Windows Analysis Report OFFER-8768777765554-PDF.exe

Overview

General Information

Sample Name: OFFER-8768777765554-PDF.exe
Analysis ID: 435174
MD5: dd34ccb897fa3b88af6d3da17b713b3a
SHA1: 01f5eebafc304ec00e25c2c52751cc24d05dd8c9
SHA256: 709cc1b84208f4dd7f541a50772c7888f704561866eccd4b1aee0e1ba6e3ac74

Detection

GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
Found large amount of non-executed APIs
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: OFFER-8768777765554-PDF.exe Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?cid=51D628A65732BF05&resid=51D628A65732BF05%21161&authkey=ABg4zwujoOrC4rM, https://onedrive.live.com/download?cid=CC6C941704A208C4&resid=CC6C941704"}
Multi AV Scanner detection for submitted file
Source: OFFER-8768777765554-PDF.exe Virustotal: Detection: 13%

Compliance:

Uses 32bit PE files
Source: OFFER-8768777765554-PDF.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://onedrive.live.com/download?cid=51D628A65732BF05&resid=51D628A65732BF05%21161&authkey=ABg4zwujoOrC4rM, https://onedrive.live.com/download?cid=CC6C941704A208C4&resid=CC6C941704

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: OFFER-8768777765554-PDF.exe, 00000000.00000002.577399025.00000000006AA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E5A9F NtAllocateVirtualMemory, 0_2_022E5A9F
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E574E NtAllocateVirtualMemory, 0_2_022E574E
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E5B47 NtAllocateVirtualMemory, 0_2_022E5B47
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E5BB0 NtAllocateVirtualMemory, 0_2_022E5BB0
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E5B93 NtAllocateVirtualMemory, 0_2_022E5B93
Detected potential crypto function
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_0040DCBE 0_2_0040DCBE
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E5A9F 0_2_022E5A9F
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E3E2B 0_2_022E3E2B
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E8233 0_2_022E8233
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E761E 0_2_022E761E
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E1212 0_2_022E1212
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E0E6B 0_2_022E0E6B
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E96A1 0_2_022E96A1
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E3E87 0_2_022E3E87
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E8A98 0_2_022E8A98
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E06C4 0_2_022E06C4
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E12D5 0_2_022E12D5
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E3F3D 0_2_022E3F3D
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E230E 0_2_022E230E
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E2F1B 0_2_022E2F1B
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E574E 0_2_022E574E
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E374B 0_2_022E374B
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E5B47 0_2_022E5B47
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E2751 0_2_022E2751
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E2F8B 0_2_022E2F8B
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E3783 0_2_022E3783
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E3F95 0_2_022E3F95
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E2BC4 0_2_022E2BC4
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E1BC1 0_2_022E1BC1
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E283B 0_2_022E283B
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E0000 0_2_022E0000
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E587C 0_2_022E587C
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E1043 0_2_022E1043
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E2C56 0_2_022E2C56
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E4055 0_2_022E4055
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E8C53 0_2_022E8C53
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E40AD 0_2_022E40AD
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E10AB 0_2_022E10AB
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E2CA3 0_2_022E2CA3
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E4CBC 0_2_022E4CBC
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E6089 0_2_022E6089
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E8C91 0_2_022E8C91
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E10CD 0_2_022E10CD
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E292F 0_2_022E292F
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E0D25 0_2_022E0D25
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E4523 0_2_022E4523
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E211D 0_2_022E211D
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E0D6D 0_2_022E0D6D
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E1167 0_2_022E1167
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E2564 0_2_022E2564
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E2944 0_2_022E2944
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E11A7 0_2_022E11A7
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E05BE 0_2_022E05BE
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E4D89 0_2_022E4D89
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E11E3 0_2_022E11E3
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E3DE3 0_2_022E3DE3
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E29FF 0_2_022E29FF
PE file contains strange resources
Source: OFFER-8768777765554-PDF.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: OFFER-8768777765554-PDF.exe, 00000000.00000000.194465860.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameStemmeskred7.exe vs OFFER-8768777765554-PDF.exe
Source: OFFER-8768777765554-PDF.exe, 00000000.00000002.577492034.00000000021C0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameStemmeskred7.exeFE2Xe vs OFFER-8768777765554-PDF.exe
Source: OFFER-8768777765554-PDF.exe, 00000000.00000002.577518185.00000000022D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs OFFER-8768777765554-PDF.exe
Source: OFFER-8768777765554-PDF.exe Binary or memory string: OriginalFilenameStemmeskred7.exe vs OFFER-8768777765554-PDF.exe
Uses 32bit PE files
Source: OFFER-8768777765554-PDF.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal84.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe File created: C:\Users\user\AppData\Local\Temp\~DF5C597FFB7E664D03.TMP
Source: OFFER-8768777765554-PDF.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: OFFER-8768777765554-PDF.exe Virustotal: Detection: 13%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: OFFER-8768777765554-PDF.exe, type: SAMPLE
Source: Yara match File source: 0.0.OFFER-8768777765554-PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OFFER-8768777765554-PDF.exe.400000.0.unpack, type: UNPACKEDPE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_0040506F pushfd ; retf 0_2_0040508C
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_00408090 push BAD2BC25h; retf 0_2_004080B9
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_00404D00 push ds; ret 0_2_00404D0F
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_00405535 push cs; ret 0_2_00405553
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_00408D99 push cs; ret 0_2_00408DA3
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_00404206 push ebp; ret 0_2_00404207
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_00407E0B push ds; retf 0_2_00407E0D
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_00404A19 push edx; iretd 0_2_00404A53
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_00405619 push es; ret 0_2_0040561F
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E8D5B push eax; ret 0_2_022E8D63
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E8A98 0_2_022E8A98
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E8C53 0_2_022E8C53
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E6089 0_2_022E6089
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E8C91 0_2_022E8C91
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E05BE 0_2_022E05BE
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe RDTSC instruction interceptor: First address: 00000000022E012B second address: 00000000022E012B instructions:
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe RDTSC instruction interceptor: First address: 00000000022E0392 second address: 00000000022E0392 instructions:
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe RDTSC instruction interceptor: First address: 00000000022E012B second address: 00000000022E012B instructions:
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe RDTSC instruction interceptor: First address: 00000000022E0392 second address: 00000000022E0392 instructions:
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe RDTSC instruction interceptor: First address: 00000000022E548D second address: 00000000022E548D instructions:
    0x00000000 rdtsc
    0x00000002 mov eax, 8513714Ah
    0x00000007 sub eax, BC31FDEAh
    0x0000000c sub eax, D99E02B9h
    0x00000011 add eax, 10BC8F5Ah
    0x00000016 cpuid
    0x00000018 popad
    0x00000019 jmp 00007FF5107330C6h
    0x0000001b cmp ax, 0000AF66h
    0x0000001f call 00007FF5107330D7h
    0x00000024 lfence
    0x00000027 mov edx, 0ACECDC1h
    0x0000002c xor edx, 9CCC939Eh
    0x00000032 add edx, 5020915Ah
    0x00000038 xor edx, 99DCEFADh
    0x0000003e mov edx, dword ptr [edx]
    0x00000040 lfence
    0x00000043 ret
    0x00000044 sub edx, esi
    0x00000046 ret
    0x00000047 pop ecx
    0x00000048 jmp 00007FF5107330C2h
    0x0000004a cmp edx, ecx
    0x0000004c add edi, edx
    0x0000004e test dl, cl
    0x00000050 dec ecx
    0x00000051 cmp ecx, 00000000h
    0x00000054 jne 00007FF51073307Dh
    0x00000056 mov dword ptr [ebp+00000200h], esi
    0x0000005c mov esi, ecx
    0x0000005e push esi
    0x0000005f mov esi, dword ptr [ebp+00000200h]
    0x00000065 cmp ch, bh
    0x00000067 call 00007FF5107330F6h
    0x0000006c call 00007FF510733112h
    0x00000071 lfence
    0x00000074 mov edx, 0ACECDC1h
    0x00000079 xor edx, 9CCC939Eh
    0x0000007f add edx, 5020915Ah
    0x00000085 xor edx, 99DCEFADh
    0x0000008b mov edx, dword ptr [edx]
    0x0000008d lfence
    0x00000090 ret
    0x00000091 mov esi, edx
    0x00000093 pushad
    0x00000094 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E3E2B rdtsc 0_2_022E3E2B
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe API coverage: 8.5 %
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E3E2B rdtsc 0_2_022E3E2B
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E8A98 mov eax, dword ptr fs:[00000030h] 0_2_022E8A98
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E536F mov eax, dword ptr fs:[00000030h] 0_2_022E536F
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E374B mov eax, dword ptr fs:[00000030h] 0_2_022E374B
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E3783 mov eax, dword ptr fs:[00000030h] 0_2_022E3783
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E2BC4 mov eax, dword ptr fs:[00000030h] 0_2_022E2BC4
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E7C09 mov eax, dword ptr fs:[00000030h] 0_2_022E7C09
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E811C mov eax, dword ptr fs:[00000030h] 0_2_022E811C
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: OFFER-8768777765554-PDF.exe, 00000000.00000002.577434686.0000000000D70000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: OFFER-8768777765554-PDF.exe, 00000000.00000002.577434686.0000000000D70000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: OFFER-8768777765554-PDF.exe, 00000000.00000002.577434686.0000000000D70000.00000002.00000001.sdmp Binary or memory string: Progman
Source: OFFER-8768777765554-PDF.exe, 00000000.00000002.577434686.0000000000D70000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\OFFER-8768777765554-PDF.exe Code function: 0_2_022E1453 cpuid 0_2_022E1453
No contacted IP infos