Source: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1OPtVT-x7\"[OfT"} |
Source: nZdwtTEYoW.exe | Virustotal: Detection: 25% | Perma Link |
Source: nZdwtTEYoW.exe | ReversingLabs: Detection: 13% |
Source: nZdwtTEYoW.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor | URLs: https://drive.google.com/uc?export=download&id=1OPtVT-x7"[OfT |
Source: nZdwtTEYoW.exe, 00000000.00000002.761919156.000000000064A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_022155D9 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_022157A7 NtAllocateVirtualMemory, |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_00401128 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_022155D9 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02214233 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02211262 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_022122A3 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_022182CB |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_0221330A |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02213063 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_022120EB |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02217923 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02212114 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02213917 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02218167 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02210974 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_022109EF |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_022126CF |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02216F7F |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_0221379D |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02210F9F |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02210FFE |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_022137D8 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02210CA7 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_022154BA |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02211CBD |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_022134EA |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02212531 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02218501 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_0221854C |
Source: nZdwtTEYoW.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: nZdwtTEYoW.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: nZdwtTEYoW.exe, 00000000.00000000.234126028.0000000000417000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCALICOES.exe vs nZdwtTEYoW.exe |
Source: nZdwtTEYoW.exe, 00000000.00000002.762332668.00000000021E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs nZdwtTEYoW.exe |
Source: nZdwtTEYoW.exe | Binary or memory string: OriginalFilenameCALICOES.exe vs nZdwtTEYoW.exe |
Source: nZdwtTEYoW.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: classification engine | Classification label: mal88.troj.evad.winEXE@1/0@0/0 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | File created: C:\Users\user\AppData\Local\Temp\~DFCCD223C299E0DF5D.TMP | Jump to behavior |
Source: nZdwtTEYoW.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: nZdwtTEYoW.exe | Virustotal: Detection: 25% |
Source: nZdwtTEYoW.exe | ReversingLabs: Detection: 13% |
Source: Yara match | File source: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_00401128 push esi; retn 4D4Dh |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_00404916 push 00000014h; ret |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02216A23 push ebx; iretd |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02218223 push ebx; iretd |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02214227 push ebx; iretd |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_0221222B push ebx; iretd |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02216A2F push ebx; iretd |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_0221822F push ebx; iretd |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02212237 push ebx; iretd |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02216A3B push ebx; iretd |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_0221823B push ebx; iretd |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02214203 push ebx; iretd |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02212207 push ebx; iretd |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02216A0B push ebx; iretd |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_0221820B push ebx; iretd |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_0221420F push ebx; iretd |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02212213 push ebx; iretd |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02216A17 push ebx; iretd |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02218217 push ebx; iretd |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_0221421B push ebx; iretd |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_0221221F push ebx; iretd |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02212267 push ebx; iretd |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02218A67 push ebx; iretd |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02216A6B push ebx; iretd |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_0221826B push ebx; iretd |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02212A6F push ebx; iretd |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02212273 push ebx; iretd |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02218A73 push ebx; iretd |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02216A77 push ebx; iretd |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02218277 push ebx; iretd |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02212A7B push ebx; iretd |
Source: initial sample | Static PE information: section name: .text entropy: 6.90665747983 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02213917 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02218167 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02216F7F |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_0221379D |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_022137D8 |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | RDTSC instruction interceptor: First address: 000000000221928F second address: 000000000221928F instructions: |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | RDTSC instruction interceptor: First address: 0000000002219277 second address: 000000000221928F instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 xor ecx, AF55D2FDh 0x00000009 mov dword ptr [edi+ecx], eax 0x0000000c mov ecx, C83BC8F2h 0x00000011 xor ecx, 51282A31h 0x00000017 pushad 0x00000018 rdtsc |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | RDTSC instruction interceptor: First address: 000000000221928F second address: 000000000221928F instructions: |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02215223 rdtsc |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02215223 rdtsc |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_0221732C mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02213063 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02218167 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02214E17 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02217730 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\nZdwtTEYoW.exe | Code function: 0_2_02212531 mov eax, dword ptr fs:[00000030h] |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: nZdwtTEYoW.exe, 00000000.00000002.762104932.0000000000DD0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd |
Source: nZdwtTEYoW.exe, 00000000.00000002.762104932.0000000000DD0000.00000002.00000001.sdmp | Binary or memory string: Progman |
Source: nZdwtTEYoW.exe, 00000000.00000002.762104932.0000000000DD0000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl |
Source: nZdwtTEYoW.exe, 00000000.00000002.762104932.0000000000DD0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd, |
Source: nZdwtTEYoW.exe, 00000000.00000002.762104932.0000000000DD0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock |