Click to jump to signature section
Source: Order_002376662-579588_Date 24082022.exe | Metadefender: Detection: 27% | Perma Link |
Source: Order_002376662-579588_Date 24082022.exe | ReversingLabs: Detection: 65% |
Source: Order_002376662-579588_Date 24082022.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
Source: Order_002376662-579588_Date 24082022.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: | Binary string: D:\SourceCode\GC3.GPUPowerSaving\production_V4.2.12.3\Service\ConfigEditorCS\obj\Release\GPUPowerSavingConfigEditor.pdb source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Code function: 2_2_00405861 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Code function: 2_2_0040639C FindFirstFileA,FindClose, |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Code function: 2_2_004026F8 FindFirstFileA, |
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 |
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0 |
Source: Order_002376662-579588_Date 24082022.exe | String found in binary or memory: http://crl.certum.pl/ctnca.crl0k |
Source: Order_002376662-579588_Date 24082022.exe | String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l |
Source: Order_002376662-579588_Date 24082022.exe | String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o |
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr | String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0 |
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b |
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr | String found in binary or memory: http://crl.globalsign.com/root.crl0G |
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P |
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02 |
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0: |
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0 |
Source: Order_002376662-579588_Date 24082022.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error |
Source: Order_002376662-579588_Date 24082022.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError |
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr | String found in binary or memory: http://ocsp.digicert.com0C |
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr | String found in binary or memory: http://ocsp.digicert.com0O |
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr | String found in binary or memory: http://ocsp.globalsign.com/rootr103 |
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr | String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U |
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306 |
Source: Order_002376662-579588_Date 24082022.exe | String found in binary or memory: http://repository.certum.pl/ctnca.cer09 |
Source: Order_002376662-579588_Date 24082022.exe | String found in binary or memory: http://repository.certum.pl/ctnca2.cer09 |
Source: Order_002376662-579588_Date 24082022.exe | String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0 |
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0 |
Source: Order_002376662-579588_Date 24082022.exe | String found in binary or memory: http://subca.ocsp-certum.com01 |
Source: Order_002376662-579588_Date 24082022.exe | String found in binary or memory: http://subca.ocsp-certum.com02 |
Source: Order_002376662-579588_Date 24082022.exe | String found in binary or memory: http://subca.ocsp-certum.com05 |
Source: Order_002376662-579588_Date 24082022.exe | String found in binary or memory: http://www.certum.pl/CPS0 |
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr | String found in binary or memory: http://www.digicert.com/CPS0 |
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr | String found in binary or memory: https://www.digicert.com/CPS0 |
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr | String found in binary or memory: https://www.globalsign.com/repository/0 |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Code function: 2_2_004052FE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, |
Source: Order_002376662-579588_Date 24082022.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
Source: GPUPowerSavingConfigEditor.dll.2.dr | Static PE information: No import functions for PE file found |
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameGPUPowerSavingConfigEditor.dll< vs Order_002376662-579588_Date 24082022.exe |
Source: Order_002376662-579588_Date 24082022.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: Order_002376662-579588_Date 24082022.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Code function: 2_2_0040330D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Code function: 2_2_00406725 |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Code function: 2_2_00404B3D |
Source: Order_002376662-579588_Date 24082022.exe | Static PE information: invalid certificate |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Process Stats: CPU usage > 98% |
Source: Order_002376662-579588_Date 24082022.exe | Metadefender: Detection: 27% |
Source: Order_002376662-579588_Date 24082022.exe | ReversingLabs: Detection: 65% |
Source: Order_002376662-579588_Date 24082022.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Code function: 2_2_0040330D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, |
Source: classification engine | Classification label: mal64.troj.evad.winEXE@1/7@0/0 |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Code function: 2_2_004020CB CoCreateInstance,MultiByteToWideChar, |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Code function: 2_2_004045CA GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, |
Source: Order_002376662-579588_Date 24082022.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: | Binary string: D:\SourceCode\GC3.GPUPowerSaving\production_V4.2.12.3\Service\ConfigEditorCS\obj\Release\GPUPowerSavingConfigEditor.pdb source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr |
Source: Yara match | File source: 00000002.00000002.829249266.00000000030C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Code function: 2_2_10002D20 push eax; ret |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Code function: 2_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\GPUPowerSavingConfigEditor.dll | Jump to dropped file |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | File created: C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll | Jump to dropped file |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens | Jump to behavior |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne | Jump to behavior |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Noneffervescently.Cre | Jump to behavior |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Kalligraferendes | Jump to behavior |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Kalligraferendes\Quantisers | Jump to behavior |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Kalligraferendes\Quantisers\Aqua_20.bmp | Jump to behavior |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Forhaanet.Nab | Jump to behavior |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph | Jump to behavior |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy | Jump to behavior |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers | Jump to behavior |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\GPUPowerSavingConfigEditor.dll | Jump to behavior |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\face-cool.png | Jump to behavior |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne | Jump to behavior |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79 | Jump to behavior |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79\iso_3166-1.json | Jump to behavior |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | RDTSC instruction interceptor: First address: 00000000030C2A2F second address: 00000000030C2A2F instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007EFC0CCA9B97h 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 test dx, dx 0x0000000b rdtsc |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Code function: 2_2_00405861 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Code function: 2_2_0040639C FindFirstFileA,FindClose, |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Code function: 2_2_004026F8 FindFirstFileA, |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | API call chain: ExitProcess graph end node |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | API call chain: ExitProcess graph end node |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Code function: 2_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, |
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Code function: 2_2_0040330D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, |