Source: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1OPtVT-x7\"[OfT"} |
Source: nZdwtTEYoW.exe | Virustotal: Detection: 25% |
Source: nZdwtTEYoW.exe | ReversingLabs: Detection: 13% |
Source: nZdwtTEYoW.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor | URLs: https://drive.google.com/uc?export=download&id=1OPtVT-x7"[OfT |
Source: nZdwtTEYoW.exe, 00000000.00000002.761919156.000000000064A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> | |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_022155D9 NtAllocateVirtualMemory, | 0_2_022155D9 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_022157A7 NtAllocateVirtualMemory, | 0_2_022157A7 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_00401128 | 0_2_00401128 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_022155D9 | 0_2_022155D9 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02214233 | 0_2_02214233 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02211262 | 0_2_02211262 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_022122A3 | 0_2_022122A3 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_022182CB | 0_2_022182CB |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_0221330A | 0_2_0221330A |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02213063 | 0_2_02213063 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_022120EB | 0_2_022120EB |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02217923 | 0_2_02217923 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02212114 | 0_2_02212114 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02213917 | 0_2_02213917 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02218167 | 0_2_02218167 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02210974 | 0_2_02210974 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_022109EF | 0_2_022109EF |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_022126CF | 0_2_022126CF |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02216F7F | 0_2_02216F7F |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_0221379D | 0_2_0221379D |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02210F9F | 0_2_02210F9F |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02210FFE | 0_2_02210FFE |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_022137D8 | 0_2_022137D8 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02210CA7 | 0_2_02210CA7 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_022154BA | 0_2_022154BA |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02211CBD | 0_2_02211CBD |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_022134EA | 0_2_022134EA |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02212531 | 0_2_02212531 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02218501 | 0_2_02218501 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_0221854C | 0_2_0221854C |
Source: nZdwtTEYoW.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: nZdwtTEYoW.exe, 00000000.00000000.234126028.0000000000417000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCALICOES.exe vs nZdwtTEYoW.exe |
Source: nZdwtTEYoW.exe, 00000000.00000002.762332668.00000000021E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs nZdwtTEYoW.exe |
Source: nZdwtTEYoW.exe | Binary or memory string: OriginalFilenameCALICOES.exe vs nZdwtTEYoW.exe |
Source: classification engine | Classification label: mal88.troj.evad.winEXE@1/0@0/0 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | File created: C:\Users\user\AppData\Local\Temp\~DFCCD223C299E0DF5D.TMP |
Source: nZdwtTEYoW.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: Yara match | File source: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_00401128 push esi; retn 4D4Dh | 0_2_0040263F |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_00404916 push 00000014h; ret | 0_2_00404938 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02216A23 push ebx; iretd | 0_2_02216A2E |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02218223 push ebx; iretd | 0_2_0221822E |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02214227 push ebx; iretd | 0_2_02214232 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_0221222B push ebx; iretd | 0_2_02212236 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02216A2F push ebx; iretd | 0_2_02216A3A |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_0221822F push ebx; iretd | 0_2_0221823A |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02212237 push ebx; iretd | 0_2_02212242 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02216A3B push ebx; iretd | 0_2_02216A46 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_0221823B push ebx; iretd | 0_2_02218246 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02214203 push ebx; iretd | 0_2_0221420E |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02212207 push ebx; iretd | 0_2_02212212 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02216A0B push ebx; iretd | 0_2_02216A16 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_0221820B push ebx; iretd | 0_2_02218216 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_0221420F push ebx; iretd | 0_2_0221421A |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02212213 push ebx; iretd | 0_2_0221221E |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02216A17 push ebx; iretd | 0_2_02216A22 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02218217 push ebx; iretd | 0_2_02218222 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_0221421B push ebx; iretd | 0_2_02214226 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_0221221F push ebx; iretd | 0_2_0221222A |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02212267 push ebx; iretd | 0_2_02212272 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02218A67 push ebx; iretd | 0_2_02218A72 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02216A6B push ebx; iretd | 0_2_02216A76 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_0221826B push ebx; iretd | 0_2_02218276 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02212A6F push ebx; iretd | 0_2_02212A7A |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02212273 push ebx; iretd | 0_2_0221227E |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02218A73 push ebx; iretd | 0_2_02218A7E |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02216A77 push ebx; iretd | 0_2_02216A82 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02218277 push ebx; iretd | 0_2_02218282 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02212A7B push ebx; iretd | 0_2_02212A86 |
Source: initial sample | Static PE information: section name: .text entropy: 6.90665747983 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | RDTSC instruction interceptor: First address: 000000000221928F second address: 000000000221928F instructions: |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | RDTSC instruction interceptor: First address: 0000000002219277 second address: 000000000221928F instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 xor ecx, AF55D2FDh 0x00000009 mov dword ptr [edi+ecx], eax 0x0000000c mov ecx, C83BC8F2h 0x00000011 xor ecx, 51282A31h 0x00000017 pushad 0x00000018 rdtsc |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02215223 rdtsc | 0_2_02215223 |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_0221732C mov eax, dword ptr fs:[00000030h] | 0_2_0221732C |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02213063 mov eax, dword ptr fs:[00000030h] | 0_2_02213063 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02218167 mov eax, dword ptr fs:[00000030h] | 0_2_02218167 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02214E17 mov eax, dword ptr fs:[00000030h] | 0_2_02214E17 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02217730 mov eax, dword ptr fs:[00000030h] | 0_2_02217730 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02212531 mov eax, dword ptr fs:[00000030h] | 0_2_02212531 |
Source: nZdwtTEYoW.exe, 00000000.00000002.762104932.0000000000DD0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd |
Source: nZdwtTEYoW.exe, 00000000.00000002.762104932.0000000000DD0000.00000002.00000001.sdmp | Binary or memory string: Progman |
Source: nZdwtTEYoW.exe, 00000000.00000002.762104932.0000000000DD0000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl |
Source: nZdwtTEYoW.exe, 00000000.00000002.762104932.0000000000DD0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd, |
Source: nZdwtTEYoW.exe, 00000000.00000002.762104932.0000000000DD0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock |