x0000001c ret
    0x0000001d jmp 00007F9F88BAB406h
    0x0000001f test ebx, 410FB02Fh
    0x00000025 add edi, edx
    0x00000027 test ax, cx
    0x0000002a dec dword ptr [ebp+000000F8h]
    0x00000030 cmp al, cl
    0x00000032 cmp dword ptr [ebp+000000F8h], 00000000h
    0x00000039 jne 00007F9F88BAB359h
    0x0000003b cmp bl, cl
    0x0000003d call 00007F9F88BAB43Ch
    0x00000042 call 00007F9F88BAB428h
    0x00000047 lfence
    0x0000004a mov edx, dword ptr [7FFE0014h]
    0x00000050 lfence
    0x00000053 ret
    0x00000054 mov esi, edx
    0x00000056 pushad
    0x00000057 rdtsc |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Code function: 0_2_02B172A2 rdtsc |
0_2_02B172A2 |
Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe, 00000000.00000002.1515270635.0000000002B10000.00000040.00000001.sdmp |
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe9 |
Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Code function: 0_2_02B162F3 mov eax, dword ptr fs:[00000030h] |
0_2_02B162F3 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Code function: 0_2_02B12820 mov eax, dword ptr fs:[00000030h] |
0_2_02B12820 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Code function: 0_2_02B1286A mov eax, dword ptr fs:[00000030h] |
0_2_02B1286A |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Code function: 0_2_02B137B6 mov eax, dword ptr fs:[00000030h] |
0_2_02B137B6 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Code function: 0_2_02B11F55 mov eax, dword ptr fs:[00000030h] |
0_2_02B11F55 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Code function: 0_2_02B16D8A mov eax, dword ptr fs:[00000030h] |
0_2_02B16D8A |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Code function: 0_2_02B16D34 mov eax, dword ptr fs:[00000030h] |
0_2_02B16D34 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.354e60543438661b.exe |
Code function: 0_2_02B15D47 mov eax, dword ptr fs:[00000030h] |
0_2_02B15D47 |
Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe, 00000000.00000002.1514476148.0000000000C80000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe, 00000000.00000002.1514476148.0000000000C80000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe, 00000000.00000002.1514476148.0000000000C80000.00000002.00000001.sdmp |
Binary or memory string: &Program Manager |
Source: SecuriteInfo.com.Generic.mg.354e60543438661b.exe, 00000000.00000002.1514476148.0000000000C80000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |