Source: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=d_"} |
Source: RFQ_TZDQP2110257921.exe | ReversingLabs: Detection: 13% |
Source: RFQ_TZDQP2110257921.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor | URLs: https://drive.google.com/uc?export=d_ |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_02B5DAC8 NtAllocateVirtualMemory, |
Source: RFQ_TZDQP2110257921.exe, 00000000.00000002.1179974594.0000000000421000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameForlornity.exe vs RFQ_TZDQP2110257921.exe |
Source: RFQ_TZDQP2110257921.exe | Binary or memory string: OriginalFilenameForlornity.exe vs RFQ_TZDQP2110257921.exe |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_0040153A |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_00401776 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_00401729 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_02B5DAC8 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_02B66BC4 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_02B5B2CF |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_02B5B236 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_02B5B3F9 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_02B5B0FE |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_02B6502F |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_02B5A1AB |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_02B5E1FB |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_02B5F1D5 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_02B5B6B2 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_02B5A6CE |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_02B5B608 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_02B5A4C9 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_02B5A464 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_02B5A58F |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_02B5B537 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_02B64A9C |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_02B5AAF9 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_02B5AAD3 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_02B5AB45 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_02B599FD |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_02B5AEF7 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_02B63ECA |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_02B5AE6A |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_02B5AFC2 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_02B56CB7 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_02B56CCC |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_02B56C30 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_02B62C28 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_02B5AD9F |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_02B5AD46 |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | File created: C:\Users\user\AppData\Local\Temp\~DF87EDA8D7970694A0.TMP |
Source: RFQ_TZDQP2110257921.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: classification engine | Classification label: mal72.troj.evad.winEXE@1/1@0/0 |
Source: Yara match | File source: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_0041080B push CFB82872h; iretd |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_0040D0A1 push 223B155Fh; retf |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_0040A954 push 00000079h; ret |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_00407242 push eax; retf |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_00414248 push ss; iretd |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_00407257 push eax; retf |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_0040AA76 push ecx; retf |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_0040721B push eax; retf |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_00404A2C push ebx; iretd |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_0040A2F8 push edx; ret |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_0040F2FE push 0000002Eh; iretd |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_0040E2B4 push ss; iretd |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_00407357 push eax; retf |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_0040F32E push 0000002Eh; iretd |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_004113CA push esi; ret |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_004173D8 push ss; iretd |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_0040739E push eax; retf |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_004173AE push ss; iretd |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_0040CC41 push 00000043h; retf |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_0040FC62 push ss; iretd |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_0040AC38 push FBEE8E6Ah; ret |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_0040FC3E push ss; iretd |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_00417498 push ss; iretd |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_0040CCB7 push ebx; retf |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_0040FD27 pushfd ; iretd |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_00416D28 push cs; iretd |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_0040FD3A push ss; iretd |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_00414662 push FFFFFFDBh; iretd |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_0040B6FB push edx; iretd |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_0041676A push edx; iretd |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_0040B7EA push edx; iretd |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Process information set: NOOPENFILEERRORBOX |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_02B63BCE rdtsc |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_02B6225D mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_02B6502F mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_02B5D1B5 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_02B62F6B mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe | Code function: 0_2_02B66BC4 RtlAddVectoredExceptionHandler, |
Source: RFQ_TZDQP2110257921.exe, 00000000.00000002.1180351535.0000000000DA0000.00000002.00020000.sdmp | Binary or memory string: Program Manager |
Source: RFQ_TZDQP2110257921.exe, 00000000.00000002.1180351535.0000000000DA0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd |
Source: RFQ_TZDQP2110257921.exe, 00000000.00000002.1180351535.0000000000DA0000.00000002.00020000.sdmp | Binary or memory string: Progman |
Source: RFQ_TZDQP2110257921.exe, 00000000.00000002.1180351535.0000000000DA0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock |