Source: order.exe |
Virustotal: Detection: 57% |
Source: order.exe |
Metadefender: Detection: 35% |
Source: order.exe |
ReversingLabs: Detection: 39% |
Source: order.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: initial sample |
Static PE information: Filename: order.exe |
Source: C:\Users\user\Desktop\order.exe |
Process Stats: CPU usage > 98% |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process Stats: CPU usage > 98% |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B001AE |
8_2_00B001AE |
Source: order.exe, 00000000.00000000.317526946.000000000041C000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameREVISIONSARBEJDET.exe vs order.exe |
Source: order.exe |
Binary or memory string: OriginalFilenameREVISIONSARBEJDET.exe vs order.exe |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Section loaded: sfc.dll |
Source: classification engine |
Classification label: mal92.troj.evad.winEXE@4/0@0/0 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6528:120:WilError_01 |
Source: C:\Users\user\Desktop\order.exe |
File created: C:\Users\user\AppData\Local\Temp\~DF9AF78BB154A6012A.TMP |
Source: order.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\order.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\order.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown |
Process created: C:\Users\user\Desktop\order.exe 'C:\Users\user\Desktop\order.exe' |
|
Source: C:\Users\user\Desktop\order.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\order.exe' |
|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: Window Recorder |
Window detected: More than 3 window changes detected |
Source: Yara match |
File source: Process Memory Space: RegAsm.exe PID: 6512, type: MEMORY |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B0569F push edi; retf |
8_2_00B0569E |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B078F5 push ds; ret |
8_2_00B078F6 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B052EB push edi; retf |
8_2_00B05359 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B05617 push edi; retf |
8_2_00B05679 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B0567A push edi; retf |
8_2_00B05679 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B0567A push edi; retf |
8_2_00B0569E |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B0537F push edi; retf |
8_2_00B0537E |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B0535A push edi; retf |
8_2_00B05359 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B0535A push edi; retf |
8_2_00B0537E |
Source: C:\Users\user\Desktop\order.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B030B4 |
8_2_00B030B4 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B032BE |
8_2_00B032BE |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B02C83 |
8_2_00B02C83 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B02C85 |
8_2_00B02C85 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B02CE6 |
8_2_00B02CE6 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B02ED9 |
8_2_00B02ED9 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B0300D |
8_2_00B0300D |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B02E7C |
8_2_00B02E7C |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B03050 |
8_2_00B03050 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B03657 |
8_2_00B03657 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B03640 |
8_2_00B03640 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B03248 |
8_2_00B03248 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B02FB6 |
8_2_00B02FB6 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B02DA6 |
8_2_00B02DA6 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B035F7 |
8_2_00B035F7 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B02DFD |
8_2_00B02DFD |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B031DB |
8_2_00B031DB |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B0373B |
8_2_00B0373B |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B0372A |
8_2_00B0372A |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B02910 |
8_2_00B02910 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B0311A |
8_2_00B0311A |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B03176 |
8_2_00B03176 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B03752 |
8_2_00B03752 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B02D42 |
8_2_00B02D42 |
Source: C:\Users\user\Desktop\order.exe |
RDTSC instruction interceptor: First address: 0000000002115779 second address: 0000000002115779 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FAC50D99578h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test dx, 0BE2h 0x00000022 pop ecx 0x00000023 test bl, cl 0x00000025 add edi, edx 0x00000027 cmp cx, DF6Fh 0x0000002c dec ecx 0x0000002d jmp 00007FAC50D995BAh 0x0000002f test bh, dh 0x00000031 cmp ecx, 00000000h 0x00000034 jne 00007FAC50D994C2h 0x0000003a jmp 00007FAC50D995B2h 0x0000003c test dx, ax 0x0000003f cmp eax, ebx 0x00000041 push ecx 0x00000042 cmp ebx, ebx 0x00000044 call 00007FAC50D995ECh 0x00000049 call 00007FAC50D99588h 0x0000004e lfence 0x00000051 mov edx, dword ptr [7FFE0014h] 0x00000057 lfence 0x0000005a ret 0x0000005b mov esi, edx 0x0000005d pushad 0x0000005e rdtsc |
Source: C:\Users\user\Desktop\order.exe |
RDTSC instruction interceptor: First address: 0000000002110F1E second address: 0000000002110F1E instructions: |
Source: C:\Users\user\Desktop\order.exe |
RDTSC instruction interceptor: First address: 0000000002114FD8 second address: 0000000002114FD8 instructions: |
Source: C:\Users\user\Desktop\order.exe |
RDTSC instruction interceptor: First address: 000000000211501A second address: 000000000211501A instructions: |
Source: C:\Users\user\Desktop\order.exe |
File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\order.exe |
File opened: C:\Program Files\qga\qga.exe |
Source: RegAsm.exe |
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
Source: C:\Users\user\Desktop\order.exe |
RDTSC instruction interceptor: First address: 0000000002115B71 second address: 0000000002115B71 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FAC50D9BD0Bh 0x0000001d popad 0x0000001e jmp 00007FAC50D96A66h 0x00000020 test ecx, ecx 0x00000022 call 00007FAC50D96A6Eh 0x00000027 lfence 0x0000002a rdtsc |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B030B4 rdtsc |
8_2_00B030B4 |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: RegAsm.exe |
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\order.exe |
Thread information set: HideFromDebugger |
Source: C:\Users\user\Desktop\order.exe |
Process queried: DebugPort |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B02C83 mov eax, dword ptr fs:[00000030h] |
8_2_00B02C83 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B03AC5 mov eax, dword ptr fs:[00000030h] |
8_2_00B03AC5 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B03AC7 mov eax, dword ptr fs:[00000030h] |
8_2_00B03AC7 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B03640 mov eax, dword ptr fs:[00000030h] |
8_2_00B03640 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B0A5BF mov eax, dword ptr fs:[00000030h] |
8_2_00B0A5BF |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B053F5 mov eax, dword ptr fs:[00000030h] |
8_2_00B053F5 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B053F7 mov eax, dword ptr fs:[00000030h] |
8_2_00B053F7 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B03B2A mov eax, dword ptr fs:[00000030h] |
8_2_00B03B2A |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Code function: 8_2_00B0910E mov eax, dword ptr fs:[00000030h] |
8_2_00B0910E |
Source: C:\Users\user\Desktop\order.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: B00000 |
Source: RegAsm.exe, 00000008.00000002.582948928.0000000001340000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: RegAsm.exe, 00000008.00000002.582948928.0000000001340000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: RegAsm.exe, 00000008.00000002.582948928.0000000001340000.00000002.00000001.sdmp |
Binary or memory string: &Program Manager |
Source: RegAsm.exe, 00000008.00000002.582948928.0000000001340000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |