Windows Analysis Report F63V4i8eZU

Overview

General Information

Sample Name: F63V4i8eZU (renamed file extension from none to exe)
Analysis ID: 450884
MD5: 08730cdd286a4c9d46b38bb6545ac311
SHA1: 001bb7b5b8d63e505661d7e4a178d08abe6bbad7
SHA256: cb2a2537987e45c8461d40a0ec6c24215920519257134db91dd1369ff5abf342
Tags: 32exe

Detection

GuLoader
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Potentially malicious time measurement code found
Tries to detect virtualization through RDTSC time measurements
Abnormally high CPU usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Detected potential crypto function
PE / OLE file has an invalid certificate
PE file contains strange resources
Program does not show much activity (idle)
Sample file name differs from the original file name in its version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: F63V4i8eZU.exe Malware Configuration Extractor: GuLoader {"Payload URL": "https://kinmirai.org/wp-content/bin_QVwo"}
Multi AV Scanner detection for submitted file
Source: F63V4i8eZU.exe Virustotal: Detection: 10%

Compliance:

Uses 32bit PE files
Source: F63V4i8eZU.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ISOL.pdb source: F63V4i8eZU.exe

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://kinmirai.org/wp-content/bin_QVwo
Source: F63V4i8eZU.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: F63V4i8eZU.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: F63V4i8eZU.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: F63V4i8eZU.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: F63V4i8eZU.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: F63V4i8eZU.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: F63V4i8eZU.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: F63V4i8eZU.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: F63V4i8eZU.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: F63V4i8eZU.exe String found in binary or memory: https://www.digicert.com/CPS0
Note: the DigiCert URLs above are the CRL, OCSP and CPS pointers from the certificate chain embedded in the file's Authenticode signature block (the one flagged as invalid under System Summary), not command-and-control; the stray trailing characters are the DER tag and length bytes that follow each URL in the certificate. The only network indicator that belongs to the loader is the payload URL from the extracted configuration.

System Summary:

Abnormally high CPU usage
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D55BB NtAllocateVirtualMemory, 0_2_021D55BB
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D5724 NtAllocateVirtualMemory, 0_2_021D5724
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D55F6 NtAllocateVirtualMemory, 0_2_021D55F6
Detected potential crypto function
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D55BB 0_2_021D55BB
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D423F 0_2_021D423F
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D8254 0_2_021D8254
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D5A46 0_2_021D5A46
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D4277 0_2_021D4277
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D4263 0_2_021D4263
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D5A84 0_2_021D5A84
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D22D5 0_2_021D22D5
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D2AD6 0_2_021D2AD6
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D2AFD 0_2_021D2AFD
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D5359 0_2_021D5359
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D33A7 0_2_021D33A7
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D33EC 0_2_021D33EC
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D1057 0_2_021D1057
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D5852 0_2_021D5852
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D78B2 0_2_021D78B2
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D48E8 0_2_021D48E8
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D28E2 0_2_021D28E2
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D513E 0_2_021D513E
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D8138 0_2_021D8138
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D4128 0_2_021D4128
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D3920 0_2_021D3920
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D19CC 0_2_021D19CC
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D0618 0_2_021D0618
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D2E2F 0_2_021D2E2F
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D9626 0_2_021D9626
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D8E7C 0_2_021D8E7C
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D968F 0_2_021D968F
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D8ED8 0_2_021D8ED8
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D7EFC 0_2_021D7EFC
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D46E4 0_2_021D46E4
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D8F40 0_2_021D8F40
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D1FD9 0_2_021D1FD9
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D7FF5 0_2_021D7FF5
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D2C5C 0_2_021D2C5C
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D045E 0_2_021D045E
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D3C4D 0_2_021D3C4D
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D2470 0_2_021D2470
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D7488 0_2_021D7488
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D348A 0_2_021D348A
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D7CA5 0_2_021D7CA5
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D84A6 0_2_021D84A6
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D84E9 0_2_021D84E9
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D34EA 0_2_021D34EA
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D3568 0_2_021D3568
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D0584 0_2_021D0584
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D8DB4 0_2_021D8DB4
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D35B0 0_2_021D35B0
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D2DA0 0_2_021D2DA0
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D25D4 0_2_021D25D4
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D55F6 0_2_021D55F6
PE / OLE file has an invalid certificate
Source: F63V4i8eZU.exe Static PE information: invalid certificate
PE file contains strange resources
Source: F63V4i8eZU.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: F63V4i8eZU.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: F63V4i8eZU.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file name differs from the original file name in its version info
Source: F63V4i8eZU.exe, 00000000.00000002.735395303.0000000000438000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameISOL.exe vs F63V4i8eZU.exe
Source: F63V4i8eZU.exe Binary or memory string: OriginalFilenameISOL.exe vs F63V4i8eZU.exe
Uses 32bit PE files
Source: F63V4i8eZU.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal88.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\F63V4i8eZU.exe File created: C:\Users\user\AppData\Local\Temp\~DF8AE4137E60421BDA.TMP
Source: F63V4i8eZU.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: F63V4i8eZU.exe Virustotal: Detection: 10%
Source: F63V4i8eZU.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ISOL.pdb source: F63V4i8eZU.exe

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_00406408 push es; ret 0_2_0040640F
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_00405D8C push es; ret 0_2_00405D8B
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_02071833 push edx; ret 0_2_02071861
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_02074205 push edx; ret 0_2_02074231
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_02072A05 push edx; ret 0_2_02072A31
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_02071205 push edx; ret 0_2_02071231
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_02075A03 push edx; ret 0_2_02075A31
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_02076214 push edx; ret 0_2_02076241
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_02074A13 push edx; ret 0_2_02074A41
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_02073213 push edx; ret 0_2_02073241
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_02071A13 push edx; ret 0_2_02071A41
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_02070218 push edx; ret 0_2_02070241
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_02075225 push edx; ret 0_2_02075251
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_02073A24 push edx; ret 0_2_02073A51
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_02072224 push edx; ret 0_2_02072251
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_02070A24 push edx; ret 0_2_02070A51
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_02076A24 push edx; ret 0_2_02076A51
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_02074233 push edx; ret 0_2_02074261
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_02072A33 push edx; ret 0_2_02072A61
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_02071233 push edx; ret 0_2_02071261
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_02075A33 push edx; ret 0_2_02075A61
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_02074A44 push edx; ret 0_2_02074A71
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_02073244 push edx; ret 0_2_02073271
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_02071A44 push edx; ret 0_2_02071A71
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_02076244 push edx; ret 0_2_02076271
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_02070248 push edx; ret 0_2_02070271
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_02073A54 push edx; ret 0_2_02073A81
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_02072254 push edx; ret 0_2_02072281
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_02076A54 push edx; ret 0_2_02076A81
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_02075253 push edx; ret 0_2_02075281
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_02070A58 push edx; ret 0_2_02070A81
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D423F 0_2_021D423F
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D5A46 0_2_021D5A46
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D4277 0_2_021D4277
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D4263 0_2_021D4263
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D5A84 0_2_021D5A84
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D2AD6 0_2_021D2AD6
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D2AFD 0_2_021D2AFD
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D33A7 0_2_021D33A7
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D5852 0_2_021D5852
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D78B2 0_2_021D78B2
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D28E2 0_2_021D28E2
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D513E 0_2_021D513E
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D4128 0_2_021D4128
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D3920 0_2_021D3920
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D7EFC 0_2_021D7EFC
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D46E4 0_2_021D46E4
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D1FD9 0_2_021D1FD9
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D045E 0_2_021D045E
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D3C4D 0_2_021D3C4D
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D2470 0_2_021D2470
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D7488 0_2_021D7488
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D7CA5 0_2_021D7CA5
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D8DB4 0_2_021D8DB4
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 00000000021D0182 second address: 00000000021D0182 instructions:
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 00000000021D6E61 second address: 00000000021D6E61 instructions:
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 00000000021D01B2 second address: 00000000021D01B2 instructions:
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 00000000021D78FC second address: 00000000021D790A instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a pushad 0x0000000b lfence 0x0000000e rdtsc
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 00000000021D0182 second address: 00000000021D0182 instructions:
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 00000000021D6E61 second address: 00000000021D6E61 instructions:
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 00000000021D01B2 second address: 00000000021D01B2 instructions:
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 00000000021D78FC second address: 00000000021D790A instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a pushad 0x0000000b lfence 0x0000000e rdtsc
Source: C:\Users\user\Desktop\F63V4i8eZU.exe RDTSC instruction interceptor: First address: 00000000021D790A second address: 00000000021D79F6 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov esi, DCAAA67Fh 0x00000010 test dl, dl 0x00000012 xor esi, F2CCAB26h 0x00000018 test edx, edx 0x0000001a sub esi, 536EBD65h 0x00000020 test bh, ch 0x00000022 xor esi, DAF7BFF4h 0x00000028 test ecx, ecx 0x0000002a test bx, cx 0x0000002d add esi, 00001000h 0x00000033 test bx, ax 0x00000036 cmp cl, dl 0x00000038 cmp bx, dx 0x0000003b mov dword ptr [ebp+000001F8h], FC14852Ch 0x00000045 test ebx, ecx 0x00000047 xor dword ptr [ebp+000001F8h], 83A94D75h 0x00000051 xor dword ptr [ebp+000001F8h], AA3F6E81h 0x0000005b cmp ah, 00000015h 0x0000005e sub dword ptr [ebp+000001F8h], D581B6D8h 0x00000068 cmp esi, dword ptr [ebp+000001F8h] 0x0000006e je 00007F8568CA0D1Ah 0x00000074 mov dword ptr [ebp+00000204h], 67BCF0E4h 0x0000007e xor dword ptr [ebp+00000204h], E457B680h 0x00000088 xor dword ptr [ebp+00000204h], E04C2F31h 0x00000092 xor dword ptr [ebp+00000204h], 1C589955h 0x0000009c cmp ch, dh 0x0000009e cmp esi, dword ptr [ebp+00000204h] 0x000000a4 je 00007F8568CA0CE4h 0x000000aa test cl, dl 0x000000ac mov dword ptr [ebp+00000246h], eax 0x000000b2 mov eax, 03147A97h 0x000000b7 cmp ecx, ecx 0x000000b9 xor eax, 4F08C75Bh 0x000000be cmp cl, al 0x000000c0 sub eax, 1A91E3C1h 0x000000c5 sub eax, 318ADA0Bh 0x000000ca push eax 0x000000cb mov eax, dword ptr [ebp+00000246h] 0x000000d1 cmp bh, ah 0x000000d3 push 25819736h 0x000000d8 sub dword ptr [esp], 3CB652F7h 0x000000df xor dword ptr [esp], 3AF83707h 0x000000e6 pushad 0x000000e7 mov ebx, 000000DBh 0x000000ec rdtsc
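The two interceptor listings above are the substantive part of this section. The first is the RDTSC; CPUID; RDTSC frame: under a hypervisor CPUID forces a VM exit, so the cycle delta between the two RDTSCs is far larger than on bare metal, which is what the sample measures. The second shows how the loader builds every constant through a chain of mov/xor/sub/add with immediates, padded with test/cmp filler that has no effect on the result. The script below is an added example; it is not part of the Joe Sandbox report, of the GuLoader sample, or of any tool the report names. It parses the report's flattened listing format (assumed from the two entries above), folds each chain to its final 32-bit value, applies push-then-arithmetic-on-[esp] to the stack, reports which resolved values are compared, and flags the timing probe. It tracks immediate data flow only; moves between registers and memory are skipped.

```python
import re

MASK32 = 0xFFFFFFFF
# Joe Sandbox flattens a disassembly as "0x<offset> mnemonic operands 0x<offset> ...", so the
# listing is split on the 8-hex-digit offset markers; immediates carry a trailing 'h' and no 0x.
OFFSET = re.compile(r"0x[0-9A-Fa-f]{8}\s+")
# Two or more hex digits before the 'h', so the ah/bh/ch/dh used as filler are not immediates.
IMMEDIATE = re.compile(r"^([0-9A-Fa-f]{2,})h$")
# The only operations the constant chains use; everything wraps at 32 bits.
ARITH = {
    "mov": lambda old, v: v,
    "xor": lambda old, v: old ^ v,
    "add": lambda old, v: (old + v) & MASK32,
    "sub": lambda old, v: (old - v) & MASK32,
}

# Listings copied verbatim from the two interceptor entries above.
RDTSC_CPUID_PROBE = (
    "0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad "
    "0x0000000a pushad 0x0000000b lfence 0x0000000e rdtsc"
)
CONSTANT_CHAIN = (
    "0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad "
    "0x0000000b mov esi, DCAAA67Fh 0x00000010 test dl, dl 0x00000012 xor esi, F2CCAB26h 0x00000018 test edx, edx "
    "0x0000001a sub esi, 536EBD65h 0x00000020 test bh, ch 0x00000022 xor esi, DAF7BFF4h 0x00000028 test ecx, ecx "
    "0x0000002a test bx, cx 0x0000002d add esi, 00001000h 0x00000033 test bx, ax 0x00000036 cmp cl, dl 0x00000038 cmp bx, dx "
    "0x0000003b mov dword ptr [ebp+000001F8h], FC14852Ch 0x00000045 test ebx, ecx "
    "0x00000047 xor dword ptr [ebp+000001F8h], 83A94D75h 0x00000051 xor dword ptr [ebp+000001F8h], AA3F6E81h "
    "0x0000005b cmp ah, 00000015h 0x0000005e sub dword ptr [ebp+000001F8h], D581B6D8h "
    "0x00000068 cmp esi, dword ptr [ebp+000001F8h] 0x0000006e je 00007F8568CA0D1Ah "
    "0x00000074 mov dword ptr [ebp+00000204h], 67BCF0E4h 0x0000007e xor dword ptr [ebp+00000204h], E457B680h "
    "0x00000088 xor dword ptr [ebp+00000204h], E04C2F31h 0x00000092 xor dword ptr [ebp+00000204h], 1C589955h "
    "0x0000009c cmp ch, dh 0x0000009e cmp esi, dword ptr [ebp+00000204h] 0x000000a4 je 00007F8568CA0CE4h "
    "0x000000aa test cl, dl 0x000000ac mov dword ptr [ebp+00000246h], eax 0x000000b2 mov eax, 03147A97h "
    "0x000000b7 cmp ecx, ecx 0x000000b9 xor eax, 4F08C75Bh 0x000000be cmp cl, al 0x000000c0 sub eax, 1A91E3C1h "
    "0x000000c5 sub eax, 318ADA0Bh 0x000000ca push eax 0x000000cb mov eax, dword ptr [ebp+00000246h] "
    "0x000000d1 cmp bh, ah 0x000000d3 push 25819736h 0x000000d8 sub dword ptr [esp], 3CB652F7h "
    "0x000000df xor dword ptr [esp], 3AF83707h 0x000000e6 pushad 0x000000e7 mov ebx, 000000DBh 0x000000ec rdtsc"
)


def parse_listing(listing):
    """Split the flattened listing into (mnemonic, [operands]) tuples."""
    instrs = []
    for chunk in OFFSET.split(listing):
        if chunk.strip():
            mnem, _, rest = chunk.strip().partition(" ")
            instrs.append((mnem.lower(), [o.strip() for o in rest.split(",")] if rest else []))
    return instrs


def immediate(tok):
    m = IMMEDIATE.match(tok)
    return int(m.group(1), 16) & MASK32 if m else None


def location(tok):
    """Normalise an operand to a state key: 'esi', '[esp]' or '[ebp+1f8]'."""
    tok = tok.replace("dword ptr", "").strip().lower()
    if not tok.startswith("["):
        return tok
    base, _, disp = tok[1:-1].partition("+")
    return f"[{base}+{int(disp.rstrip('h'), 16):x}]" if disp else f"[{base}]"


def resolve_constants(listing):
    """Fold each immediate chain to its final value. Returns (state, stack, compares):
    resolved register/frame slots, values left by push (with [esp] arithmetic applied
    to the top), and every cmp whose two operands were both resolved."""
    state, stack, compares = {}, [], []
    for mnem, ops in parse_listing(listing):
        if mnem in ARITH and len(ops) == 2 and immediate(ops[1]) is not None:
            dst, val = location(ops[0]), immediate(ops[1])
            if dst == "[esp]":
                if stack:
                    stack[-1] = ARITH[mnem](stack[-1], val)
            else:
                state[dst] = ARITH[mnem](state.get(dst, 0), val)
        elif mnem == "push" and len(ops) == 1:
            val = immediate(ops[0])
            stack.append(val if val is not None else state.get(location(ops[0])))
        elif mnem == "cmp" and len(ops) == 2:
            a, b = location(ops[0]), location(ops[1])
            if a in state and b in state:
                compares.append((a, state[a], b, state[b]))
    return state, stack, compares


def has_timing_probe(listing):
    """True when a CPUID sits between two RDTSCs: the VM-exit timing probe."""
    mnems = [m for m, _ in parse_listing(listing)]
    idx = [i for i, m in enumerate(mnems) if m == "rdtsc"]
    return any("cpuid" in mnems[i + 1:j] for i, j in zip(idx, idx[1:]))


if __name__ == "__main__":
    print("timing probe in first listing:", has_timing_probe(RDTSC_CPUID_PROBE))
    state, stack, compares = resolve_constants(CONSTANT_CHAIN)
    for key, val in state.items():
        print(f"{key:12} = {val:#010x}")
    print("pushed:", [f"{v:#010x}" if v is not None else "?" for v in stack])
    for a, va, b, vb in compares:
        print(f"cmp {a} ({va:#x}) with {b} ({vb:#x})")
```

On the second listing the script recovers esi = 0x10000, the two frame slots it is compared against as 0xF000 and 0x7FFFF000, a pushed eax of 0, and a pushed value of 0xD2337338 once the sub/xor on [esp] are applied; the first listing is identified as the timing probe, the second is not (its CPUID-free RDTSC pair is the close of the previous measurement). The report does not say what the loader does with these values, and the script does not guess; the point is that the whole chain is decidable statically, so the filler can be stripped before looking at the comparisons and calls that actually matter.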
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D423F rdtsc 0_2_021D423F
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Note: no DNS query for kinmirai.org was observed, so the payload URL from the configuration was never fetched in this run. Taken together with the > 90% CPU spent in the timing loops, the idle verdict is consistent with the loader's anti-analysis checks halting it before the download stage rather than with benign behaviour.

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Process Stats: CPU usage > 90% for more than 60s
Potentially malicious time measurement code found
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D423F Start: 021D4BE7 End: 021D480D 0_2_021D423F
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D5A46 Start: 021D5BED End: 021D480D 0_2_021D5A46
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D4277 Start: 021D4BE7 End: 021D480D 0_2_021D4277
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D4263 Start: 021D4BE7 End: 021D480D 0_2_021D4263
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D33A7 Start: 021D4BE7 End: 021D480D 0_2_021D33A7
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D5852 Start: 021D4BE7 End: 021D480D 0_2_021D5852
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D513E Start: 021D4BE7 End: 021D480D 0_2_021D513E
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D4128 Start: 021D4BE7 End: 021D480D 0_2_021D4128
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D46E4 Start: 021D4BE7 End: 021D480D 0_2_021D46E4
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D1FD9 Start: 021D4BE7 End: 021D480D 0_2_021D1FD9
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D045E Start: 021D4BE7 End: 021D480D 0_2_021D045E
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D7488 Start: 021D4BE7 End: 021D480D 0_2_021D7488
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D7CA5 Start: 021D4BE7 End: 021D480D 0_2_021D7CA5
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D8DB4 Start: 021D4BE7 End: 021D480D 0_2_021D8DB4
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D423F rdtsc 0_2_021D423F
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D5201 mov eax, dword ptr fs:[00000030h] 0_2_021D5201
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D7365 mov eax, dword ptr fs:[00000030h] 0_2_021D7365
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D33A7 mov eax, dword ptr fs:[00000030h] 0_2_021D33A7
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D33EC mov eax, dword ptr fs:[00000030h] 0_2_021D33EC
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D28E2 mov eax, dword ptr fs:[00000030h] 0_2_021D28E2
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D7EFC mov eax, dword ptr fs:[00000030h] 0_2_021D7EFC
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D348A mov eax, dword ptr fs:[00000030h] 0_2_021D348A
Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021D6D92 mov eax, dword ptr fs:[00000030h] 0_2_021D6D92
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: F63V4i8eZU.exe, 00000000.00000002.736824672.0000000000C50000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: F63V4i8eZU.exe, 00000000.00000002.736824672.0000000000C50000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: F63V4i8eZU.exe, 00000000.00000002.736824672.0000000000C50000.00000002.00000001.sdmp Binary or memory string: Progman
Source: F63V4i8eZU.exe, 00000000.00000002.736824672.0000000000C50000.00000002.00000001.sdmp Binary or memory string: Progmanlock