Analysis Report Lista produkt#U00f3w.exe

Overview

General Information

Sample Name: Lista produkt#U00f3w.exe
Analysis ID: 411100
MD5: c7f305d2e4f5e91e8118ac32ec796b0c
SHA1: c477a3d238b96c2a58e77bb7c818775e23f7d656
SHA256: 0d28b94959edb70309a2754a83f2c9230b3176618ab571995d81955751ca2dbe

Detection

GuLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: Lista produkt#U00f3w.exe Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=17FenSUBd1a7PqzhRX-elu4bxZvs0LF9Y"}
Multi AV Scanner detection for submitted file
Source: Lista produkt#U00f3w.exe Virustotal: Detection: 34%
Source: Lista produkt#U00f3w.exe ReversingLabs: Detection: 17%

Compliance:

Uses 32bit PE files
Source: Lista produkt#U00f3w.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=17FenSUBd1a7PqzhRX-elu4bxZvs0LF9Y
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Process Stats: CPU usage > 98%
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_01D733E1 NtProtectVirtualMemory, 0_2_01D733E1
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_01D71B3F NtAllocateVirtualMemory, 0_2_01D71B3F
Detected potential crypto function
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_00407206 0_2_00407206
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_00407246 0_2_00407246
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_0040176F 0_2_0040176F
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_00401580 0_2_00401580
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_004017BC 0_2_004017BC
Sample file is different than original file name gathered from version info
Source: Lista produkt#U00f3w.exe, 00000000.00000000.2086108427.0000000000414000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameFarveskrmene.exe vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3167446836.0000000001E58000.00000004.00000040.sdmp Binary or memory string: OriginalFilenameFarveskrmene.exeFE2X vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewersvcj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewbengine.exe.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepuiapi.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWfsR.DLL.MUIj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewmplayer.exe.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemsfltr32.acm.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameaudiosrv.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamebatt.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameMDMINST.DLL.MUIj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWCNCSVC.DLL.MUIj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamePOWRPROF.DLL.MUIj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameAUTOPLAY.DLL.MUIj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamedmdskres.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamegpscript.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamesdcpl.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamesrchadmin.dll.mui@ vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWPDSp.DLL.MUIj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameVfWWDM32.DLL.MUIj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameUsbui.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameERCj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamecscsvc.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameehRecvr.exe.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamessdpsrv.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameRUNDLL32.EXE.MUIj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenetcfgx.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemsfeedsbs.dll.muiD vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameunregmp2.exe.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWUDFSvc.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWPCCPL.DLL.MUIj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameTrustedInstaller.exe.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameUxTheme.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenetprof.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamebattc.sys.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewevtsvc.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameappmgmts.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameSHDOCVW.DLL.MUIj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamesti_ci.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamefaultrep.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewdc.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameqwavedrv.sys.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewucltux.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameunpnhost.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameappinfo.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemidimap.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemmcndmgr.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameAccessibilityCpl.DLL.MUIj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameMSRATING.DLL.MUID vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameoleres.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewmploc.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameACCTRES.DLL.MUIj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameOLEACCRC.DLL.MUIj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameIPBusEnum.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamerstrui.exe.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameieinstal.exe.muiD vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewmisvc.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameSRVSVC.DLL.MUIj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamedeskadp.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamePowerCPL.DLL.MUIj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemsadp32.acm.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameSRV.SYS.MUIj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameiccvid.drv.muiN vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamegpapi.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamebluetooth.cpl.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewpd_ci.DLL.MUIj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameINETRES.DLL.MUIj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameMFC42.DLL.MUIR vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameSWPRV.DLL.MUIj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamePhotoScreensaver.scr.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameATL.DLL.MUIR vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemmcbase.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamelhdfrgui.exe.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamePDH.DLL.MUIj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWMPNSSCI.DLL.MUIj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamescsiport.sys.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameAVIFIL32.DLL.MUIj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemmci.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenametermsrv.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameBubblesj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameIE4UINIT.EXE.MUID vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameiedkcs32.dll.muiD vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWinMail.exe.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewevtutil.exe.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameTBSSVC.DLL.MUIj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameulib.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamei8042prt.sys.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemycomput.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameparport.sys.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamedsound.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamefwcfg.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameqwave.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168905603.0000000003647000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameumrdp.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameehres.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWMPSideShowGadgetj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameonex.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemsvfw32.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamethumbcache.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamelocalsec.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameUI0Detect.exe.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWLANGPUI.DLL.MUIj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameMSV1_0.DLL.MUIj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamehotplug.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameSTI.DLL.MUIj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemmcss.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewuaueng.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameOLE32.DLL.MUIj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamew32time.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameslui.exe.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameUSERCPL.DLL.MUIj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenametaskschd.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWMDM.dll.muiZ vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamebthci.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameMSHTMLER.DLL.MUID vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenapdsnap.DLL.MUIj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameREGSVC.DLL.MUIj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamesbdropj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamebrserid.sys.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamecomdlg32.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameSXS.DLL.MUIj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamedps.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWMPNSCFG.EXE.MUIj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamesdclt.exe.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWEBCHECK.DLL.MUID vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameAuxiliaryDisplayCpl.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameMBLCTR.EXE.MUIj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameEFSADU.DLL.MUIj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWPDMTPDR.DLL.MUIj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameNetworkItemFactory.DLL.MUIj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameMSCTF.DLL.MUIj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameaudiodev.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameaelupsvc.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamejscript.dll.muiH vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamegpedit.dll.muij% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameMSOERES.DLL.MUIj% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3167374879.00000000004A0000.00000008.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe Binary or memory string: OriginalFilenameFarveskrmene.exe vs Lista produkt#U00f3w.exe
Uses 32bit PE files
Source: Lista produkt#U00f3w.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3168785172.0000000003460000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal80.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe File created: C:\Users\user\AppData\Local\Temp\~DF9757055F2834F01E.TMP
Source: Lista produkt#U00f3w.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Lista produkt#U00f3w.exe Virustotal: Detection: 34%
Source: Lista produkt#U00f3w.exe ReversingLabs: Detection: 17%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.3167430661.0000000001D70000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_00406613 push edx; ret 0_2_00406614
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_00405A15 push esp; ret 0_2_00405A20
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_00405889 push eax; ret 0_2_0040588C
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_0040576B push edi; retf 0_2_004057A0
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_00404B1B push esp; retn 0000h 0_2_00404B1D
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_0040459E pushfd ; ret 0_2_004045A0
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_01D71B3F pushfd ; iretd 0_2_01D71CAC
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_01D71CA1 pushfd ; iretd 0_2_01D71CAC
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_01D70D16 0_2_01D70D16
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_01D70511 0_2_01D70511
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_01D71301 0_2_01D71301
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_01D70C5E 0_2_01D70C5E
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe RDTSC instruction interceptor: First address: 0000000001D71972 second address: 0000000001D71972 instructions:
  0x00000000 rdtsc
  0x00000002 xor eax, eax
  0x00000004 inc eax
  0x00000005 cpuid
  0x00000007 popad
  0x00000008 call 00007F23ACD81D8Ah
  0x0000000d lfence
  0x00000010 mov edx, dword ptr [7FFE0014h]
  0x00000016 lfence
  0x00000019 ret
  0x0000001a sub edx, esi
  0x0000001c ret
  0x0000001d pop ecx
  0x0000001e add edi, edx
  0x00000020 cmp bx, ax
  0x00000023 dec ecx
  0x00000024 cmp dh, ah
  0x00000026 cmp ecx, 00000000h
  0x00000029 jne 00007F23ACD81D6Ah
  0x0000002b push ecx
  0x0000002c cmp bl, al
  0x0000002e cmp bl, cl
  0x00000030 call 00007F23ACD81D9Fh
  0x00000035 call 00007F23ACD81D9Ah
  0x0000003a lfence
  0x0000003d mov edx, dword ptr [7FFE0014h]
  0x00000043 lfence
  0x00000046 ret
  0x00000047 mov esi, edx
  0x00000049 pushad
  0x0000004a rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_01D707C4 rdtsc 0_2_01D707C4
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_01D707C4 rdtsc 0_2_01D707C4
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_01D72B82 mov eax, dword ptr fs:[00000030h] 0_2_01D72B82
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_01D72D69 mov eax, dword ptr fs:[00000030h] 0_2_01D72D69
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_01D70D16 mov eax, dword ptr fs:[00000030h] 0_2_01D70D16
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_01D7111A mov eax, dword ptr fs:[00000030h] 0_2_01D7111A
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_01D718E2 mov eax, dword ptr fs:[00000030h] 0_2_01D718E2
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_01D730ED mov eax, dword ptr fs:[00000030h] 0_2_01D730ED
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3167403263.00000000008E0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3167403263.00000000008E0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Lista produkt#U00f3w.exe, 00000000.00000002.3167403263.00000000008E0000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Code function: 0_2_01D71B3F cpuid 0_2_01D71B3F
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Behavior Graph (ID: 411100): Sample: Lista produkt#U00f3w.exe, Startdate: 11/05/2021, Architecture: WINDOWS, Score: 80. Signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected GuLoader; 4 other signatures. Process started: Lista produkt#U00f3w.exe.
No contacted IP infos