Source: q3oUuJIXkc.exe | Virustotal: Detection: 15% |
Source: q3oUuJIXkc.exe | ReversingLabs: Detection: 35% |
Source: http://85.209.135.109/jg94cVd30f/index.php?scr=1 | Avira URL Cloud: Label: malware |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | ReversingLabs: Detection: 35% |
Source: 12.2.gntuud.exe.1280000.0.unpack | Malware Configuration Extractor: Amadey {"C2 url": "85.209.135.109/jg94cVd30f/index.php", "Version": "3.50"} |
Source: q3oUuJIXkc.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: q3oUuJIXkc.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: | Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: q3oUuJIXkc.exe, gntuud.exe.0.dr |
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 192.168.2.4 80 |
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 85.209.135.109 80 |
Source: Malware configuration extractor | URLs: 85.209.135.109/jg94cVd30f/index.php |
Source: gntuud.exe, 00000001.00000003.350729543.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 00000001.00000003.350805710.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://85.209.135.109/jg94cVd30f/index.php |
Source: gntuud.exe, 00000001.00000003.350805710.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://85.209.135.109/jg94cVd30f/index.php0 |
Source: gntuud.exe, 00000001.00000003.350805710.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://85.209.135.109/jg94cVd30f/index.php58e5d3 |
Source: gntuud.exe, 00000001.00000003.350729543.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://85.209.135.109/jg94cVd30f/index.php?scr=1 |
Source: gntuud.exe, 00000001.00000003.350729543.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://85.209.135.109/jg94cVd30f/index.phpF |
Source: gntuud.exe, 00000001.00000003.350729543.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://85.209.135.109/jg94cVd30f/index.phpR |
Source: gntuud.exe, 00000001.00000003.350729543.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://85.209.135.109/jg94cVd30f/index.phpb |
Source: gntuud.exe, 00000001.00000003.350805710.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://85.209.135.109/jg94cVd30f/index.phpd3 |
Source: gntuud.exe, 00000001.00000003.350729543.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://85.209.135.109/jg94cVd30f/index.phpj |
Source: gntuud.exe, 00000001.00000003.350729543.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://85.209.135.109/jg94cVd30f/index.phpv |
Source: gntuud.exe, 00000001.00000003.350729543.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://85.209.135.109/jg94cVd30f/index.phpz |
Source: q3oUuJIXkc.exe, gntuud.exe.0.dr, cred64[1].dll.1.dr, cred64.dll.1.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t |
Source: q3oUuJIXkc.exe, gntuud.exe.0.dr, cred64[1].dll.1.dr, cred64.dll.1.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# |
Source: q3oUuJIXkc.exe, gntuud.exe.0.dr, cred64[1].dll.1.dr, cred64.dll.1.dr | String found in binary or memory: http://ocsp.sectigo.com0 |
Source: q3oUuJIXkc.exe, gntuud.exe.0.dr, cred64[1].dll.1.dr, cred64.dll.1.dr | String found in binary or memory: https://sectigo.com/CPS0 |
Source: q3oUuJIXkc.exe, 00000000.00000002.324348201.000000000136A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
Source: q3oUuJIXkc.exe | Static PE information: section name: lB@dO\ih |
Source: q3oUuJIXkc.exe | Static PE information: section name: Fh?jG[OJ |
Source: q3oUuJIXkc.exe | Static PE information: section name: qNR5:WbS |
Source: q3oUuJIXkc.exe | Static PE information: section name: z?fd8ijJ |
Source: q3oUuJIXkc.exe | Static PE information: section name: CV?7x>JO |
Source: q3oUuJIXkc.exe | Static PE information: section name: dT<:EHzj |
Source: q3oUuJIXkc.exe | Static PE information: section name: @]topACL |
Source: gntuud.exe.0.dr | Static PE information: section name: lB@dO\ih |
Source: gntuud.exe.0.dr | Static PE information: section name: Fh?jG[OJ |
Source: gntuud.exe.0.dr | Static PE information: section name: qNR5:WbS |
Source: gntuud.exe.0.dr | Static PE information: section name: z?fd8ijJ |
Source: gntuud.exe.0.dr | Static PE information: section name: CV?7x>JO |
Source: gntuud.exe.0.dr | Static PE information: section name: dT<:EHzj |
Source: gntuud.exe.0.dr | Static PE information: section name: @]topACL |
Source: cred64[1].dll.1.dr | Static PE information: section name: f5g\gWe7 |
Source: cred64[1].dll.1.dr | Static PE information: section name: zDthL)*@ |
Source: cred64[1].dll.1.dr | Static PE information: section name: nb"h!m#Y |
Source: cred64[1].dll.1.dr | Static PE information: section name: $^+<%+dU |
Source: cred64[1].dll.1.dr | Static PE information: section name: Z-),j99t |
Source: cred64[1].dll.1.dr | Static PE information: section name: 8"ikKHD[ |
Source: cred64[1].dll.1.dr | Static PE information: section name: k&l<0?<6 |
Source: cred64[1].dll.1.dr | Static PE information: section name: n[uZh3ex |
Source: cred64[1].dll.1.dr | Static PE information: section name: Uh%r6i!H |
Source: cred64.dll.1.dr | Static PE information: section name: f5g\gWe7 |
Source: cred64.dll.1.dr | Static PE information: section name: zDthL)*@ |
Source: cred64.dll.1.dr | Static PE information: section name: nb"h!m#Y |
Source: cred64.dll.1.dr | Static PE information: section name: $^+<%+dU |
Source: cred64.dll.1.dr | Static PE information: section name: Z-),j99t |
Source: cred64.dll.1.dr | Static PE information: section name: 8"ikKHD[ |
Source: cred64.dll.1.dr | Static PE information: section name: k&l<0?<6 |
Source: cred64.dll.1.dr | Static PE information: section name: n[uZh3ex |
Source: cred64.dll.1.dr | Static PE information: section name: Uh%r6i!H |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process Stats: CPU usage > 98% |
Source: q3oUuJIXkc.exe, 00000000.00000003.307486785.00000000012DC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDuetDisp.exe: vs q3oUuJIXkc.exe |
Source: q3oUuJIXkc.exe, 00000000.00000002.324049922.0000000000B85000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameDuetDisp.exe: vs q3oUuJIXkc.exe |
Source: q3oUuJIXkc.exe, 00000000.00000000.297381574.0000000000B85000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameDuetDisp.exe: vs q3oUuJIXkc.exe |
Source: q3oUuJIXkc.exe | Binary or memory string: OriginalFilenameDuetDisp.exe: vs q3oUuJIXkc.exe |
Source: q3oUuJIXkc.exe | Static PE information: invalid certificate |
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cred64[1].dll 8C46C2AF1CB25BFA8FBBF9D683D72D30DDB2E5D0ECC6BBA997B24714CF2B8C91 |
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe 682ABD62B6E3C0E8CA57F079CD96F2D3848752EAF7002BDF57BFB512BD242811 |
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe | File read: C:\Users\user\Desktop\q3oUuJIXkc.exe |
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown | Process created: C:\Users\user\Desktop\q3oUuJIXkc.exe C:\Users\user\Desktop\q3oUuJIXkc.exe |
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe | Process created: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" /F |
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y|CACLS "..\03bd543fce" /P "user:N"&&CACLS "..\03bd543fce" /P "user:R" /E&&Exit |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y" |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:N" |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:R" /E |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y" |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\03bd543fce" /P "user:N" |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\03bd543fce" /P "user:R" /E |
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main |
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | File created: C:\Users\user\AppData\Roaming\c33e9ad058e5d3 |
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe | File created: C:\Users\user\AppData\Local\Temp\03bd543fce |
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@24/9@0/2 |
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe | File read: C:\Users\user\Desktop\desktop.ini |
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5164:120:WilError_01 |
Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\118b2709b7d16171ccdcf59ab82ccd18 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1592:120:WilError_01 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Mutant created: \Sessions\1\BaseNamedObjects\c33e9ad058e5d380869687d885c0668c |
Source: q3oUuJIXkc.exe | Static file information: File size 7732440 > 1048576 |
Source: q3oUuJIXkc.exe | Static PE information: Raw size of EVjKc_MI is bigger than: 0x100000 < 0x6f7800 |
Source: q3oUuJIXkc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: q3oUuJIXkc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: q3oUuJIXkc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: q3oUuJIXkc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: q3oUuJIXkc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: q3oUuJIXkc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_3_04F5861C pushad ; ret |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_3_04F5460E push eax; ret |
Source: q3oUuJIXkc.exe | Static PE information: section name: EVjKc_MI |
Source: gntuud.exe.0.dr | Static PE information: section name: EVjKc_MI |
Source: initial sample | Static PE information: section where entry point is pointing to: EVjKc_MI |
Source: Yara match | File source: 00000001.00000003.350752206.0000000000EAD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: gntuud.exe PID: 5280, type: MEMORYSTR |
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe | File created: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cred64[1].dll |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | File created: C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup |
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe | Memory written: PID: 1780 base: 1150005 value: E9 FB 99 C1 76 |
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe | Memory written: PID: 1780 base: 77D69A00 value: E9 0A 66 3E 89 |
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe | Memory written: PID: 1780 base: 1170007 value: E9 7B 4C C3 76 |
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe | Memory written: PID: 1780 base: 77DA4C80 value: E9 8E B3 3C 89 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Memory written: PID: 5280 base: CB0005 value: E9 FB 99 0B 77 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Memory written: PID: 5280 base: 77D69A00 value: E9 0A 66 F4 88 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Memory written: PID: 5280 base: CC0007 value: E9 7B 4C 0E 77 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Memory written: PID: 5280 base: 77DA4C80 value: E9 8E B3 F1 88 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Memory written: PID: 2468 base: 1230005 value: E9 FB 99 B3 76 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Memory written: PID: 2468 base: 77D69A00 value: E9 0A 66 4C 89 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Memory written: PID: 2468 base: 1240007 value: E9 7B 4C B6 76 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Memory written: PID: 2468 base: 77DA4C80 value: E9 8E B3 49 89 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4828 base: 9A0005 value: E9 FB 99 3C 77 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4828 base: 77D69A00 value: E9 0A 66 C3 88 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4828 base: 9B0007 value: E9 7B 4C 3F 77 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4828 base: 77DA4C80 value: E9 8E B3 C0 88 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4828 base: 9C0005 value: E9 FB BF 37 77 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4828 base: 77D3C000 value: E9 0A 40 C8 88 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4828 base: 9E0008 value: E9 AB E0 39 77 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4828 base: 77D7E0B0 value: E9 60 1F C6 88 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4828 base: D00005 value: E9 CB 5A 8D 76 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4828 base: 775D5AD0 value: E9 3A A5 72 89 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4828 base: D10005 value: E9 5B B0 8E 76 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4828 base: 775FB060 value: E9 AA 4F 71 89 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4828 base: D20005 value: E9 DB F8 E0 73 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4828 base: 74B2F8E0 value: E9 2A 07 1F 8C |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4828 base: 4EB0005 value: E9 FB 42 CA 6F |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4828 base: 74B54300 value: E9 0A BD 35 90 |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4828 base: 77D3C000 value: 8B FF 55 8B EC |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4828 base: 775D5AD0 value: 8B FF 55 8B EC |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4828 base: 775FB060 value: 8B FF 55 8B EC |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4828 base: 74B2F8E0 value: 8B FF 55 8B EC |
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4828 base: 74B54300 value: 8B FF 55 8B EC |
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe | Special instruction interceptor: First address: 00000000006B25FE instructions rdtsc caused by: RDTSC with Trap Flag (TF) |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Special instruction interceptor: First address: 00000000018C25FE instructions rdtsc caused by: RDTSC with Trap Flag (TF) |
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe | RDTSC instruction interceptor: First address: 00000000006B25FE second address: 00000000006D33CF instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 call 00007F02DCAB0BC1h 0x00000008 call 00007F02DCA4F441h 0x0000000d mov dword ptr [esp+04h], 7A546ADEh 0x00000015 lea esp, dword ptr [esp+04h] 0x00000019 call 00007F02DCC022DAh 0x0000001e push edx 0x0000001f push eax 0x00000020 cmovnl eax, ebp 0x00000023 push ebp 0x00000024 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | RDTSC instruction interceptor: First address: 00000000018C25FE second address: 00000000018E33CF instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 call 00007F02DCDA5551h 0x00000008 call 00007F02DCD43DD1h 0x0000000d mov dword ptr [esp+04h], 7A546ADEh 0x00000015 lea esp, dword ptr [esp+04h] 0x00000019 call 00007F02DCEF6C6Ah 0x0000001e push edx 0x0000001f push eax 0x00000020 cmovnl eax, ebp 0x00000023 push ebp 0x00000024 rdtsc |
Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 0000000004CED526 second address: 0000000004CED559 instructions: 0x00000000 rdtsc 0x00000002 movsx dx, bh 0x00000006 dec cl 0x00000008 or edx, ecx 0x0000000a bts edx, ecx 0x0000000d xchg dh, dh 0x0000000f not cl 0x00000011 cbw 0x00000013 neg cl 0x00000015 bsf eax, eax 0x00000018 mov eax, 78B605B0h 0x0000001d or ah, FFFFFF9Eh 0x00000020 add cl, FFFFFF94h 0x00000023 xor bl, cl 0x00000025 or dh, dl 0x00000027 push ebp 0x00000028 inc ebp 0x00000029 cdq 0x0000002a cwd 0x0000002c push esi 0x0000002d push ebx 0x0000002e xor bp, di 0x00000031 cwd 0x00000033 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 5372 | Thread sleep time: -870000s >= -30000s |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 3176 | Thread sleep time: -50000s >= -30000s |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 3312 | Thread sleep time: -180000s >= -30000s |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 4992 | Thread sleep time: -1440000s >= -30000s |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 3312 | Thread sleep time: -180000s >= -30000s |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe TID: 5372 | Thread sleep time: -30000s >= -30000s |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\cred64[1].dll |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Thread delayed: delay time: 180000 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Thread delayed: delay time: 360000 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Thread delayed: delay time: 180000 |
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe | Process information queried: ProcessInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Thread delayed: delay time: 30000 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Thread delayed: delay time: 50000 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Thread delayed: delay time: 180000 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Thread delayed: delay time: 360000 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Thread delayed: delay time: 180000 |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Thread delayed: delay time: 30000 |
Source: C:\Windows\SysWOW64\rundll32.exe | System information queried: ModuleInformation |
Source: gntuud.exe, 00000001.00000003.350805710.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW |
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe | Thread information set: HideFromDebugger |
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe | Thread information set: HideFromDebugger |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Thread information set: HideFromDebugger |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Thread information set: HideFromDebugger |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Thread information set: HideFromDebugger |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Thread information set: HideFromDebugger |
Source: C:\Windows\SysWOW64\rundll32.exe | Thread information set: HideFromDebugger |
Source: C:\Windows\SysWOW64\rundll32.exe | Thread information set: HideFromDebugger |
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe | Process queried: DebugPort |
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe | Process queried: DebugObjectHandle |
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe | Process queried: DebugObjectHandle |
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe | Process queried: DebugObjectHandle |
Source: C:\Users\user\Desktop\q3oUuJIXkc.exe | Process queried: DebugPort |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process queried: DebugPort |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process queried: DebugObjectHandle |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process queried: DebugObjectHandle |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process queried: DebugObjectHandle |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process queried: DebugPort |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process queried: DebugPort |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process queried: DebugObjectHandle |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process queried: DebugObjectHandle |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process queried: DebugObjectHandle |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Process queried: DebugPort |
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort |
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugObjectHandle |
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugObjectHandle |
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugObjectHandle |
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe | Queries volume information: C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll VolumeInformation |
Source: Yara match | File source: 12.2.gntuud.exe.1280000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.q3oUuJIXkc.exe.70000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000002.315315946.0000000000071000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000C.00000002.379083563.0000000001281000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.350752206.0000000000EAD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: gntuud.exe PID: 5280, type: MEMORYSTR |
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook |
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions |
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml |
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml |