Source: 00000000.00000002.868117942.0000000002420000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1_XiRU-Ribfen&"} |
Source: PO#578946.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_024268DE NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_024268DE |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02424A49 |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_0242A250 |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02424625 |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02424633 |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02426236 |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02425234 |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02423E3A |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_024232CA |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02422ED7 |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02424AF4 |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02429E9A |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02424EB4 |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02428764 |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02429F6E |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02422F7C |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02424F17 |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02424723 |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02424F28 |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_024217CC |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02424FE4 |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_024233FF |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02422B82 |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02421785 |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_0242538A |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02424B8B |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02424790 |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02422BB8 |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02422C53 |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_0242A060 |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02428400 |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_024248CE |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02424C8D |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_0242A499 |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02422CB1 |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_0242414E |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02424D60 |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_0242316F |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02429D6D |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02425118 |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02423534 |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02423DC1 |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_0242A1E2 |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02422DE0 |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_024245FC |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_0242318A |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02424190 |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02429DA0 |
Source: PO#578946.exe, 00000000.00000000.335853401.0000000000418000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameUnderno3.exe vs PO#578946.exe |
Source: PO#578946.exe, 00000000.00000002.868019534.00000000022D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs PO#578946.exe |
Source: PO#578946.exe | Binary or memory string: OriginalFilenameUnderno3.exe vs PO#578946.exe |
Source: C:\Users\user\Desktop\PO#578946.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_00408EF8 pushad ; ret |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_0040953E push eax; iretd |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02426E62 pushad ; retf |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02420AF1 push esp; retf |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02420B18 push esp; retf |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02426F1E pushad ; retf |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02427BF7 push esp; ret |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_0242784E pushad ; retf |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02427866 pushad ; retf |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02426DC4 pushad ; retf |
Source: C:\Users\user\Desktop\PO#578946.exe | RDTSC instruction interceptor: First address: 000000000242034B second address: 000000000242034B instructions: |
Source: C:\Users\user\Desktop\PO#578946.exe | RDTSC instruction interceptor: First address: 0000000002426191 second address: 0000000002426191 instructions: 0x00000000 rdtsc 0x00000002 mov eax, CFC9D9CCh 0x00000007 xor eax, E7B8D616h 0x0000000c xor eax, B003C39Fh 0x00000011 xor eax, 9872CC44h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007FEE848CB84Ah 0x0000001e lfence 0x00000021 mov edx, 324626BAh 0x00000026 xor edx, 8E47B5F1h 0x0000002c xor edx, CD58843Fh 0x00000032 xor edx, 0EA71760h 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d ret 0x0000003e sub edx, esi 0x00000040 ret 0x00000041 pop ecx 0x00000042 cmp cx, dx 0x00000045 add edi, edx 0x00000047 dec ecx 0x00000048 mov dword ptr [ebp+000001B1h], ecx 0x0000004e mov ecx, 1C5A7D24h 0x00000053 xor ecx, 8E853080h 0x00000059 cmp cx, cx 0x0000005c xor ecx, 6F6EDF25h 0x00000062 test ax, dx 0x00000065 sub ecx, FDB19281h 0x0000006b cmp dword ptr [ebp+000001B1h], ecx 0x00000071 mov ecx, dword ptr [ebp+000001B1h] 0x00000077 jne 00007FEE848CB7F4h 0x00000079 cmp edx, eax 0x0000007b mov dword ptr [ebp+00000221h], eax 0x00000081 mov eax, ecx 0x00000083 push eax 0x00000084 mov eax, dword ptr [ebp+00000221h] 0x0000008a call 00007FEE848CB910h 0x0000008f call 00007FEE848CB86Bh 0x00000094 lfence 0x00000097 mov edx, 324626BAh 0x0000009c xor edx, 8E47B5F1h 0x000000a2 xor edx, CD58843Fh 0x000000a8 xor edx, 0EA71760h 0x000000ae mov edx, dword ptr [edx] 0x000000b0 lfence 0x000000b3 ret 0x000000b4 mov esi, edx 0x000000b6 pushad 0x000000b7 rdtsc |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02425FBD mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02428C43 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_0242914F mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_0242316F mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02429D6D mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\PO#578946.exe | Code function: 0_2_02423DC1 mov eax, dword ptr fs:[00000030h] |
Source: PO#578946.exe, 00000000.00000002.867875316.0000000000DA0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd |
Source: PO#578946.exe, 00000000.00000002.867875316.0000000000DA0000.00000002.00000001.sdmp | Binary or memory string: Progman |
Source: PO#578946.exe, 00000000.00000002.867875316.0000000000DA0000.00000002.00000001.sdmp | Binary or memory string: &Program Manager |
Source: PO#578946.exe, 00000000.00000002.867875316.0000000000DA0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock |