Source: 00000000.00000002.1188260352.0000000002180000.00000040.00000001.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downlo_"} |
Source: REVGKXx6Ns.exe |
Virustotal: Detection: 62% |
Source: REVGKXx6Ns.exe |
Metadefender: Detection: 34% |
Source: REVGKXx6Ns.exe |
ReversingLabs: Detection: 71% |
Source: REVGKXx6Ns.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor |
URLs: https://drive.google.com/uc?export=downlo_ |
Source: REVGKXx6Ns.exe |
String found in binary or memory: http://topqualityfreeware.com |
Source: REVGKXx6Ns.exe |
String found in binary or memory: http://www.topqualityfreeware.com/ |
Source: REVGKXx6Ns.exe, 00000000.00000002.1187905826.0000000000426000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameObumbration1.exe vs REVGKXx6Ns.exe |
Source: REVGKXx6Ns.exe |
Binary or memory string: OriginalFilenameObumbration1.exe vs REVGKXx6Ns.exe |
Source: REVGKXx6Ns.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_004090A6 |
0_2_004090A6 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_02196B59 |
0_2_02196B59 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_0218E22D |
0_2_0218E22D |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_02189E78 |
0_2_02189E78 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_021892A8 |
0_2_021892A8 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_02189AAB |
0_2_02189AAB |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_0218AED8 |
0_2_0218AED8 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_0218AADB |
0_2_0218AADB |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_02194AF5 |
0_2_02194AF5 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_02189314 |
0_2_02189314 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_02180B33 |
0_2_02180B33 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_0218A320 |
0_2_0218A320 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_0218A75D |
0_2_0218A75D |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_0218A364 |
0_2_0218A364 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_02189FAC |
0_2_02189FAC |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_02189BD3 |
0_2_02189BD3 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_02189836 |
0_2_02189836 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_0218AC2E |
0_2_0218AC2E |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_02189858 |
0_2_02189858 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_0218B044 |
0_2_0218B044 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_0218A878 |
0_2_0218A878 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_0218D4B3 |
0_2_0218D4B3 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_0218A4CC |
0_2_0218A4CC |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_0218A0EF |
0_2_0218A0EF |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_02192D07 |
0_2_02192D07 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_02189950 |
0_2_02189950 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_02189D50 |
0_2_02189D50 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_0218AD6F |
0_2_0218AD6F |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_0218B186 |
0_2_0218B186 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_0218A9B7 |
0_2_0218A9B7 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Process Stats: CPU usage > 98% |
Source: REVGKXx6Ns.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
File created: C:\Users\user\AppData\Local\Temp\~DF6497174BCC55AD21.TMP |
Source: classification engine |
Classification label: mal76.troj.evad.winEXE@1/1@0/0 |
Source: Yara match |
File source: 00000000.00000002.1188260352.0000000002180000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_00404401 pushfd ; retf |
0_2_0040441E |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_00403826 push es; ret |
0_2_00403828 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_004044E5 pushfd ; retf |
0_2_004044E6 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_00404584 pushfd ; retf |
0_2_00404596 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_00404599 pushfd ; retf |
0_2_004045AA |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_004051BE push dword ptr [esi]; iretd |
0_2_004051C5 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_0040665D pushfd ; retf |
0_2_0040665E |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_00404279 pushfd ; retf |
0_2_0040427A |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_004062C1 pushfd ; retf |
0_2_004062C2 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_004072E1 pushfd ; retf |
0_2_0040730E |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_004096FC push eax; iretd |
0_2_004096FF |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_00404349 pushfd ; retf |
0_2_0040434A |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_00404335 pushfd ; retf |
0_2_00404346 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_0040633D pushfd ; retf |
0_2_0040634A |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_004067DE pushfd ; retf |
0_2_004067E6 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_0040A784 push 18165C0Eh; iretd |
0_2_0040A789 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_0218423B push 81528D88h; ret |
0_2_02184240 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_02182644 push ss; retf |
0_2_02182645 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_02186E73 push E8000002h; retf |
0_2_02186E78 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_02185ECB push edi; ret |
0_2_02185EC2 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_02180EF4 push eax; retf |
0_2_02180F07 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_02185C22 push edi; ret |
0_2_02185EC2 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_02181447 push ds; ret |
0_2_02181449 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_021848A7 pushfd ; ret |
0_2_02184A0D |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_0218191A push ebx; retf |
0_2_02181920 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_0218491D pushfd ; ret |
0_2_02184A0D |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_02184924 pushfd ; ret |
0_2_02184A0D |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_02185DDC push edi; ret |
0_2_02185EC2 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_02185DC1 push edi; ret |
0_2_02185EC2 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Process information set: NOOPENFILEERRORBOX |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_0218CAA8 rdtsc |
0_2_0218CAA8 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_0218C664 mov eax, dword ptr fs:[00000030h] |
0_2_0218C664 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_021932C9 mov eax, dword ptr fs:[00000030h] |
0_2_021932C9 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_02188730 mov eax, dword ptr fs:[00000030h] |
0_2_02188730 |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_0219286B mov eax, dword ptr fs:[00000030h] |
0_2_0219286B |
Source: C:\Users\user\Desktop\REVGKXx6Ns.exe |
Code function: 0_2_02196B59 RtlAddVectoredExceptionHandler, |
0_2_02196B59 |
Source: REVGKXx6Ns.exe, 00000000.00000002.1188147366.0000000000CD0000.00000002.00020000.sdmp |
Binary or memory string: Program Manager |
Source: REVGKXx6Ns.exe, 00000000.00000002.1188147366.0000000000CD0000.00000002.00020000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: REVGKXx6Ns.exe, 00000000.00000002.1188147366.0000000000CD0000.00000002.00020000.sdmp |
Binary or memory string: Progman |
Source: REVGKXx6Ns.exe, 00000000.00000002.1188147366.0000000000CD0000.00000002.00020000.sdmp |
Binary or memory string: Progmanlock |