Source: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "http://101.99.94.119/WEALTH_PRUu"} |
Source: Yara match |
File source: 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: kGSHiWbgq9.exe PID: 6636, type: MEMORYSTR |
Source: kGSHiWbgq9.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor |
URLs: http://101.99.94.119/WEALTH_PRUu |
Source: global traffic |
HTTP traffic detected: GET /WEALTH_PRUuqVZw139.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 101.99.94.119 Cache-Control: no-cache |
Source: unknown |
TCP traffic detected without corresponding DNS query: 101.99.94.119 |
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp |
String found in binary or memory: http://101.99.94.119/WEALTH_PRUuqVZw139.bin |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F90E6 NtProtectVirtualMemory, |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F2873 NtWriteVirtualMemory,LoadLibraryA, |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F5968 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F443A NtWriteVirtualMemory, |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F5A62 NtWriteVirtualMemory,NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F7A7A NtWriteVirtualMemory, |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F4B7C NtWriteVirtualMemory, |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F4BC9 NtWriteVirtualMemory, |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F8FBB NtProtectVirtualMemory, |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F4DB6 NtWriteVirtualMemory, |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 11_2_00569C03 LdrInitializeThunk,Sleep,LdrInitializeThunk,NtProtectVirtualMemory, |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 11_2_00569B39 LdrInitializeThunk,NtProtectVirtualMemory, |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 11_2_00569C2B LdrInitializeThunk,NtProtectVirtualMemory, |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 11_2_00569B22 LdrInitializeThunk,NtProtectVirtualMemory, |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F5781 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F94D8 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F853B |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F05A1 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F0BDC |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F2873 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F5968 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F0211 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F4339 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F40B7 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F0691 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F86DB |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F86F4 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F443A |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F95C6 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F85E7 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F5A62 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F7A7A |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F2A77 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F3ACE |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F0B59 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F4B7C |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F4BC9 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F3BFF |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F8802 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F3874 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F891F |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F0921 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F398F |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F7E5C |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F1E99 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F0ED2 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F2FD3 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F8C2C |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F3CEF |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F0CFA |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F3CF2 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F2D3B |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F5D78 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F1DA0 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F4DB6 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F0DD5 |
Source: kGSHiWbgq9.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: kGSHiWbgq9.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: kGSHiWbgq9.exe, 00000001.00000000.646609422.0000000000417000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenamePAAKLDENDE.exe vs kGSHiWbgq9.exe |
Source: kGSHiWbgq9.exe, 00000001.00000002.773544375.0000000002090000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenameuser32j% vs kGSHiWbgq9.exe |
Source: kGSHiWbgq9.exe, 0000000B.00000000.772049826.0000000000417000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenamePAAKLDENDE.exe vs kGSHiWbgq9.exe |
Source: kGSHiWbgq9.exe, 0000000B.00000002.1726897873.0000000000860000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenamemswsock.dll.muij% vs kGSHiWbgq9.exe |
Source: kGSHiWbgq9.exe |
Binary or memory string: OriginalFilenamePAAKLDENDE.exe vs kGSHiWbgq9.exe |
Source: classification engine |
Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/2 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Remcos-FAZALZ |
Source: kGSHiWbgq9.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: unknown |
Process created: C:\Users\user\Desktop\kGSHiWbgq9.exe 'C:\Users\user\Desktop\kGSHiWbgq9.exe' |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Process created: C:\Users\user\Desktop\kGSHiWbgq9.exe 'C:\Users\user\Desktop\kGSHiWbgq9.exe' |
Source: Yara match |
File source: 00000001.00000002.773585208.00000000020F0000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_00408873 push esp; ret |
1_2_00408877 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_004088C0 push esp; ret |
1_2_004088CB |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_004014E9 push es; ret |
1_2_004014EA |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_00408CB2 push esi; ret |
1_2_00408CB3 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_0040891C push esi; retf |
1_2_0040892F |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_00407D36 pushad ; iretd |
1_2_00407D3B |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_00408672 push esi; ret |
1_2_00408677 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_00407E22 push ds; iretd |
1_2_00407E27 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_00408624 push esp; ret |
1_2_00408627 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_00408ADE push esi; retf |
1_2_00408ADF |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_00408695 push esi; ret |
1_2_00408677 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F6625 push ebp; iretd |
1_2_020F6637 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
RDTSC instruction interceptor: First address: 00000000020F0298 second address: 00000000020F0298 instructions: |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
RDTSC instruction interceptor: First address: 00000000020F7EAD second address: 00000000020F7EAD instructions: |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
RDTSC instruction interceptor: First address: 00000000020F9858 second address: 00000000020F9858 instructions: |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
RDTSC instruction interceptor: First address: 00000000020F7C30 second address: 00000000020F7DF9 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor ebx, 191FF64Ah 0x00000010 test ax, cx 0x00000013 add ebx, 6B6EB43Bh 0x00000019 cmp edx, ebx 0x0000001b mov ebx, dword ptr [ebp+0000017Bh] 0x00000021 jle 00007FB8B0E6501Bh 0x00000023 call 00007FB8B0E6528Ah 0x00000028 lfence 0x0000002b rdtsc |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
RDTSC instruction interceptor: First address: 00000000020F0EB2 second address: 00000000020F0F20 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test eax, ecx 0x0000000c push ebx 0x0000000d jmp 00007FB8B03661FFh 0x0000000f call 00007FB8B03661D0h 0x00000014 pop ebx 0x00000015 jmp ebx 0x00000017 pop ebx 0x00000018 mov dword ptr [ebp+00000204h], eax 0x0000001e mov eax, B2FB5E9Eh 0x00000023 xor eax, CC322E20h 0x00000028 xor eax, FC8DB287h 0x0000002d test dx, bx 0x00000030 sub eax, 8244C239h 0x00000035 push eax 0x00000036 mov eax, dword ptr [ebp+00000204h] 0x0000003c mov dword ptr [ebp+0000026Fh], ecx 0x00000042 mov ecx, 556F3EE3h 0x00000047 cmp esi, 3EDD9594h 0x0000004d add ecx, A870EBA2h 0x00000053 pushad 0x00000054 rdtsc |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
RDTSC instruction interceptor: First address: 00000000020F0F20 second address: 00000000020F0F20 instructions: |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
RDTSC instruction interceptor: First address: 0000000000561C79 second address: 0000000000561C79 instructions: |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
RDTSC instruction interceptor: First address: 000000000056322B second address: 000000000056326F instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor dword ptr [ebp+14h], AA1EA117h 0x00000011 add dword ptr [ebp+14h], 28368260h 0x00000018 mov dword ptr [ebp+00000277h], esi 0x0000001e mov esi, C4615DA9h 0x00000023 test ebx, 3C315E73h 0x00000029 xor esi, 49D529C1h 0x0000002f xor esi, F48EAD89h 0x00000035 test ch, FFFFFF8Ch 0x00000038 sub esi, 793AD9E1h 0x0000003e pushad 0x0000003f mov ecx, 000000B7h 0x00000044 rdtsc |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
RDTSC instruction interceptor: First address: 0000000000563DB3 second address: 0000000000563DB3 instructions: |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
File opened: C:\Program Files\qga\qga.exe |
Source: kGSHiWbgq9.exe, 00000001.00000002.773600997.0000000002100000.00000004.00000001.sdmp |
Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL |
Source: kGSHiWbgq9.exe, 00000001.00000002.773600997.0000000002100000.00000004.00000001.sdmp |
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
RDTSC instruction interceptor: First address: 00000000020F7CB5 second address: 00000000020F7CB5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 8D6257E7h 0x00000007 xor eax, D6E50CE5h 0x0000000c xor eax, CD304DCCh 0x00000011 add eax, 6948E933h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007FB8B0E65173h 0x0000001e lfence 0x00000021 mov edx, 617AD252h 0x00000026 xor edx, 84973C64h 0x0000002c xor edx, 903C3D1Eh 0x00000032 xor edx, 0A2FD33Ch 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d cmp edx, 53D52FB7h 0x00000043 cmp ah, ch 0x00000045 test cl, bl 0x00000047 ret 0x00000048 jmp 00007FB8B0E65169h 0x0000004d cmp ch, dh 0x0000004f sub edx, esi 0x00000051 ret 0x00000052 add edi, edx 0x00000054 dec dword ptr [ebp+000000F8h] 0x0000005a cmp dword ptr [ebp+000000F8h], 00000000h 0x00000061 jne 00007FB8B0E6506Ch 0x00000063 call 00007FB8B0E650C7h 0x00000068 call 00007FB8B0E65194h 0x0000006d lfence 0x00000070 mov edx, 617AD252h 0x00000075 xor edx, 84973C64h 0x0000007b xor edx, 903C3D1Eh 0x00000081 xor edx, 0A2FD33Ch 0x00000087 mov edx, dword ptr [edx] 0x00000089 lfence 0x0000008c cmp edx, 53D52FB7h 0x00000092 cmp ah, ch 0x00000094 test cl, bl 0x00000096 ret 0x00000097 mov esi, edx 0x00000099 pushad 0x0000009a rdtsc |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
RDTSC instruction interceptor: First address: 00000000020F7DF9 second address: 00000000020F7DF9 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, DDFE68D6h 0x00000013 xor eax, 51E6CF38h 0x00000018 sub eax, D694E780h 0x0000001d xor eax, B583C06Fh 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007FB8B0366842h 0x0000002e popad 0x0000002f call 00007FB8B03663C1h 0x00000034 lfence 0x00000037 rdtsc |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
RDTSC instruction interceptor: First address: 0000000000567CB5 second address: 0000000000567CB5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 8D6257E7h 0x00000007 xor eax, D6E50CE5h 0x0000000c xor eax, CD304DCCh 0x00000011 add eax, 6948E933h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007FB8B03662D3h 0x0000001e lfence 0x00000021 mov edx, 617AD252h 0x00000026 xor edx, 84973C64h 0x0000002c xor edx, 903C3D1Eh 0x00000032 xor edx, 0A2FD33Ch 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d cmp edx, 53D52FB7h 0x00000043 cmp ah, ch 0x00000045 test cl, bl 0x00000047 ret 0x00000048 jmp 00007FB8B03662C9h 0x0000004d cmp ch, dh 0x0000004f sub edx, esi 0x00000051 ret 0x00000052 add edi, edx 0x00000054 dec dword ptr [ebp+000000F8h] 0x0000005a cmp dword ptr [ebp+000000F8h], 00000000h 0x00000061 jne 00007FB8B03661CCh 0x00000063 call 00007FB8B0366227h 0x00000068 call 00007FB8B03662F4h 0x0000006d lfence 0x00000070 mov edx, 617AD252h 0x00000075 xor edx, 84973C64h 0x0000007b xor edx, 903C3D1Eh 0x00000081 xor edx, 0A2FD33Ch 0x00000087 mov edx, dword ptr [edx] 0x00000089 lfence 0x0000008c cmp edx, 53D52FB7h 0x00000092 cmp ah, ch 0x00000094 test cl, bl 0x00000096 ret 0x00000097 mov esi, edx 0x00000099 pushad 0x0000009a rdtsc |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
RDTSC instruction interceptor: First address: 0000000000567DF9 second address: 0000000000567DF9 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, DDFE68D6h 0x00000013 xor eax, 51E6CF38h 0x00000018 sub eax, D694E780h 0x0000001d xor eax, B583C06Fh 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007FB8B0E656E2h 0x0000002e popad 0x0000002f call 00007FB8B0E65261h 0x00000034 lfence 0x00000037 rdtsc |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
RDTSC instruction interceptor: First address: 000000000056326F second address: 00000000005632FA instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp dword ptr [edi+00000814h], esi 0x00000009 mov esi, dword ptr [ebp+00000277h] 0x0000000f je 00007FB8B03663A8h 0x00000015 mov dword ptr [ebp+000001C9h], eax 0x0000001b mov eax, ecx 0x0000001d push eax 0x0000001e mov eax, dword ptr [ebp+000001C9h] 0x00000024 mov esi, dword ptr [edi+00000814h] 0x0000002a mov eax, dword ptr [edi+00000800h] 0x00000030 add eax, esi 0x00000032 add eax, ecx 0x00000034 test dh, dh 0x00000036 mov dword ptr [ebp+000001A6h], eax 0x0000003c mov eax, EC4E9022h 0x00000041 xor eax, 74E0F7A3h 0x00000046 xor eax, 4B60BED9h 0x0000004b sub eax, D3CED944h 0x00000050 cmp bh, 00000033h 0x00000053 push eax 0x00000054 mov eax, dword ptr [ebp+000001A6h] 0x0000005a mov dword ptr [ebp+0000018Fh], edx 0x00000060 mov edx, eax 0x00000062 push edx 0x00000063 mov edx, dword ptr [ebp+0000018Fh] 0x00000069 cmp ah, ch 0x0000006b mov ebx, edi 0x0000006d add ebx, 00000C00h 0x00000073 mov dword ptr [ebp+00000273h], ecx 0x00000079 mov ecx, ebx 0x0000007b cmp dl, al 0x0000007d push ecx 0x0000007e mov ecx, dword ptr [ebp+00000273h] 0x00000084 cmp dh, FFFFFFD7h 0x00000087 pushad 0x00000088 lfence 0x0000008b rdtsc |
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp |
Binary or memory string: Hyper-V RAWu |
Source: kGSHiWbgq9.exe, 00000001.00000002.773600997.0000000002100000.00000004.00000001.sdmp |
Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll |
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727117740.00000000008BC000.00000004.00000020.sdmp |
Binary or memory string: Hyper-V RAW |
Source: kGSHiWbgq9.exe, 00000001.00000002.773600997.0000000002100000.00000004.00000001.sdmp |
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: kGSHiWbgq9.exe, 0000000B.00000002.1726966923.0000000000878000.00000004.00000020.sdmp |
Binary or memory string: Hyper-V RAWH0 |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Thread information set: HideFromDebugger |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F853B mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F73B4 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F3441 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F5589 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F3874 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F7898 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe |
Code function: 1_2_020F2D3B mov eax, dword ptr fs:[00000030h] |
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp |
Binary or memory string: Program Managerc |
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp |
Binary or memory string: Program Manager |
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727276289.0000000000F00000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727276289.0000000000F00000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: kGSHiWbgq9.exe, 0000000B.00000002.1726966923.0000000000878000.00000004.00000020.sdmp, logs.dat.11.dr |
Binary or memory string: [ Program Manager ] |
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp |
Binary or memory string: Program ManagerAZALZ\z |
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp |
Binary or memory string: Program ManagerAZALZ\q |
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727276289.0000000000F00000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727117740.00000000008BC000.00000004.00000020.sdmp |
Binary or memory string: |Program Manager| |
Source: kGSHiWbgq9.exe, 0000000B.00000002.1727052878.00000000008A4000.00000004.00000020.sdmp |
Binary or memory string: Program ManagerAZALZ\, |