Windows Analysis Report CI and PL of CMZBD-210090.exe

Overview

General Information

Sample Name: CI and PL of CMZBD-210090.exe
Analysis ID: 483265
MD5: 1f9b03378d7dc859a1c6e13a5832582e
SHA1: 670bf2c5dbc7f6f8d9d1ec4b8d6c527a5eefdb8b
SHA256: ce8385347104cf190b23811bb67ba8edac9186073d6953ca23720f1e92af7eb3
Tags: exe, guloader

Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

AV Detection:

Found malware configuration
Source: 00000000.00000002.753956643.00000000022C0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downlo"}
Multi AV Scanner detection for submitted file
Source: CI and PL of CMZBD-210090.exe ReversingLabs: Detection: 17%
Machine Learning detection for sample
Source: CI and PL of CMZBD-210090.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.0.CI and PL of CMZBD-210090.exe.400000.0.unpack Avira: Label: TR/Dropper.VB.Gen
Source: 0.2.CI and PL of CMZBD-210090.exe.400000.0.unpack Avira: Label: TR/Dropper.VB.Gen

Compliance:

Uses 32bit PE files
Source: CI and PL of CMZBD-210090.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=downlo

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: CI and PL of CMZBD-210090.exe, 00000000.00000002.752800438.000000000071A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Uses 32bit PE files
Source: CI and PL of CMZBD-210090.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: CI and PL of CMZBD-210090.exe, 00000000.00000002.752500210.000000000041B000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamemeta.exe vs CI and PL of CMZBD-210090.exe
Source: CI and PL of CMZBD-210090.exe Binary or memory string: OriginalFilenamemeta.exe vs CI and PL of CMZBD-210090.exe
PE file contains strange resources
Source: CI and PL of CMZBD-210090.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CI and PL of CMZBD-210090.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CI and PL of CMZBD-210090.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_00401114 0_2_00401114
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C7AB8 0_2_022C7AB8
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C6221 0_2_022C6221
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C3E3C 0_2_022C3E3C
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C863A 0_2_022C863A
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C3634 0_2_022C3634
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CD234 0_2_022CD234
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CC631 0_2_022CC631
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CD208 0_2_022CD208
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C5E04 0_2_022C5E04
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C6604 0_2_022C6604
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C5A06 0_2_022C5A06
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C1615 0_2_022C1615
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C566C 0_2_022C566C
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C1E6D 0_2_022C1E6D
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C5A6B 0_2_022C5A6B
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C7A66 0_2_022C7A66
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C4A60 0_2_022C4A60
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C7A60 0_2_022C7A60
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CB261 0_2_022CB261
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CD263 0_2_022CD263
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C3644 0_2_022C3644
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CC25E 0_2_022CC25E
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C625A 0_2_022C625A
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C5AAD 0_2_022C5AAD
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CC2A9 0_2_022CC2A9
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CC6A9 0_2_022CC6A9
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C5EA2 0_2_022C5EA2
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C7EB8 0_2_022C7EB8
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CD2B6 0_2_022CD2B6
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C7E8C 0_2_022C7E8C
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CD28D 0_2_022CD28D
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CBE88 0_2_022CBE88
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C0A99 0_2_022C0A99
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C1A94 0_2_022C1A94
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C36EC 0_2_022C36EC
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C26EF 0_2_022C26EF
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CD2E8 0_2_022CD2E8
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C76EA 0_2_022C76EA
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C66E6 0_2_022C66E6
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C5EE2 0_2_022C5EE2
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C5EF5 0_2_022C5EF5
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C7AF2 0_2_022C7AF2
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C4ACD 0_2_022C4ACD
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C86C8 0_2_022C86C8
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C62C9 0_2_022C62C9
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C16C6 0_2_022C16C6
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C3EDC 0_2_022C3EDC
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CC2DE 0_2_022CC2DE
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C26DA 0_2_022C26DA
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C4ED5 0_2_022C4ED5
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C4AD6 0_2_022C4AD6
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C7F28 0_2_022C7F28
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CB325 0_2_022CB325
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C0B27 0_2_022C0B27
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C5B23 0_2_022C5B23
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C273E 0_2_022C273E
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CBF37 0_2_022CBF37
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C1B0C 0_2_022C1B0C
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C270D 0_2_022C270D
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CD31C 0_2_022CD31C
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C571D 0_2_022C571D
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C2719 0_2_022C2719
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CC368 0_2_022CC368
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C4B61 0_2_022C4B61
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C3F62 0_2_022C3F62
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C3B63 0_2_022C3B63
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C177C 0_2_022C177C
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CD374 0_2_022CD374
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C334E 0_2_022C334E
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C1B40 0_2_022C1B40
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C2B43 0_2_022C2B43
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C5F50 0_2_022C5F50
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C2753 0_2_022C2753
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CBBAC 0_2_022CBBAC
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C2BA0 0_2_022C2BA0
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C67BA 0_2_022C67BA
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C57B2 0_2_022C57B2
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C638A 0_2_022C638A
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C5B84 0_2_022C5B84
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C3B87 0_2_022C3B87
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CBF87 0_2_022CBF87
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C8782 0_2_022C8782
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C3799 0_2_022C3799
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C4BED 0_2_022C4BED
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C17FB 0_2_022C17FB
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C63F4 0_2_022C63F4
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C1BF3 0_2_022C1BF3
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CBFCF 0_2_022CBFCF
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C2FC7 0_2_022C2FC7
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CB3DD 0_2_022CB3DD
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C3C20 0_2_022C3C20
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C4038 0_2_022C4038
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C7C37 0_2_022C7C37
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C140C 0_2_022C140C
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CB00E 0_2_022CB00E
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C4004 0_2_022C4004
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C6005 0_2_022C6005
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CD406 0_2_022CD406
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C5C1C 0_2_022C5C1C
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C141A 0_2_022C141A
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CB016 0_2_022CB016
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C8810 0_2_022C8810
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C106E 0_2_022C106E
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C744C 0_2_022C744C
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C7C48 0_2_022C7C48
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C5849 0_2_022C5849
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CC047 0_2_022CC047
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C7C42 0_2_022C7C42
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C6452 0_2_022C6452
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C5CAC 0_2_022C5CAC
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C18AE 0_2_022C18AE
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C88AF 0_2_022C88AF
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C1CA4 0_2_022C1CA4
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C50A7 0_2_022C50A7
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C3CBE 0_2_022C3CBE
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C60BA 0_2_022C60BA
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CB08B 0_2_022CB08B
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C589C 0_2_022C589C
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CB498 0_2_022CB498
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C4C94 0_2_022C4C94
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C5C97 0_2_022C5C97
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CA0ED 0_2_022CA0ED
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C50EF 0_2_022C50EF
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C7CE0 0_2_022C7CE0
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C5CE2 0_2_022C5CE2
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C58F3 0_2_022C58F3
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C64C9 0_2_022C64C9
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C14CA 0_2_022C14CA
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C40D5 0_2_022C40D5
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CC0D5 0_2_022CC0D5
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C7134 0_2_022C7134
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C8933 0_2_022C8933
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CB109 0_2_022CB109
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C0D01 0_2_022C0D01
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C6110 0_2_022C6110
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C616D 0_2_022C616D
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C356E 0_2_022C356E
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C156E 0_2_022C156E
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C1D6E 0_2_022C1D6E
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C3D6A 0_2_022C3D6A
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C5D6B 0_2_022C5D6B
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C8964 0_2_022C8964
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CC17E 0_2_022CC17E
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C657A 0_2_022C657A
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CD17A 0_2_022CD17A
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CBD70 0_2_022CBD70
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CD14E 0_2_022CD14E
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C5548 0_2_022C5548
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C195F 0_2_022C195F
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C0D51 0_2_022C0D51
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C59A1 0_2_022C59A1
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CD1A2 0_2_022CD1A2
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CBD8E 0_2_022CBD8E
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C3589 0_2_022C3589
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CB191 0_2_022CB191
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C3DEC 0_2_022C3DEC
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CC1E9 0_2_022CC1E9
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C85E0 0_2_022C85E0
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C19F9 0_2_022C19F9
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CBDC9 0_2_022CBDC9
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C55DA 0_2_022C55DA
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C1DD3 0_2_022C1DD3
Contains functionality to call native functions
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C7AB8 NtAllocateVirtualMemory, 0_2_022C7AB8
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C7A66 NtAllocateVirtualMemory, 0_2_022C7A66
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C7A60 NtAllocateVirtualMemory, 0_2_022C7A60
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C7EB8 NtAllocateVirtualMemory, 0_2_022C7EB8
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C7E8C NtAllocateVirtualMemory, 0_2_022C7E8C
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C7AF2 NtAllocateVirtualMemory, 0_2_022C7AF2
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C7F28 NtAllocateVirtualMemory, 0_2_022C7F28
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C7FB0 NtAllocateVirtualMemory, 0_2_022C7FB0
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C8058 NtAllocateVirtualMemory, 0_2_022C8058
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C80FB NtAllocateVirtualMemory, 0_2_022C80FB
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Process Stats: CPU usage > 98%
Source: CI and PL of CMZBD-210090.exe ReversingLabs: Detection: 17%
Source: CI and PL of CMZBD-210090.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine Classification label: mal76.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.753956643.00000000022C0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_00404440 push 00401106h; ret 0_2_00404453
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_00404454 push 00401106h; ret 0_2_00404467
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_00404429 push 00401106h; ret 0_2_0040443F
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_0040819A push 0000002Bh; ret 0_2_004081A1
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_0040A28B push cs; ret 0_2_0040A29F
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CDB64 push cs; iretd 0_2_022CDB65
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C9379 push edx; ret 0_2_022C938F
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C7613 rdtsc 0_2_022C7613

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CAE6C mov eax, dword ptr fs:[00000030h] 0_2_022CAE6C
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C4A60 mov eax, dword ptr fs:[00000030h] 0_2_022C4A60
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C46EA mov eax, dword ptr fs:[00000030h] 0_2_022C46EA
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C4ACD mov eax, dword ptr fs:[00000030h] 0_2_022C4ACD
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C4AD6 mov eax, dword ptr fs:[00000030h] 0_2_022C4AD6
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CA766 mov eax, dword ptr fs:[00000030h] 0_2_022CA766
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C3B63 mov eax, dword ptr fs:[00000030h] 0_2_022C3B63
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C737F mov eax, dword ptr fs:[00000030h] 0_2_022C737F
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CBD70 mov eax, dword ptr fs:[00000030h] 0_2_022CBD70
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CBD8E mov eax, dword ptr fs:[00000030h] 0_2_022CBD8E
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022CBDC9 mov eax, dword ptr fs:[00000030h] 0_2_022CBDC9
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C7613 rdtsc 0_2_022C7613
Source: CI and PL of CMZBD-210090.exe, 00000000.00000002.753383733.0000000000DA0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: CI and PL of CMZBD-210090.exe, 00000000.00000002.753383733.0000000000DA0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: CI and PL of CMZBD-210090.exe, 00000000.00000002.753383733.0000000000DA0000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: CI and PL of CMZBD-210090.exe, 00000000.00000002.753383733.0000000000DA0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: CI and PL of CMZBD-210090.exe, 00000000.00000002.753383733.0000000000DA0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\CI and PL of CMZBD-210090.exe Code function: 0_2_022C75A7 cpuid 0_2_022C75A7
No contacted IP infos
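The Data Obfuscation, Anti Debugging and Language/Device Detection sections above report raw instruction idioms rather than API calls: push imm; ret sequences, mov eax, dword ptr fs:[00000030h] (a PEB read), rdtsc and cpuid. The scanner below is an added example, not part of this Joe Sandbox report and not GuLoader code. It looks for the IA-32 encodings of those idioms in a 32-bit memory dump and resolves the push/ret form to the address it effectively jumps to. The input buffer is constructed for the example; the base address 022C0000 and the 00401106h target are taken from the report, while the movzx of PEB offset 2 (BeingDebugged) that follows the PEB read in the sample buffer is an assumption about a typical check, not something the report shows.

```python
"""Byte-pattern triage for the anti-analysis idioms listed in this report.

Added example; not code from the Joe Sandbox report or from GuLoader.
It scans a raw 32-bit code dump (for instance the 022C0000 region the
report dumps) for the encodings behind four of the signatures above:
PEB reads via fs:[30h], rdtsc timing checks, cpuid queries and
push/ret return-address obfuscation, resolving the push imm; ret form
to the address it effectively jumps to.  The input buffer below is
constructed; the base address and the 00401106h target come from the
report.
"""
from __future__ import annotations

import re
import struct
from dataclasses import dataclass

# One regex alternative per idiom (IA-32 encodings).  Raw byte matching is
# deliberately dumb: it also fires on data that happens to look like code.
_PATTERNS = re.compile(
    rb"(?P<peb>\x64(?:\xA1|\x8B\x05)\x30\x00\x00\x00)"  # mov eax, fs:[30h]
    rb"|(?P<rdtsc>\x0F\x31)"                                 # rdtsc
    rb"|(?P<cpuid>\x0F\xA2)"                                 # cpuid
    rb"|(?P<push_imm32_ret>\x68(?P<imm32>.{4})\xC3)"        # push imm32; ret
    rb"|(?P<push_imm8_ret>\x6A(?P<imm8>.)\xC3)"             # push imm8; ret
    rb"|(?P<push_reg_ret>[\x50-\x57]\xC3)"                   # push r32; ret
    rb"|(?P<push_cs_ret>\x0E\xC3)",                          # push cs; ret
    re.DOTALL,
)
KINDS = ("peb", "rdtsc", "cpuid", "push_imm32_ret",
         "push_imm8_ret", "push_reg_ret", "push_cs_ret")
_REGS = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")


@dataclass(frozen=True)
class Hit:
    kind: str      # which idiom matched
    address: int   # virtual address of the first byte
    detail: str    # resolved jump target / register, or a short note


def _describe(kind: str, m: re.Match[bytes]) -> str:
    if kind == "push_imm32_ret":
        target = struct.unpack("<I", m.group("imm32"))[0]
        return f"jmp 0x{target:08X}"
    if kind == "push_imm8_ret":
        # push imm8 sign-extends to 32 bits before the ret consumes it
        target = struct.unpack("<b", m.group("imm8"))[0] & 0xFFFFFFFF
        return f"jmp 0x{target:08X}"
    if kind == "push_reg_ret":
        return f"jmp {_REGS[m.group(0)[0] - 0x50]}"
    if kind == "push_cs_ret":
        return "ret to CS selector value (anti-disassembly junk)"
    return {"peb": "PEB pointer -> eax",
            "rdtsc": "timestamp counter read",
            "cpuid": "CPU vendor/feature query"}[kind]


def scan(buf: bytes, base: int = 0) -> list[Hit]:
    """Return every idiom hit in buf; base is the VA of buf[0]."""
    hits = []
    for m in _PATTERNS.finditer(buf):
        kind = next(k for k in KINDS if m.group(k) is not None)
        hits.append(Hit(kind, base + m.start(), _describe(kind, m)))
    return hits


def summarize(hits: list[Hit]) -> dict[str, int]:
    """Per-idiom hit counts, the shape a triage note or rule condition wants."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h.kind] = counts.get(h.kind, 0) + 1
    return counts


def constructed_sample() -> bytes:
    """Constructed buffer: NOP padding around the idioms this report flags."""
    return (
        b"\x90" * 8
        + b"\x64\xA1\x30\x00\x00\x00"   # mov eax, fs:[30h]        (PEB read)
        + b"\x0F\xB6\x40\x02"           # movzx eax, byte [eax+2]  (PEB.BeingDebugged, assumed)
        + b"\x90" * 4
        + b"\x0F\x31"                   # rdtsc
        + b"\x90" * 4
        + b"\x0F\xA2"                   # cpuid
        + b"\x90" * 4
        + b"\x68\x06\x11\x40\x00\xC3"   # push 00401106h; ret  == jmp 0x00401106
        + b"\x6A\x2B\xC3"               # push 2Bh; ret
        + b"\x52\xC3"                   # push edx; ret
        + b"\x0E\xC3"                   # push cs; ret
        + b"\x90" * 8
    )


if __name__ == "__main__":
    for h in scan(constructed_sample(), base=0x022C0000):
        print(f"0x{h.address:08X}  {h.kind:<15} {h.detail}")
    print(summarize(scan(constructed_sample())))
```

Run it over a dump of the 022C0000 region with base=0x022C0000 to get hit addresses in the same form as the report's 0_2_022Cxxxx references. Two caveats apply. Raw byte matching fires on data as well as code, and many legitimate runtimes read the PEB, so the counts are triage context rather than a verdict. And the report's own push/ret hits are not adjacent (push at 0_2_00404440, ret at 0_2_00404453), so the interleaved form needs a disassembler-driven pass that this regex deliberately does not attempt.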