Source: OPDATERINGSDISKETTES.exe |
Virustotal: Detection: 21% |
Source: OPDATERINGSDISKETTES.exe |
ReversingLabs: Detection: 10% |
Source: OPDATERINGSDISKETTES.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\OPDATERINGSDISKETTES.exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\OPDATERINGSDISKETTES.exe |
Code function: 0_2_00402029 |
0_2_00402029 |
Source: C:\Users\user\Desktop\OPDATERINGSDISKETTES.exe |
Code function: 0_2_00401A29 |
0_2_00401A29 |
Source: C:\Users\user\Desktop\OPDATERINGSDISKETTES.exe |
Code function: 0_2_004019DC |
0_2_004019DC |
Source: C:\Users\user\Desktop\OPDATERINGSDISKETTES.exe |
Code function: 0_2_004017E9 |
0_2_004017E9 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: sfc.dll |
Source: classification engine |
Classification label: mal84.troj.evad.winEXE@4/0@0/0 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5788:120:WilError_01 |
Source: C:\Users\user\Desktop\OPDATERINGSDISKETTES.exe |
File created: C:\Users\user\AppData\Local\Temp\~DFA3B2BCDEB5667DD5.TMP |
Source: OPDATERINGSDISKETTES.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\OPDATERINGSDISKETTES.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\OPDATERINGSDISKETTES.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown |
Process created: C:\Users\user\Desktop\OPDATERINGSDISKETTES.exe 'C:\Users\user\Desktop\OPDATERINGSDISKETTES.exe' |
|
Source: unknown |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\OPDATERINGSDISKETTES.exe' |
|
Source: unknown |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\OPDATERINGSDISKETTES.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\OPDATERINGSDISKETTES.exe' |
Source: Window Recorder |
Window detected: More than 3 window changes detected |
Source: Yara match |
File source: Process Memory Space: RegAsm.exe PID: 1948, type: MEMORY |
Source: C:\Users\user\Desktop\OPDATERINGSDISKETTES.exe |
Code function: 0_2_00405D44 push ebx; iretd |
0_2_00405D4B |
Source: C:\Users\user\Desktop\OPDATERINGSDISKETTES.exe |
Code function: 0_2_0040BF54 push edi; retn 0004h |
0_2_0040C441 |
Source: C:\Users\user\Desktop\OPDATERINGSDISKETTES.exe |
Code function: 0_2_00403D0E push ds; retf |
0_2_00403D28 |
Source: C:\Users\user\Desktop\OPDATERINGSDISKETTES.exe |
Code function: 0_2_00406BF3 push ebx; retf |
0_2_00406BF4 |
Source: C:\Users\user\Desktop\OPDATERINGSDISKETTES.exe |
Code function: 0_2_0040B1BD push edi; retn 0004h |
0_2_0040C441 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 14_2_00B009AD push ss; retf |
14_2_00B009B5 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 14_2_00B02907 pushfd ; iretd |
14_2_00B03541 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 14_2_00B00B83 push ss; retf |
14_2_00B00B8B |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 14_2_00B005B3 pushfd ; iretd |
14_2_00B03541 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 14_2_00B0050D pushfd ; iretd |
14_2_00B03541 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 14_2_00B0068F pushfd ; iretd |
14_2_00B03541 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 14_2_00B03ECD pushfd ; iretd |
14_2_00B03541 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 14_2_00B0060F pushfd ; iretd |
14_2_00B03541 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 14_2_00B00707 pushfd ; iretd |
14_2_00B03541 |
Source: C:\Users\user\Desktop\OPDATERINGSDISKETTES.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 14_2_00B013F1 |
14_2_00B013F1 |
Source: C:\Users\user\Desktop\OPDATERINGSDISKETTES.exe |
RDTSC instruction interceptor: First address: 0000000000622878 second address: 0000000000622878 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FA66039AC58h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e add edi, edx 0x00000020 dec ecx 0x00000021 test esi, 5AFA4577h 0x00000027 cmp ecx, 00000000h 0x0000002a jne 00007FA66039AC3Ah 0x0000002c push ecx 0x0000002d test ch, 00000041h 0x00000030 call 00007FA66039AC6Dh 0x00000035 call 00007FA66039AC68h 0x0000003a lfence 0x0000003d mov edx, dword ptr [7FFE0014h] 0x00000043 lfence 0x00000046 ret 0x00000047 mov esi, edx 0x00000049 pushad 0x0000004a rdtsc |
Source: C:\Users\user\Desktop\OPDATERINGSDISKETTES.exe |
File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\OPDATERINGSDISKETTES.exe |
File opened: C:\Program Files\qga\qga.exe |
Source: RegAsm.exe |
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
Source: C:\Users\user\Desktop\OPDATERINGSDISKETTES.exe |
RDTSC instruction interceptor: First address: 0000000000622A2D second address: 0000000000622A2D instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FA660B0C492h 0x0000001d popad 0x0000001e call 00007FA660B0A08Dh 0x00000023 lfence 0x00000026 rdtsc |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 14_2_00B018B7 rdtsc |
14_2_00B018B7 |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: RegAsm.exe |
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\OPDATERINGSDISKETTES.exe |
Thread information set: HideFromDebugger |
Source: C:\Users\user\Desktop\OPDATERINGSDISKETTES.exe |
Process queried: DebugPort |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 14_2_00B051AB mov eax, dword ptr fs:[00000030h] |
14_2_00B051AB |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 14_2_00B051DF mov eax, dword ptr fs:[00000030h] |
14_2_00B051DF |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 14_2_00B01AF3 mov eax, dword ptr fs:[00000030h] |
14_2_00B01AF3 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 14_2_00B04ACA mov eax, dword ptr fs:[00000030h] |
14_2_00B04ACA |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 14_2_00B013F1 mov eax, dword ptr fs:[00000030h] |
14_2_00B013F1 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 14_2_00B044BF mov eax, dword ptr fs:[00000030h] |
14_2_00B044BF |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 14_2_00B04498 mov eax, dword ptr fs:[00000030h] |
14_2_00B04498 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 14_2_00B0272D mov eax, dword ptr fs:[00000030h] |
14_2_00B0272D |
Source: OPDATERINGSDISKETTES.exe, 00000000.00000002.471694785.0000000000CC0000.00000002.00000001.sdmp, RegAsm.exe, 0000000E.00000002.470676447.0000000001360000.00000002.00000001.sdmp |
Binary or memory string: Program Manager |
Source: OPDATERINGSDISKETTES.exe, 00000000.00000002.471694785.0000000000CC0000.00000002.00000001.sdmp, RegAsm.exe, 0000000E.00000002.470676447.0000000001360000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: OPDATERINGSDISKETTES.exe, 00000000.00000002.471694785.0000000000CC0000.00000002.00000001.sdmp, RegAsm.exe, 0000000E.00000002.470676447.0000000001360000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: OPDATERINGSDISKETTES.exe, 00000000.00000002.471694785.0000000000CC0000.00000002.00000001.sdmp, RegAsm.exe, 0000000E.00000002.470676447.0000000001360000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |