Source: Hotelization1.exe |
ReversingLabs: Detection: 21% |
Source: Hotelization1.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: C:\Users\user\Desktop\Hotelization1.exe |
Code function: 4x nop then jne 020E5481h |
0_2_020E5491 |
Source: C:\Users\user\Desktop\Hotelization1.exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\Hotelization1.exe |
Code function: 0_2_00402659 |
0_2_00402659 |
Source: C:\Users\user\Desktop\Hotelization1.exe |
Code function: 0_2_0040185A |
0_2_0040185A |
Source: C:\Users\user\Desktop\Hotelization1.exe |
Code function: 0_2_00402609 |
0_2_00402609 |
Source: C:\Users\user\Desktop\Hotelization1.exe |
Code function: 0_2_0040180D |
0_2_0040180D |
Source: C:\Users\user\Desktop\Hotelization1.exe |
Code function: 0_2_0040161E |
0_2_0040161E |
Source: C:\Users\user\Desktop\Hotelization1.exe |
Code function: 0_2_004028EF |
0_2_004028EF |
Source: C:\Users\user\Desktop\Hotelization1.exe |
Code function: 0_2_004026FA |
0_2_004026FA |
Source: C:\Users\user\Desktop\Hotelization1.exe |
Code function: 0_2_004026A4 |
0_2_004026A4 |
Source: C:\Users\user\Desktop\Hotelization1.exe |
Code function: 0_2_004024B5 |
0_2_004024B5 |
Source: C:\Users\user\Desktop\Hotelization1.exe |
Code function: 0_2_0040274C |
0_2_0040274C |
Source: C:\Users\user\Desktop\Hotelization1.exe |
Code function: 0_2_00402564 |
0_2_00402564 |
Source: C:\Users\user\Desktop\Hotelization1.exe |
Code function: 0_2_0040250C |
0_2_0040250C |
Source: C:\Users\user\Desktop\Hotelization1.exe |
Code function: 0_2_004027C8 |
0_2_004027C8 |
Source: C:\Users\user\Desktop\Hotelization1.exe |
Code function: 0_2_004027A7 |
0_2_004027A7 |
Source: C:\Users\user\Desktop\Hotelization1.exe |
Code function: 0_2_004027B6 |
0_2_004027B6 |
Source: C:\Users\user\Desktop\Hotelization1.exe |
Code function: 0_2_004025BC |
0_2_004025BC |
Source: classification engine |
Classification label: mal68.troj.evad.winEXE@1/0@0/0 |
Source: C:\Users\user\Desktop\Hotelization1.exe |
File created: C:\Users\user\AppData\Local\Temp\~DF3AF5D2DA9F942D5F.TMP |
Source: Hotelization1.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\Hotelization1.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\Hotelization1.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: Yara match |
File source: Process Memory Space: Hotelization1.exe PID: 3360, type: MEMORY |
Source: C:\Users\user\Desktop\Hotelization1.exe |
Code function: 0_2_00406437 push ds; iretd |
0_2_00406439 |
Source: C:\Users\user\Desktop\Hotelization1.exe |
Code function: 0_2_00403EA3 push esi; retf |
0_2_00403EBB |
Source: C:\Users\user\Desktop\Hotelization1.exe |
Code function: 0_2_0040274C push eax; retf |
0_2_0040274B |
Source: C:\Users\user\Desktop\Hotelization1.exe |
Code function: 0_2_00402FFF push ds; ret |
0_2_00403002 |
Source: C:\Users\user\Desktop\Hotelization1.exe |
Process information set: NOOPENFILEERRORBOX |
Source: Hotelization1.exe |
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
Source: C:\Users\user\Desktop\Hotelization1.exe |
RDTSC instruction interceptor: First address: 00000000020E2761 second address: 00000000020E2761 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F6560A1C59Dh 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e cmp bh, ch 0x00000020 pushad 0x00000021 mov bh, 82h 0x00000023 cmp bh, FFFFFF82h 0x00000026 jne 00007F6560A1BC79h 0x0000002c popad 0x0000002d add edi, edx 0x0000002f test bl, al 0x00000031 dec ecx 0x00000032 cmp ecx, 00000000h 0x00000035 jne 00007F6560A1C53Fh 0x00000037 push ecx 0x00000038 test ah, 00000038h 0x0000003b call 00007F6560A1C588h 0x00000040 call 00007F6560A1C5ADh 0x00000045 lfence 0x00000048 mov edx, dword ptr [7FFE0014h] 0x0000004e lfence 0x00000051 ret 0x00000052 mov esi, edx 0x00000054 pushad 0x00000055 rdtsc |
Source: C:\Users\user\Desktop\Hotelization1.exe |
Code function: 0_2_020E2030 rdtsc |
0_2_020E2030 |
Source: Hotelization1.exe |
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\Hotelization1.exe |
Code function: 0_2_020E1A0A mov eax, dword ptr fs:[00000030h] |
0_2_020E1A0A |
Source: C:\Users\user\Desktop\Hotelization1.exe |
Code function: 0_2_020E1827 mov eax, dword ptr fs:[00000030h] |
0_2_020E1827 |
Source: C:\Users\user\Desktop\Hotelization1.exe |
Code function: 0_2_020E4A9E mov eax, dword ptr fs:[00000030h] |
0_2_020E4A9E |
Source: C:\Users\user\Desktop\Hotelization1.exe |
Code function: 0_2_020E50DF mov eax, dword ptr fs:[00000030h] |
0_2_020E50DF |
Source: C:\Users\user\Desktop\Hotelization1.exe |
Code function: 0_2_020E50DA mov eax, dword ptr fs:[00000030h] |
0_2_020E50DA |
Source: C:\Users\user\Desktop\Hotelization1.exe |
Code function: 0_2_020E4358 mov eax, dword ptr fs:[00000030h] |
0_2_020E4358 |
Source: C:\Users\user\Desktop\Hotelization1.exe |
Code function: 0_2_020E13C1 mov eax, dword ptr fs:[00000030h] |
0_2_020E13C1 |
Source: C:\Users\user\Desktop\Hotelization1.exe |
Code function: 0_2_020E25EE mov eax, dword ptr fs:[00000030h] |
0_2_020E25EE |
Source: Hotelization1.exe, 00000000.00000002.734355506.0000000000C60000.00000002.00000001.sdmp |
Binary or memory string: Program Manager |
Source: Hotelization1.exe, 00000000.00000002.734355506.0000000000C60000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: Hotelization1.exe, 00000000.00000002.734355506.0000000000C60000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: Hotelization1.exe, 00000000.00000002.734355506.0000000000C60000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |