Source: Aflytter2.exe | ReversingLabs: Detection: 25% |
Source: Aflytter2.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Aflytter2.exe, 00000000.00000002.1172614302.000000000073A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
Source: C:\Users\user\Desktop\Aflytter2.exe | Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\Aflytter2.exe | Code function: 0_2_00408F84 |
Source: C:\Users\user\Desktop\Aflytter2.exe | Code function: 0_2_00408FEF |
Source: classification engine | Classification label: mal88.troj.evad.winEXE@1/0@0/0 |
Source: C:\Users\user\Desktop\Aflytter2.exe | File created: C:\Users\user\AppData\Local\Temp\~DFD7FD3B0C05107E2A.TMP |
Source: Aflytter2.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\Aflytter2.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\Aflytter2.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: Yara match | File source: Process Memory Space: Aflytter2.exe PID: 7120, type: MEMORY |
Source: Aflytter2.exe | Static PE information: real checksum: 0x25dde should be: 0x25236 |
Source: C:\Users\user\Desktop\Aflytter2.exe | Code function: 0_2_004080B4 pushfd ; retf |
Source: C:\Users\user\Desktop\Aflytter2.exe | Code function: 0_2_00404594 push ebx; ret |
Source: C:\Users\user\Desktop\Aflytter2.exe | Code function: 0_2_004F1006 push esp; iretd |
Source: C:\Users\user\Desktop\Aflytter2.exe | Code function: 0_2_004F103E push esp; iretd |
Source: C:\Users\user\Desktop\Aflytter2.exe | Code function: 0_2_004F10D8 push esp; iretd |
Source: C:\Users\user\Desktop\Aflytter2.exe | Code function: 0_2_004F54EC push esp; iretd |
Source: C:\Users\user\Desktop\Aflytter2.exe | Code function: 0_2_004F54EA push esp; iretd |
Source: C:\Users\user\Desktop\Aflytter2.exe | Code function: 0_2_004F1165 push esp; iretd |
Source: C:\Users\user\Desktop\Aflytter2.exe | Code function: 0_2_004F090B push esp; iretd |
Source: C:\Users\user\Desktop\Aflytter2.exe | Code function: 0_2_004F111F push esp; iretd |
Source: C:\Users\user\Desktop\Aflytter2.exe | Code function: 0_2_004F0FCD push esp; iretd |
Source: C:\Users\user\Desktop\Aflytter2.exe | Code function: 0_2_004F0FC5 push esp; iretd |
Source: C:\Users\user\Desktop\Aflytter2.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Aflytter2.exe | Code function: 0_2_004F090B |
Source: C:\Users\user\Desktop\Aflytter2.exe | Code function: 0_2_004F092C |
Source: C:\Users\user\Desktop\Aflytter2.exe | Code function: 0_2_004F09C6 |
Source: C:\Users\user\Desktop\Aflytter2.exe | Code function: 0_2_004F0983 |
Source: C:\Users\user\Desktop\Aflytter2.exe | Code function: 0_2_004F0A06 |
Source: C:\Users\user\Desktop\Aflytter2.exe | Code function: 0_2_004F0A04 |
Source: C:\Users\user\Desktop\Aflytter2.exe | Code function: 0_2_004F0A36 |
Source: C:\Users\user\Desktop\Aflytter2.exe | Code function: 0_2_004F0A31 |
Source: C:\Users\user\Desktop\Aflytter2.exe | Code function: 0_2_004F0AC6 |
Source: C:\Users\user\Desktop\Aflytter2.exe | Code function: 0_2_004F0A82 |
Source: C:\Users\user\Desktop\Aflytter2.exe | Code function: 0_2_004F0B4D |
Source: C:\Users\user\Desktop\Aflytter2.exe | Code function: 0_2_004F0B23 |
Source: Aflytter2.exe | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
Source: C:\Users\user\Desktop\Aflytter2.exe | RDTSC instruction interceptor: First address: 000000000040931D second address: 000000000040931D instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, 29h 0x00000005 cmp eax, 000000B6h 0x0000000a cmp eax, 000000EEh 0x0000000f cmp ebx, 000000FDh 0x00000015 cmp ebx, 000000B4h 0x0000001b cmp eax, 00000092h 0x00000020 fprem 0x00000022 fxch st(0), st(1) 0x00000024 psubd xmm5, xmm1 0x00000028 fmulp st(1), st(0) 0x0000002a fldlg2 0x0000002c fsub st(0), st(0) 0x0000002e jmp 00007F576C967319h 0x00000030 cmp eax, 2Ch 0x00000033 cmp eax, 1Ah 0x00000036 cmp eax, 000000ACh 0x0000003b cmp edi, 02EAFF40h 0x00000041 movd mm1, ebx 0x00000044 movd mm1, ebx 0x00000047 movd mm1, ebx 0x0000004a movd mm1, ebx 0x0000004d psrlw mm7, DAh 0x00000051 lfence 0x00000054 emms 0x00000056 fst st(5) 0x00000058 fyl2x 0x0000005a fmulp st(0), st(0) 0x0000005c wait 0x0000005d fninit 0x0000005f jmp 00007F576C967318h 0x00000061 jne 00007F576C967127h 0x00000067 inc edi 0x00000068 cmp ebx, 70h 0x0000006b cmp eax, 25h 0x0000006e cmp ebx, 000000BFh 0x00000074 cmp ebx, 000000CEh 0x0000007a cmp ebx, 07h 0x0000007d cmp eax, 000000DDh 0x00000082 punpckhwd mm3, mm4 0x00000085 fsincos 0x00000087 pcmpgtd xmm0, xmm2 0x0000008b fscale 0x0000008d punpckhbw mm3, mm4 0x00000090 psubusb xmm7, xmm2 0x00000094 psrad mm6, mm2 0x00000097 jmp 00007F576C967318h 0x00000099 cmp eax, 27h 0x0000009c rdtsc |
Source: C:\Users\user\Desktop\Aflytter2.exe | RDTSC instruction interceptor: First address: 00000000004F0508 second address: 00000000004F5E9B instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 jmp 00007F576C956E2Ah 0x00000005 cmp dh, ah 0x00000007 push 7F21185Bh 0x0000000c jmp 00007F576C956E2Ah 0x0000000e cmp dh, dh 0x00000010 push 3E17ADE6h 0x00000015 jmp 00007F576C956E2Ah 0x00000017 cmp edx, eax 0x00000019 push F21FD920h 0x0000001e test ebx, ecx 0x00000020 push 27AA3188h 0x00000025 test bx, cx 0x00000028 test eax, ebx 0x0000002a push DFCB8F12h 0x0000002f jmp 00007F576C956E2Ah 0x00000031 test bx, dx 0x00000034 cmp edx, ecx 0x00000036 test ax, cx 0x00000039 push 2D9CC76Ch 0x0000003e call 00007F576C95C6D7h 0x00000043 cmp ah, FFFFFFE7h 0x00000046 test edx, edx 0x00000048 cmp dh, ch 0x0000004a cmp bh, 00000014h 0x0000004d jmp 00007F576C956E2Ah 0x0000004f cmp dh, 0000003Ch 0x00000052 test cx, ax 0x00000055 pushad 0x00000056 lfence 0x00000059 rdtsc |
Source: C:\Users\user\Desktop\Aflytter2.exe | RDTSC instruction interceptor: First address: 00000000004F5EE8 second address: 00000000004F5F39 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b sub esp, 00000100h 0x00000011 mov edi, esp 0x00000013 cmp ah, FFFFFFE8h 0x00000016 add esp, 00000100h 0x0000001c test edx, edx 0x0000001e mov dword ptr [edi+28h], eax 0x00000021 cmp dh, ch 0x00000023 mov esi, 0000F000h 0x00000028 jmp 00007F576C9672DAh 0x0000002a test ax, cx 0x0000002d test ebx, 05E8210Ch 0x00000033 test bl, cl 0x00000035 pushad 0x00000036 lfence 0x00000039 rdtsc |
Source: C:\Users\user\Desktop\Aflytter2.exe | RDTSC instruction interceptor: First address: 00000000004F5F39 second address: 00000000004F5F90 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp ah, FFFFFF85h 0x0000000e add esi, 00001000h 0x00000014 test edx, edx 0x00000016 cmp esi, 0000F000h 0x0000001c je 00007F576C9570C7h 0x00000022 cmp dh, ch 0x00000024 cmp bh, FFFFFFF6h 0x00000027 jmp 00007F576C956E2Ah 0x00000029 cmp dh, FFFFFFCCh 0x0000002c cmp esi, 7FFFF000h 0x00000032 je 00007F576C957099h 0x00000038 test cx, ax 0x0000003b pushad 0x0000003c lfence 0x0000003f rdtsc |
