Source: Remodeller8.exe |
Virustotal: Detection: 52% |
Source: Remodeller8.exe |
ReversingLabs: Detection: 56% |
Source: Remodeller8.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Remodeller8.exe, 00000001.00000002.848068433.00000000006CA000.00000004.00000020.sdmp |
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
Source: C:\Users\user\Desktop\Remodeller8.exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\Remodeller8.exe |
Code function: 1_2_0040905F |
Source: C:\Users\user\Desktop\Remodeller8.exe |
Code function: 1_2_004090A7 |
Source: Remodeller8.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: Remodeller8.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: Remodeller8.exe, 00000001.00000002.848261257.0000000002370000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenameuser32j% vs Remodeller8.exe |
Source: classification engine |
Classification label: mal72.troj.evad.winEXE@1/0@0/0 |
Source: C:\Users\user\Desktop\Remodeller8.exe |
File created: C:\Users\user\AppData\Local\Temp\~DFB617D45F1B8ED128.TMP |
Source: Remodeller8.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\Remodeller8.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\Remodeller8.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: Yara match |
File source: 00000001.00000002.847967336.0000000000530000.00000040.00000001.sdmp, type: MEMORY |
Source: Remodeller8.exe |
Static PE information: real checksum: 0x1ec6a should be: 0x2826d |
Source: C:\Users\user\Desktop\Remodeller8.exe |
Code function: 1_2_0040201B pushfd ; ret |
1_2_00402054 |
Source: C:\Users\user\Desktop\Remodeller8.exe |
Code function: 1_2_004040CB pushfd ; retf |
1_2_004040CD |
Source: C:\Users\user\Desktop\Remodeller8.exe |
Code function: 1_2_00408083 push ebx; ret |
1_2_00408084 |
Source: C:\Users\user\Desktop\Remodeller8.exe |
Code function: 1_2_00405086 push ds; retf |
1_2_0040508F |
Source: C:\Users\user\Desktop\Remodeller8.exe |
Code function: 1_2_00403168 pushfd ; retf |
1_2_00403169 |
Source: C:\Users\user\Desktop\Remodeller8.exe |
Code function: 1_2_00403E66 pushfd ; ret |
1_2_00403E6C |
Source: C:\Users\user\Desktop\Remodeller8.exe |
Code function: 1_2_0040BB37 push 7600FFCEh; iretd |
1_2_0040BB3C |
Source: C:\Users\user\Desktop\Remodeller8.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Remodeller8.exe |
RDTSC instruction interceptor: First address: 00000000005362CD second address: 00000000005362CD instructions: |
Source: C:\Users\user\Desktop\Remodeller8.exe |
RDTSC instruction interceptor: First address: 000000000040926C second address: 000000000040926C instructions:
0x00000000 rdtsc
0x00000002 cmp ebx, 31h
0x00000005 packsswb mm5, mm1
0x00000008 pcmpgtw xmm2, xmm3
0x0000000c psrlq xmm1, 0Fh
0x00000011 packssdw mm2, mm4
0x00000014 pxor mm1, mm4
0x00000017 fcomp st(0), st(2)
0x00000019 jmp 00007F09007A6E5Ch
0x0000001b cmp eax, 20h
0x0000001e cmp eax, 000000FBh
0x00000023 cmp ebx, 00000090h
0x00000029 cmp ebx, 000000C3h
0x0000002f cmp ebx, 000000A1h
0x00000035 cmp ebx, 00000090h
0x0000003b cmp ebx, 52h
0x0000003e cmp edi, 02EAFF40h
0x00000044 psrad xmm7, xmm6
0x00000048 paddb xmm5, xmm0
0x0000004c fsqrt
0x0000004e pause
0x00000050 fsubp st(6), st(0)
0x00000052 fld1
0x00000054 jmp 00007F09007A6E5Dh
0x00000056 movd mm1, ebx
0x00000059 movd mm1, ebx
0x0000005c movd mm1, ebx
0x0000005f movd mm1, ebx
0x00000062 jne 00007F09007A6C4Dh
0x00000068 inc edi
0x00000069 cmp ebx, 000000ACh
0x0000006f cmp ebx, 40h
0x00000072 cmp ebx, 4Eh
0x00000075 cmp ebx, 26h
0x00000078 xchg esi, esi
0x0000007a fpatan
0x0000007c punpckhbw mm7, mm3
0x0000007f movd xmm3, ebx
0x00000083 wait
0x00000084 wait
0x00000085 pcmpeqd xmm3, xmm0
0x00000089 jmp 00007F09007A6E5Dh
0x0000008b cmp ebx, 000000E7h
0x00000091 cmp eax, 000000D5h
0x00000096 cmp eax, 000000F4h
0x0000009b cmp eax, 3Bh
0x0000009e cmp eax, 000000ACh
0x000000a3 cmp ebx, 000000B2h
0x000000a9 rdtsc |
Source: C:\Users\user\Desktop\Remodeller8.exe |
RDTSC instruction interceptor: First address: 0000000000533353 second address: 0000000000533353 instructions:
0x00000000 rdtsc
0x00000002 xor eax, eax
0x00000004 inc eax
0x00000005 cpuid
0x00000007 popad
0x00000008 call 00007F0900793425h
0x0000000d lfence
0x00000010 mov edx, dword ptr [7FFE0014h]
0x00000016 lfence
0x00000019 ret
0x0000001a sub edx, esi
0x0000001c ret
0x0000001d test cl, 00000017h
0x00000020 pop ecx
0x00000021 jmp 00007F090079341Ah
0x00000023 cmp bx, 41F8h
0x00000028 cmp eax, ecx
0x0000002a add edi, edx
0x0000002c dec ecx
0x0000002d cmp ecx, 00000000h
0x00000030 jne 00007F09007933C7h
0x00000032 test dx, dx
0x00000035 test ah, dh
0x00000037 push ecx
0x00000038 cld
0x00000039 test ah, ah
0x0000003b call 00007F0900793462h
0x00000040 call 00007F0900793435h
0x00000045 lfence
0x00000048 mov edx, dword ptr [7FFE0014h]
0x0000004e lfence
0x00000051 ret
0x00000052 mov esi, edx
0x00000054 pushad
0x00000055 rdtsc |
Source: C:\Users\user\Desktop\Remodeller8.exe |
Code function: 1_2_0040905F rdtsc |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\Remodeller8.exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: Remodeller8.exe, 00000001.00000002.848153018.0000000000E50000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: Remodeller8.exe, 00000001.00000002.848153018.0000000000E50000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: Remodeller8.exe, 00000001.00000002.848153018.0000000000E50000.00000002.00000001.sdmp |
Binary or memory string: &Program Manager |
Source: Remodeller8.exe, 00000001.00000002.848153018.0000000000E50000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |