Source: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=d_"} |
Source: RFQ_TZDQP2110257921.exe |
ReversingLabs: Detection: 13% |
Source: RFQ_TZDQP2110257921.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor |
URLs: https://drive.google.com/uc?export=d_ |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_02B5DAC8 NtAllocateVirtualMemory, |
0_2_02B5DAC8 |
Source: RFQ_TZDQP2110257921.exe, 00000000.00000002.1179974594.0000000000421000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameForlornity.exe vs RFQ_TZDQP2110257921.exe |
Source: RFQ_TZDQP2110257921.exe |
Binary or memory string: OriginalFilenameForlornity.exe vs RFQ_TZDQP2110257921.exe |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_0040153A |
0_2_0040153A |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_00401776 |
0_2_00401776 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_00401729 |
0_2_00401729 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_02B5DAC8 |
0_2_02B5DAC8 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_02B66BC4 |
0_2_02B66BC4 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_02B5B2CF |
0_2_02B5B2CF |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_02B5B236 |
0_2_02B5B236 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_02B5B3F9 |
0_2_02B5B3F9 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_02B5B0FE |
0_2_02B5B0FE |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_02B6502F |
0_2_02B6502F |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_02B5A1AB |
0_2_02B5A1AB |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_02B5E1FB |
0_2_02B5E1FB |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_02B5F1D5 |
0_2_02B5F1D5 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_02B5B6B2 |
0_2_02B5B6B2 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_02B5A6CE |
0_2_02B5A6CE |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_02B5B608 |
0_2_02B5B608 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_02B5A4C9 |
0_2_02B5A4C9 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_02B5A464 |
0_2_02B5A464 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_02B5A58F |
0_2_02B5A58F |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_02B5B537 |
0_2_02B5B537 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_02B64A9C |
0_2_02B64A9C |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_02B5AAF9 |
0_2_02B5AAF9 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_02B5AAD3 |
0_2_02B5AAD3 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_02B5AB45 |
0_2_02B5AB45 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_02B599FD |
0_2_02B599FD |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_02B5AEF7 |
0_2_02B5AEF7 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_02B63ECA |
0_2_02B63ECA |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_02B5AE6A |
0_2_02B5AE6A |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_02B5AFC2 |
0_2_02B5AFC2 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_02B56CB7 |
0_2_02B56CB7 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_02B56CCC |
0_2_02B56CCC |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_02B56C30 |
0_2_02B56C30 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_02B62C28 |
0_2_02B62C28 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_02B5AD9F |
0_2_02B5AD9F |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_02B5AD46 |
0_2_02B5AD46 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
File created: C:\Users\user\AppData\Local\Temp\~DF87EDA8D7970694A0.TMP |
Source: RFQ_TZDQP2110257921.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: classification engine |
Classification label: mal72.troj.evad.winEXE@1/1@0/0 |
Source: Yara match |
File source: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_0041080B push CFB82872h; iretd |
0_2_00410813 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_0040D0A1 push 223B155Fh; retf |
0_2_0040D096 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_0040A954 push 00000079h; ret |
0_2_0040A956 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_00407242 push eax; retf |
0_2_00407351 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_00414248 push ss; iretd |
0_2_00414303 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_00407257 push eax; retf |
0_2_00407351 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_0040AA76 push ecx; retf |
0_2_0040AA82 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_0040721B push eax; retf |
0_2_00407351 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_00404A2C push ebx; iretd |
0_2_00404A34 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_0040A2F8 push edx; ret |
0_2_0040A2F9 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_0040F2FE push 0000002Eh; iretd |
0_2_0040F3F7 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_0040E2B4 push ss; iretd |
0_2_0040E366 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_00407357 push eax; retf |
0_2_00407351 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_0040F32E push 0000002Eh; iretd |
0_2_0040F3F7 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_004113CA push esi; ret |
0_2_004113CB |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_004173D8 push ss; iretd |
0_2_00417496 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_0040739E push eax; retf |
0_2_00407351 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_004173AE push ss; iretd |
0_2_00417496 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_0040CC41 push 00000043h; retf |
0_2_0040CC4D |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_0040FC62 push ss; iretd |
0_2_0040FD26 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_0040AC38 push FBEE8E6Ah; ret |
0_2_0040AC42 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_0040FC3E push ss; iretd |
0_2_0040FD26 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_00417498 push ss; iretd |
0_2_00417496 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_0040CCB7 push ebx; retf |
0_2_0040CCDF |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_0040FD27 pushfd ; iretd |
0_2_0040FD2B |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_00416D28 push cs; iretd |
0_2_00416D2F |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_0040FD3A push ss; iretd |
0_2_0040FD26 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_00414662 push FFFFFFDBh; iretd |
0_2_00414666 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_0040B6FB push edx; iretd |
0_2_0040B808 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_0041676A push edx; iretd |
0_2_0041686B |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_0040B7EA push edx; iretd |
0_2_0040B808 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Process information set: NOOPENFILEERRORBOX |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_02B63BCE rdtsc |
0_2_02B63BCE |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_02B6225D mov eax, dword ptr fs:[00000030h] |
0_2_02B6225D |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_02B6502F mov eax, dword ptr fs:[00000030h] |
0_2_02B6502F |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_02B5D1B5 mov eax, dword ptr fs:[00000030h] |
0_2_02B5D1B5 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_02B62F6B mov eax, dword ptr fs:[00000030h] |
0_2_02B62F6B |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe |
Code function: 0_2_02B66BC4 RtlAddVectoredExceptionHandler, |
0_2_02B66BC4 |
Source: RFQ_TZDQP2110257921.exe, 00000000.00000002.1180351535.0000000000DA0000.00000002.00020000.sdmp |
Binary or memory string: Program Manager |
Source: RFQ_TZDQP2110257921.exe, 00000000.00000002.1180351535.0000000000DA0000.00000002.00020000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: RFQ_TZDQP2110257921.exe, 00000000.00000002.1180351535.0000000000DA0000.00000002.00020000.sdmp |
Binary or memory string: Progman |
Source: RFQ_TZDQP2110257921.exe, 00000000.00000002.1180351535.0000000000DA0000.00000002.00020000.sdmp |
Binary or memory string: Progmanlock |