Source: C:\Users\user\Desktop\Aflytter2.exe | RDTSC instruction interceptor: First address: 00000000004F5F90 second address: 00000000004F5FD5 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push 00000000h 0x0000000d cmp ah, FFFFFFDCh 0x00000010 test edx, edx 0x00000012 push 0000001Ch 0x00000014 cmp dh, ch 0x00000016 push edi 0x00000017 cmp bh, FFFFFFA3h 0x0000001a cmp al, al 0x0000001c push 00000000h 0x0000001e push esi 0x0000001f push FFFFFFFFh 0x00000021 jmp 00007F576C9672DAh 0x00000023 cmp edi, 25C79B16h 0x00000029 pushad 0x0000002a lfence 0x0000002d rdtsc |
Source: C:\Users\user\Desktop\Aflytter2.exe | RDTSC instruction interceptor: First address: 00000000004F33A5 second address: 00000000004F33A5 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F576C956E34h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cmp ecx, ecx 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 jmp 00007F576C956E2Ah 0x00000024 cmp bh, FFFFFFDCh 0x00000027 dec ecx 0x00000028 cmp ecx, 00000000h 0x0000002b jne 00007F576C956DDDh 0x0000002d test cx, 237Ch 0x00000032 test dl, dl 0x00000034 push ecx 0x00000035 call 00007F576C956E4Bh 0x0000003a call 00007F576C956E44h 0x0000003f lfence 0x00000042 mov edx, dword ptr [7FFE0014h] 0x00000048 lfence 0x0000004b ret 0x0000004c mov esi, edx 0x0000004e pushad 0x0000004f rdtsc |
Source: C:\Users\user\Desktop\Aflytter2.exe | Code function: 0_2_00408F84 rdtsc |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: Aflytter2.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\Aflytter2.exe | Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\Aflytter2.exe | Code function: 0_2_004F54C2 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Aflytter2.exe | Code function: 0_2_004F5D5D mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Aflytter2.exe | Code function: 0_2_004F31F8 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Aflytter2.exe | Code function: 0_2_004F664B mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Aflytter2.exe | Code function: 0_2_004F660D mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Aflytter2.exe | Code function: 0_2_004F6632 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Aflytter2.exe | Code function: 0_2_004F22EC mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Aflytter2.exe | Code function: 0_2_004F22E6 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Aflytter2.exe | Code function: 0_2_004F2285 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Aflytter2.exe | Code function: 0_2_004F231F mov eax, dword ptr fs:[00000030h] |
Source: Aflytter2.exe, 00000000.00000002.1172746595.0000000000CC0000.00000002.00000001.sdmp | Binary or memory string: Program Manager |
Source: Aflytter2.exe, 00000000.00000002.1172746595.0000000000CC0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd |
Source: Aflytter2.exe, 00000000.00000002.1172746595.0000000000CC0000.00000002.00000001.sdmp | Binary or memory string: Progman |
Source: Aflytter2.exe, 00000000.00000002.1172746595.0000000000CC0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock |
Source: C:\Users\user\Desktop\Aflytter2.exe | Code function: 0_2_004F0FC5 cpuid |