Play interactive tour

Edit tour

Analysis Report eCooEFZfZJ.exe

Overview

General Information

Sample Name:	eCooEFZfZJ.exe
Analysis ID:	433075
MD5:	2db978e7cd2512c358518b1981fee079
SHA1:	22736d8d3ffe0e79cfdc0c08187bdae652d3a23c
SHA256:	9ec05fd611c2df63c12cc15df8e87e411f358b7a6747a44d4a320c01e3367ca8
Tags:	exeGuLoader
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Potential malicious icon found

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Found potential dummy code loops (likely to delay analysis)

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to read the PEB

Detected potential crypto function

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

eCooEFZfZJ.exe (PID: 5600 cmdline: 'C:\Users\user\Desktop\eCooEFZfZJ.exe' MD5: 2DB978E7CD2512C358518B1981FEE079)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://bara-seck.com/bin_sLFaSDyCig163.bin, http://benvenuti.rs/wp-content/bin_s"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.755211123.00000000021B0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.755211123.00000000021B0000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://bara-seck.com/bin_sLFaSDyCig163.bin, http://benvenuti.rs/wp-content/bin_s"}

Multi AV Scanner detection for submitted file

Show sources

Source: eCooEFZfZJ.exe

Virustotal: Detection: 15%

Perma Link

Source: eCooEFZfZJ.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://bara-seck.com/bin_sLFaSDyCig163.bin, http://benvenuti.rs/wp-content/bin_s

System Summary:

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Source: C:\Users\user\Desktop\eCooEFZfZJ.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6C42 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6E1D NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6E0A NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6E35 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6E29 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6E2D NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6E21 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6E41 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6E7D NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6E75 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6E99 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6E95 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6E81 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6EA1 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6EA5 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6F19 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6F1D NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6F11 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6F0D NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6F31 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6F29 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6F25 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6F7F NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6F99 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6F9D NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6F91 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6F8D NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6F85 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6FB1 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6FB5 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6FA9 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6FA5 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6C49 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6C77 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6CBA NtAllocateVirtualMemory,

Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_004063AF
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6C42
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5211
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5215
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B1209
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B520D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B120D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B1201
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5239
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B522D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5221
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B1225
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B1279
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B527D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5273
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5275
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5299
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5295
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5289
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B528D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5281
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B1281
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B1285
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B52B1
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B12A9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B52AD
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B52A1
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B12A5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B52A5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B12F9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B52FD
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B12F5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B12ED
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B131D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5315
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5309
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B532D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5321
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B1325
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B4379
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B4375
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B1368
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B136D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B1399
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B139D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B3388
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B33B9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B33BD
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B53BD
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B33B1
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B53B5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B33AE
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B73D9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B53DE
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B73D2
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B33D5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B33C9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B53C9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B73C8
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B53CD
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B33C5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B73F1
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B73ED
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B73E1
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B73E5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B105D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B1069
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5069
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B506D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B1065
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5099
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B1099
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B509D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5091
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B1095
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B1089
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B508D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B108D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B50B1
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B50A9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B50A5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B10C5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B50F9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B50FD
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B50E0
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5119
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B510D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5101
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B113D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B1136
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B115D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B1151
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B1155
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B1149
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B1145
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B1169
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B116D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B1199
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B1195
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B1188
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B118D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B51B9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B11B9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B11BD
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B51BD
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B11B1
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B51B1
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B51AD
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B11AD
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B51A2
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B51A5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B51D1
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B51C9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B51C5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B11FD
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B11F1
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B11F5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B11EF
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B761D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5611
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7616
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B760D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B4601
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7601
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5605
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7605
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7629
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5625
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B3659
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B4651
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7651
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B364D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B4645
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0679
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5679
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B567D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5671
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0675
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7675
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B566E
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B3661
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B3665
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B569D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5689
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5685
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B36D9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B36DD
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B36D1
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B36CD
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B46C1
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B36C1
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B46C5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B36C5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B56F9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B06F5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B56ED
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B26E1
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B56E4
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5705
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B3751
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5755
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B374D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B3741
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B3745
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0779
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0775
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0769
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B076D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B476D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5791
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5795
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5789
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B57B9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B37B5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B57B5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B37A9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B57AD
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B57A6
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B37C1
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B57F9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B07F9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B57FD
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B07FD
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B57F1
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B07F1
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B07ED
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B07E1
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B47E5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B07E5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B1419
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B141D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B541D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5413
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B1411
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5415
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B140D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5439
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B343F
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5435
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5429
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B542D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5421
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7425
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7459
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7455
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B344D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B3441
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5441
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B3479
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B747D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B3471
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B4471
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7476
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B446E
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B346D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7461
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7465
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B549D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5491
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B748E
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B148D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5480
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5485
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7485
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B54B5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B54A9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B44D9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B44D5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B44CE
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B34FD
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B74FD
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B74F5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B74EE
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B34ED
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B34E1
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B44E1
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B44E5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B34E5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B551D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5511
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5515
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5509
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7509
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B750D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B1501
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7501
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5500
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5505
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B453C
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5535
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5529
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B552D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5521
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B3559
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B4559
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B355D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B4555
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B4549
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B454D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B4541
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B557D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B757D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B1571
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7571
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5576
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7575
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7569
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7562
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B3565
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B2591
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5591
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5595
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7595
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5589
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7589
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7581
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5585
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B45A5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B35D9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B35DD
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B35D1
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B45D5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B45C9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B35CD
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B25C7
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B45C6
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B55FA
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B45F9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B75F9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B45F2
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B75F7
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5A11
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B3A09
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5A09
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B3A0D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B3A01
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5A05
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B3A25
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0A51
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0A55
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0A49
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5A40
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7A7A
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5A70
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0A75
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0A69
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0A6D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0A99
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0A9D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0A93
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5AD9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5AD5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B3ACD
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5ACD
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0AC1
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5AED
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5AE1
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5AE5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0B11
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B3B0B
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0B0D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5B41
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5B79
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5B75
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5B99
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5B91
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5B8D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5B81
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5B85
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5BF5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B581A
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B381E
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5811
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5809
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5805
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B3839
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B3835
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B3829
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B382D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B3821
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5821
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0859
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B085D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B3841
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5844
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B387C
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0871
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5870
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0869
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0865
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B389D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B3895
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B388E
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B38B9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B38B5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B38A9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B38AD
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B38A1
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B58D9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B08DD
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B08D1
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B58D5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B08D5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B58C9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B38CD
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B58CD
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B38C1
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B58C1
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B38C5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B38F9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B38FD
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B08F5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B38F4
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B08E9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B08ED
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B58E1
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B08E1
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B58E5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B3911
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0916
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B3915
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B3909
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B3905
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B095D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021BA953
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5979
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B3979
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B397D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5972
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B3971
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5969
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0969
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B396D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B096D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5961
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0961
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B3991
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5991
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B3995
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B3989
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B598D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5981
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5985
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B3985
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B69B9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B69B5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B69AD
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B69A6
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B09DD
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B69DC
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B09D1
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B09D5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B09C9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B69C1
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B69C5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B39FB
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B59F9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B59FD
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B59F1
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B09E1
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5E2D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6E2D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5E27
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5E51
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B2E4F
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6E41
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5E45
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5E9E
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5EB9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5EB5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5EA9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5EA1
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6EA5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5ED9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0EF9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0EF5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0EE9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0EED
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0EE1
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0F1B
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0F01
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0F39
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0F35
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0F5D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0F51
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0F55
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0F61
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0FDD
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0FD1
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5FFD
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0FF1
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0FF5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0FE9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B0FE5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5C19
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5C0D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5C01
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5C21
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5C25
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5C46
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6C77
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B5C6F

Source: eCooEFZfZJ.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: eCooEFZfZJ.exe, 00000000.00000000.227779697.0000000000430000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamePerspektivls4.exe vs eCooEFZfZJ.exe
Source: eCooEFZfZJ.exe, 00000000.00000002.755015651.00000000020C0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs eCooEFZfZJ.exe
Source: eCooEFZfZJ.exe	Binary or memory string: OriginalFilenamePerspektivls4.exe vs eCooEFZfZJ.exe

Source: eCooEFZfZJ.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal88.rans.troj.evad.winEXE@1/0@0/0

Source: eCooEFZfZJ.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\eCooEFZfZJ.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: C:\Users\user\Desktop\eCooEFZfZJ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: eCooEFZfZJ.exe

Virustotal: Detection: 15%

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000000.00000002.755211123.00000000021B0000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_0040CC6F push es; ret
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_0040CD0D push es; ret
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_00409133 push es; ret
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_0040CD36 push es; ret
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_004071C4 push es; ret
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_0040ADE0 push es; ret
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_00402DE4 push dword ptr [ebp-1Ch]; ret
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_0040C1E7 push es; ret
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_0040C1F2 push es; retf
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_00409199 push es; ret
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_00408A53 push es; ret
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_0040AE61 push es; ret
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6C42 push esi; iretd
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B723A push esi; iretd
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7259 push esi; iretd
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7252 push esi; iretd
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7249 push esi; iretd
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7241 push esi; iretd
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B827F push esi; iretd
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7261 push esi; iretd
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B8299 push esi; iretd
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B8292 push esi; iretd
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B72B3 push esi; iretd
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B82AD push esi; iretd
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B82A5 push esi; iretd
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B72D9 push esi; iretd
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B72D5 push esi; iretd
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B82D4 push esi; iretd
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B733A push esi; iretd
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7349 push esi; iretd
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B734D push esi; iretd

Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B73D9
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B73D2
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B73C8
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B73F1
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B73ED
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B73E1
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B73E5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B761D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7616
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B760D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7601
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7605
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7629
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7675
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7425
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7459
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7455
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B747D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7476
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7461
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7465
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B748E
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7485
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B74FD
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B74F5
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B74EE
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B750D
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7501
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7571
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7575
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7569
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7562
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7595
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B7589
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021BA953

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\eCooEFZfZJ.exe

RDTSC instruction interceptor: First address: 00000000021B9ADF second address: 00000000021B9ADF instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b add edx, ebx 0x0000000d xor edx, E6D43193h 0x00000013 add esi, 02h 0x00000016 cmp word ptr [esi], 0000h 0x0000001a jne 00007FA8A0F1C80Ah 0x0000001c mov ebx, edx 0x0000001e shl edx, 05h 0x00000021 add edx, ebx 0x00000023 movzx ebx, byte ptr [esi] 0x00000026 jmp 00007FA8A0F1C8AEh 0x00000028 pushad 0x00000029 lfence 0x0000002c rdtsc

Source: C:\Users\user\Desktop\eCooEFZfZJ.exe

Code function: 0_2_00407096 rdtsc

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\eCooEFZfZJ.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\eCooEFZfZJ.exe

Code function: 0_2_00407096 rdtsc

Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B9059 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B44D9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B44D5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B44CE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B453C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B4549 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B454D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B4541 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B45A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B387C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B6862 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021B9916 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\eCooEFZfZJ.exe	Code function: 0_2_021BA953 mov eax, dword ptr fs:[00000030h]

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: eCooEFZfZJ.exe, 00000000.00000002.754732099.0000000000CA0000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: eCooEFZfZJ.exe, 00000000.00000002.754732099.0000000000CA0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: eCooEFZfZJ.exe, 00000000.00000002.754732099.0000000000CA0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: eCooEFZfZJ.exe, 00000000.00000002.754732099.0000000000CA0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\eCooEFZfZJ.exe

Code function: 0_2_00403FEC GetSystemTime,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Security Software Discovery31	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Virtualization/Sandbox Evasion11	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	System Information Discovery22	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
eCooEFZfZJ.exe	16%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://bara-seck.com/bin_sLFaSDyCig163.bin, http://benvenuti.rs/wp-content/bin_s	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://bara-seck.com/bin_sLFaSDyCig163.bin, http://benvenuti.rs/wp-content/bin_s	true	Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	433075
Start date:	11.06.2021
Start time:	08:53:11
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 44s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	eCooEFZfZJ.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.rans.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 6.9% (good quality ratio 0.9%) Quality average: 7% Quality standard deviation: 20%
HCA Information:	Successful, ratio: 56% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.829117662846915
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	eCooEFZfZJ.exe
File size:	196608
MD5:	2db978e7cd2512c358518b1981fee079
SHA1:	22736d8d3ffe0e79cfdc0c08187bdae652d3a23c
SHA256:	9ec05fd611c2df63c12cc15df8e87e411f358b7a6747a44d4a320c01e3367ca8
SHA512:	5997658234b2c8a07838610c82085838b02bc9b548b6fb22414bf278b0cd23643336346ebf4cc654c230dc36f90397750e199574ad090f30e496db6a4fd8540f
SSDEEP:	1536:WNwYHz6OVtodLOhD0rd7NOG9jwvEJdx+hE+1nvK+LDWiYmGPeR2pB/uA0sicOnyQ:cH6OVt2LvdpJnJiv1CKWy8p4ALipl5Z
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L....N.Z.....................0......0.............@................

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x401f30
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5A004E93 [Mon Nov 6 11:59:15 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	51114cc98630aad2088aa48f6e7a2e19

Entrypoint Preview

Instruction
push 0040228Ch
call 00007FA8A0F821E3h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx+1Dh], bl
push cs
int 8Bh
lodsb
xor byte ptr [edx-60h], al
cld
push cs
int 76h
push FFFFFFCFh
adc eax, dword ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+6Ah], dl
add eax, 41505303h
inc edi
dec eax
inc ebp
push esp
push esp
dec ecx
add byte ptr [ecx+00h], al
and byte ptr [eax], cl
inc ecx
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
punpckhdq mm0, qword ptr [edi+554ED9F9h]
mov eax, 11769743h
pop esp
out DFh, eax
jmp 00007FA84881841Bh
dec ebx
das

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2caf4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x30000	0x950	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x198	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2c16c	0x2d000	False	0.311729600694	data	6.01771014226	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x2e000	0x12ac	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x30000	0x950	0x1000	False	0.172119140625	data	2.02186622034	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x30820	0x130	data
RT_ICON	0x30538	0x2e8	data
RT_ICON	0x30410	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x303e0	0x30	data
RT_VERSION	0x30150	0x290	MS Windows COFF PA-RISC object file	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaLenBstr, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaSetSystemError, __vbaRecDestruct, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryVar, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarTstLt, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRedim, __vbaRecUniToAnsi, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaFileOpen, __vbaNew2, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaVarDup, __vbaStrToAnsi, __vbaRecDestructAnsi, _CIatan, __vbaStrMove, __vbaCastObj, __vbaAryCopy, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	Perspektivls4
FileVersion	1.00
CompanyName	Property
Comments	Property
ProductName	Property
ProductVersion	1.00
FileDescription	Property
OriginalFilename	Perspektivls4.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Analysis Process: eCooEFZfZJ.exe PID: 5600 Parent PID: 5728

General

Start time:	08:54:00
Start date:	11/06/2021
Path:	C:\Users\user\Desktop\eCooEFZfZJ.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\eCooEFZfZJ.exe'
Imagebase:	0x400000
File size:	196608 bytes
MD5 hash:	2DB978E7CD2512C358518B1981FEE079
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.755211123.00000000021B0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report eCooEFZfZJ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

System Behavior

Analysis Process: eCooEFZfZJ.exe PID: 5600 Parent PID: 5728

General

Disassembly

Code Analysis