Source: sVNHE4jjOw.exe |
Virustotal: Detection: 34% |
Source: sVNHE4jjOw.exe |
ReversingLabs: Detection: 23% |
Source: sVNHE4jjOw.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: |
Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\Dragt1.pdb source: sVNHE4jjOw.exe |
Source: |
Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\Dragt1.pdb@ source: sVNHE4jjOw.exe |
Source: sVNHE4jjOw.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 |
Source: sVNHE4jjOw.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0 |
Source: sVNHE4jjOw.exe |
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P |
Source: sVNHE4jjOw.exe |
String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02 |
Source: sVNHE4jjOw.exe |
String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0: |
Source: sVNHE4jjOw.exe |
String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0 |
Source: sVNHE4jjOw.exe |
String found in binary or memory: http://ocsp.digicert.com0C |
Source: sVNHE4jjOw.exe |
String found in binary or memory: http://ocsp.digicert.com0O |
Source: sVNHE4jjOw.exe |
String found in binary or memory: http://www.digicert.com/CPS0 |
Source: sVNHE4jjOw.exe |
String found in binary or memory: https://www.digicert.com/CPS0 |
Source: sVNHE4jjOw.exe, 00000000.00000002.748037096.000000000081A000.00000004.00000020.sdmp |
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
|
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_0080561F NtAllocateVirtualMemory, |
0_2_0080561F |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00805608 NtAllocateVirtualMemory, |
0_2_00805608 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00805761 NtAllocateVirtualMemory, |
0_2_00805761 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00401470 |
0_2_00401470 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_0080561F |
0_2_0080561F |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_008080B4 |
0_2_008080B4 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00805985 |
0_2_00805985 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_008022A2 |
0_2_008022A2 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00805AB8 |
0_2_00805AB8 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00805AE6 |
0_2_00805AE6 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00805A62 |
0_2_00805A62 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00805608 |
0_2_00805608 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00808F74 |
0_2_00808F74 |
Source: sVNHE4jjOw.exe |
Static PE information: invalid certificate |
Source: sVNHE4jjOw.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: sVNHE4jjOw.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: sVNHE4jjOw.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: sVNHE4jjOw.exe, 00000000.00000002.747307091.0000000000438000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameDragt1.exe vs sVNHE4jjOw.exe |
Source: sVNHE4jjOw.exe |
Binary or memory string: OriginalFilenameDragt1.exe vs sVNHE4jjOw.exe |
Source: classification engine |
Classification label: mal64.evad.winEXE@1/0@0/0 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
File created: C:\Users\user\AppData\Local\Temp\~DFB3D8909A7274E24A.TMP |
Source: sVNHE4jjOw.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: sVNHE4jjOw.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00404960 push es; ret |
0_2_00404965 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00611774 push edx; ret |
0_2_006117A1 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00613063 push edx; ret |
0_2_00613091 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00611863 push edx; ret |
0_2_00611891 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00614863 push edx; ret |
0_2_00614891 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00616065 push edx; ret |
0_2_00616091 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00610068 push edx; ret |
0_2_00610091 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00616875 push edx; ret |
0_2_006168A1 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00612074 push edx; ret |
0_2_006120A1 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00613874 push edx; ret |
0_2_006138A1 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00615074 push edx; ret |
0_2_006150A1 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00610878 push edx; ret |
0_2_006108A1 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00610843 push edx; ret |
0_2_00610871 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00612043 push edx; ret |
0_2_00612071 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00613843 push edx; ret |
0_2_00613871 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00615043 push edx; ret |
0_2_00615071 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00616844 push edx; ret |
0_2_00616871 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00611054 push edx; ret |
0_2_00611081 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00612854 push edx; ret |
0_2_00612881 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00614054 push edx; ret |
0_2_00614081 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00615854 push edx; ret |
0_2_00615881 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00617054 push edx; ret |
0_2_00617081 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00611023 push edx; ret |
0_2_00611051 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00612823 push edx; ret |
0_2_00612851 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00614023 push edx; ret |
0_2_00614051 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00615825 push edx; ret |
0_2_00615851 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00617024 push edx; ret |
0_2_00617051 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00614833 push edx; ret |
0_2_00614861 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00613033 push edx; ret |
0_2_00613061 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00611833 push edx; ret |
0_2_00611861 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00616034 push edx; ret |
0_2_00616061 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
RDTSC instruction interceptor: First address: 0000000000807129 second address: 0000000000807129 instructions: |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
RDTSC instruction interceptor: First address: 00000000008092E8 second address: 00000000008092E8 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp edx, dword ptr [ebp+44h] 0x0000000e jne 00007F282C8B58F9h 0x00000010 sub edx, 04h 0x00000013 xor dword ptr [edx], ecx 0x00000015 pushad 0x00000016 lfence 0x00000019 rdtsc |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_008080B4 rdtsc |
0_2_008080B4 |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_008080B4 mov eax, dword ptr fs:[00000030h] |
0_2_008080B4 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_0080527E mov eax, dword ptr fs:[00000030h] |
0_2_0080527E |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_008074A3 mov eax, dword ptr fs:[00000030h] |
0_2_008074A3 |
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe |
Code function: 0_2_00806F30 mov eax, dword ptr fs:[00000030h] |
0_2_00806F30 |
Source: sVNHE4jjOw.exe, 00000000.00000002.748249870.0000000000EA0000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: sVNHE4jjOw.exe, 00000000.00000002.748249870.0000000000EA0000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: sVNHE4jjOw.exe, 00000000.00000002.748249870.0000000000EA0000.00000002.00000001.sdmp |
Binary or memory string: SProgram Managerl |
Source: sVNHE4jjOw.exe, 00000000.00000002.748249870.0000000000EA0000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd, |
Source: sVNHE4jjOw.exe, 00000000.00000002.748249870.0000000000EA0000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |