Loading ...

Play interactive tourEdit tour

Windows Analysis Report nZdwtTEYoW.exe

Overview

General Information

Sample Name:nZdwtTEYoW.exe
Analysis ID:451394
MD5:c8feb9d53b567cd1bfb0e59cf7d26bc2
SHA1:82a22cb59d46bae21fa4877015e163eacc04a022
SHA256:642a0df15a9b8e3124d638e755f0bdbacd0d1c3ff01b59b36213a190a5e5645a
Tags:exeGuLoader
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • nZdwtTEYoW.exe (PID: 4536 cmdline: 'C:\Users\user\Desktop\nZdwtTEYoW.exe' MD5: C8FEB9D53B567CD1BFB0E59CF7D26BC2)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1OPtVT-x7\"[OfT"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Found malware configurationShow sources
    Source: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1OPtVT-x7\"[OfT"}
    Multi AV Scanner detection for submitted fileShow sources
    Source: nZdwtTEYoW.exeVirustotal: Detection: 25%Perma Link
    Source: nZdwtTEYoW.exeReversingLabs: Detection: 13%
    Machine Learning detection for sampleShow sources
    Source: nZdwtTEYoW.exeJoe Sandbox ML: detected
    Source: nZdwtTEYoW.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    barindex
    C2 URLs / IPs found in malware configurationShow sources
    Source: Malware configuration extractorURLs: https://drive.google.com/uc?export=download&id=1OPtVT-x7"[OfT
    Source: nZdwtTEYoW.exe, 00000000.00000002.761919156.000000000064A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeProcess Stats: CPU usage > 98%
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022155D9 NtAllocateVirtualMemory,0_2_022155D9
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022157A7 NtAllocateVirtualMemory,0_2_022157A7
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_004011280_2_00401128
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022155D90_2_022155D9
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022142330_2_02214233
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022112620_2_02211262
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022122A30_2_022122A3
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022182CB0_2_022182CB
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_0221330A0_2_0221330A
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022130630_2_02213063
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022120EB0_2_022120EB
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022179230_2_02217923
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022121140_2_02212114
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022139170_2_02213917
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022181670_2_02218167
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022109740_2_02210974
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022109EF0_2_022109EF
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022126CF0_2_022126CF
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02216F7F0_2_02216F7F
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_0221379D0_2_0221379D
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02210F9F0_2_02210F9F
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02210FFE0_2_02210FFE
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022137D80_2_022137D8
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02210CA70_2_02210CA7
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022154BA0_2_022154BA
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02211CBD0_2_02211CBD
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022134EA0_2_022134EA
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022125310_2_02212531
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022185010_2_02218501
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_0221854C0_2_0221854C
    Source: nZdwtTEYoW.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: nZdwtTEYoW.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: nZdwtTEYoW.exe, 00000000.00000000.234126028.0000000000417000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameCALICOES.exe vs nZdwtTEYoW.exe
    Source: nZdwtTEYoW.exe, 00000000.00000002.762332668.00000000021E0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs nZdwtTEYoW.exe
    Source: nZdwtTEYoW.exeBinary or memory string: OriginalFilenameCALICOES.exe vs nZdwtTEYoW.exe
    Source: nZdwtTEYoW.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: classification engineClassification label: mal88.troj.evad.winEXE@1/0@0/0
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeFile created: C:\Users\user\AppData\Local\Temp\~DFCCD223C299E0DF5D.TMPJump to behavior
    Source: nZdwtTEYoW.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: nZdwtTEYoW.exeVirustotal: Detection: 25%
    Source: nZdwtTEYoW.exeReversingLabs: Detection: 13%

    Data Obfuscation:

    barindex
    Yara detected GuLoaderShow sources
    Source: Yara matchFile source: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_00401128 push esi; retn 4D4Dh0_2_0040263F
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_00404916 push 00000014h; ret 0_2_00404938
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02216A23 push ebx; iretd 0_2_02216A2E
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02218223 push ebx; iretd 0_2_0221822E
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02214227 push ebx; iretd 0_2_02214232
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_0221222B push ebx; iretd 0_2_02212236
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02216A2F push ebx; iretd 0_2_02216A3A
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_0221822F push ebx; iretd 0_2_0221823A
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02212237 push ebx; iretd 0_2_02212242
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02216A3B push ebx; iretd 0_2_02216A46
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_0221823B push ebx; iretd 0_2_02218246
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02214203 push ebx; iretd 0_2_0221420E
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02212207 push ebx; iretd 0_2_02212212
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02216A0B push ebx; iretd 0_2_02216A16
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_0221820B push ebx; iretd 0_2_02218216
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_0221420F push ebx; iretd 0_2_0221421A
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02212213 push ebx; iretd 0_2_0221221E
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02216A17 push ebx; iretd 0_2_02216A22
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02218217 push ebx; iretd 0_2_02218222
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_0221421B push ebx; iretd 0_2_02214226
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_0221221F push ebx; iretd 0_2_0221222A
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02212267 push ebx; iretd 0_2_02212272
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02218A67 push ebx; iretd 0_2_02218A72
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02216A6B push ebx; iretd 0_2_02216A76
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_0221826B push ebx; iretd 0_2_02218276
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02212A6F push ebx; iretd 0_2_02212A7A
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02212273 push ebx; iretd 0_2_0221227E
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02218A73 push ebx; iretd 0_2_02218A7E
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02216A77 push ebx; iretd 0_2_02216A82
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02218277 push ebx; iretd 0_2_02218282
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02212A7B push ebx; iretd 0_2_02212A86
    Source: initial sampleStatic PE information: section name: .text entropy: 6.90665747983
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

    Malware Analysis System Evasion:

    barindex
    Contains functionality to detect hardware virtualization (CPUID execution measurement)Show sources
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02213917 0_2_02213917
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02218167 0_2_02218167
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02216F7F 0_2_02216F7F
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_0221379D 0_2_0221379D
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_022137D8 0_2_022137D8
    Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeRDTSC instruction interceptor: First address: 000000000221928F second address: 000000000221928F instructions:
    Tries to detect virtualization through RDTSC time measurementsShow sources
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeRDTSC instruction interceptor: First address: 0000000002219277 second address: 000000000221928F instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 xor ecx, AF55D2FDh 0x00000009 mov dword ptr [edi+ecx], eax 0x0000000c mov ecx, C83BC8F2h 0x00000011 xor ecx, 51282A31h 0x00000017 pushad 0x00000018 rdtsc
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeRDTSC instruction interceptor: First address: 000000000221928F second address: 000000000221928F instructions:
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02215223 rdtsc 0_2_02215223
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

    Anti Debugging:

    barindex
    Found potential dummy code loops (likely to delay analysis)Show sources
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeProcess Stats: CPU usage > 90% for more than 60s
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02215223 rdtsc 0_2_02215223
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_0221732C mov eax, dword ptr fs:[00000030h]0_2_0221732C
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02213063 mov eax, dword ptr fs:[00000030h]0_2_02213063
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02218167 mov eax, dword ptr fs:[00000030h]0_2_02218167
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02214E17 mov eax, dword ptr fs:[00000030h]0_2_02214E17
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02217730 mov eax, dword ptr fs:[00000030h]0_2_02217730
    Source: C:\Users\user\Desktop\nZdwtTEYoW.exeCode function: 0_2_02212531 mov eax, dword ptr fs:[00000030h]0_2_02212531
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: nZdwtTEYoW.exe, 00000000.00000002.762104932.0000000000DD0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
    Source: nZdwtTEYoW.exe, 00000000.00000002.762104932.0000000000DD0000.00000002.00000001.sdmpBinary or memory string: Progman
    Source: nZdwtTEYoW.exe, 00000000.00000002.762104932.0000000000DD0000.00000002.00000001.sdmpBinary or memory string: SProgram Managerl
    Source: nZdwtTEYoW.exe, 00000000.00000002.762104932.0000000000DD0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd,
    Source: nZdwtTEYoW.exe, 00000000.00000002.762104932.0000000000DD0000.00000002.00000001.sdmpBinary or memory string: Progmanlock

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11Input Capture1Security Software Discovery41Remote ServicesInput Capture1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsSoftware Packing1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolArchive Collected Data1Exfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Process Injection1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information2NTDSSystem Information Discovery31Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.

    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    nZdwtTEYoW.exe25%VirustotalBrowse
    nZdwtTEYoW.exe13%ReversingLabsWin32.Trojan.Vebzenpak
    nZdwtTEYoW.exe100%Joe Sandbox ML

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version:33.0.0 White Diamond
    Analysis ID:451394
    Start date:20.07.2021
    Start time:15:49:08
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 7m 48s
    Hypervisor based Inspection enabled:false
    Report type:full
    Sample file name:nZdwtTEYoW.exe
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of analysed new started processes analysed:26
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal88.troj.evad.winEXE@1/0@0/0
    EGA Information:Failed
    HDC Information:Failed
    HCA Information:Failed
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .exe
    • Override analysis time to 240s for sample files taking high CPU consumption
    Warnings:
    Show All
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
    • Not all processes where analyzed, report is missing behavior information

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    No created / dropped files found

    Static File Info

    General

    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):6.4666127843418355
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.15%
    • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:nZdwtTEYoW.exe
    File size:118784
    MD5:c8feb9d53b567cd1bfb0e59cf7d26bc2
    SHA1:82a22cb59d46bae21fa4877015e163eacc04a022
    SHA256:642a0df15a9b8e3124d638e755f0bdbacd0d1c3ff01b59b36213a190a5e5645a
    SHA512:da707134a7bfdcb66389f111bb363d1e7b7260bb718d6ae999a23fc538e2065d8be766a713d8d20860e835eb21609bbbcb0d0b6c237124fa38bd2ada04acf157
    SSDEEP:1536:/bjX1R6rHR+Gz6YsFdVfKcLe0NMDfuoFVHYGokXYtvcOOfgrJZ+R6rHJXdb:jjX1yH1HErzwmoFtoZtkJgrCyHJXd
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L....!.Q.................@..........(........P....@................

    File Icon

    Icon Hash:b29a4a4a5a4a4a45

    Static PE Info

    General

    Entrypoint:0x401128
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    DLL Characteristics:
    Time Stamp:0x510121E6 [Thu Jan 24 11:58:30 2013 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:5c4d602843f54570889588b32f7af650

    Entrypoint Preview

    Instruction
    push 00407B98h
    call 00007FD7D0F25435h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    xor byte ptr [eax], al
    add byte ptr [eax], al
    cmp byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    lds esp, fword ptr [ecx-6Ch]
    movsb
    adc ch, byte ptr [edx+19h]
    dec ebx
    mov bh, byte ptr [ecx-56DB9884h]
    hlt
    add dword ptr [eax], 00000000h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add dword ptr [eax], eax
    add byte ptr [eax], al
    inc edx
    add byte ptr [esi], al
    push eax
    add dword ptr [ecx], 55h
    dec esi
    inc edx
    inc ebp
    dec esp
    push esp
    add byte ptr [edx], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    dec esp
    xor dword ptr [eax], eax
    pop es
    xchg byte ptr [esi+5DD8F6A1h], cl
    xor al, byte ptr [eax-6Bh]
    jle 00007FD7D0F25484h
    mov esp, FCF62DCCh
    in al, dx
    cmp byte ptr [edi], 0000006Bh
    mov bl, D2h
    dec edx
    mov ecx, 88920A1Fh
    pop esp
    jle 00007FD7D0F2547Ch
    dec edi
    lodsd
    xor ebx, dword ptr [ecx-48EE309Ah]
    or al, 00h
    stosb
    add byte ptr [eax-2Dh], ah
    xchg eax, ebx
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    into
    imul eax, dword ptr [eax], 0068A700h
    add byte ptr [eax], al
    or byte ptr [eax], al
    dec esp
    inc ecx
    dec esi
    inc esp
    dec esp
    dec edi
    inc ebx
    dec ebx
    add byte ptr [42001001h], cl
    push edx
    dec edi
    dec esp
    inc edi
    inc edi
    inc ebp
    push edx
    dec edx
    dec edi
    dec ebp
    inc esi
    push edx
    push ebp

    Data Directories

    NameVirtual AddressVirtual Size Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_IMPORT0x14b440x28.text
    IMAGE_DIRECTORY_ENTRY_RESOURCE0x170000x6d6a.rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
    IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x2280x20
    IMAGE_DIRECTORY_ENTRY_IAT0x10000x74.text
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

    Sections

    NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
    .text0x10000x13d900x14000False0.640209960938data6.90665747983IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    .data0x150000x115c0x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
    .rsrc0x170000x6d6a0x7000False0.566301618304data5.78429982153IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

    Resources

    NameRVASizeTypeLanguageCountry
    RT_ICON0x1cec20xea8data
    RT_ICON0x1c61a0x8a8data
    RT_ICON0x1bf520x6c8data
    RT_ICON0x1b9ea0x568GLS_BINARY_LSB_FIRST
    RT_ICON0x194420x25a8data
    RT_ICON0x1839a0x10a8data
    RT_ICON0x17a120x988data
    RT_ICON0x175aa0x468GLS_BINARY_LSB_FIRST
    RT_GROUP_ICON0x175340x76data
    RT_VERSION0x172400x2f4dataMalteseMalta

    Imports

    DLLImport
    MSVBVM60.DLL_CIcos, _adj_fptan, _adj_fdiv_m64, _adj_fprem1, _adj_fdiv_m32, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, _adj_fdiv_m32i, _adj_fdivr_m32i, _adj_fdivr_m32, _adj_fdiv_r, _CIatan, _allmul, _CItan, _CIexp

    Version Infos

    DescriptionData
    Translation0x043a 0x04b0
    LegalCopyrightSchoology
    InternalNameCALICOES
    FileVersion1.00
    CompanyNameSchoology
    LegalTrademarksSchoology
    CommentsSchoology
    ProductNameSchoology
    ProductVersion1.00
    FileDescriptionSchoology
    OriginalFilenameCALICOES.exe

    Possible Origin

    Language of compilation systemCountry where language is spokenMap
    MalteseMalta

    Network Behavior

    No network behavior found

    Code Manipulations

    Statistics

    CPU Usage

    Click to jump to process

    Memory Usage

    Click to jump to process

    System Behavior

    General

    Start time:15:50:01
    Start date:20/07/2021
    Path:C:\Users\user\Desktop\nZdwtTEYoW.exe
    Wow64 process (32bit):true
    Commandline:'C:\Users\user\Desktop\nZdwtTEYoW.exe'
    Imagebase:0x400000
    File size:118784 bytes
    MD5 hash:C8FEB9D53B567CD1BFB0E59CF7D26BC2
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Visual Basic
    Yara matches:
    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp, Author: Joe Security
    Reputation:low

    Disassembly

    Code Analysis

    Reset < >

      Executed Functions

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.761479907.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.761465033.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.761542229.0000000000415000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.761556615.0000000000417000.00000002.00020000.sdmp Download File
      Similarity
      • API ID: #100
      • String ID: 1%nB$VB5!6&*$q
      • API String ID: 1341478452-1418848133
      • Opcode ID: 0bb2582355f795bb24e430a3c1cb97c7a51ba9a4cd9eece23b16decd8ea0fbc3
      • Instruction ID: d91c6dda3393b829e1e0181ca1c959403ab251d6e7d627793f2febcae7cdbe5c
      • Opcode Fuzzy Hash: 0bb2582355f795bb24e430a3c1cb97c7a51ba9a4cd9eece23b16decd8ea0fbc3
      • Instruction Fuzzy Hash: 7D5236614097C05EC70B4A348E2D2567F72AAA336679905FBC481BF1F3D1BE4886C76D
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • NtAllocateVirtualMemory.NTDLL ref: 02215831
      Memory Dump Source
      • Source File: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false
      Yara matches
      Similarity
      • API ID: AllocateMemoryVirtual
      • String ID:
      • API String ID: 2167126740-0
      • Opcode ID: 9f91272f6e657931e931bc11078f44329d0a32fed0546ca9402c6b910abdd505
      • Instruction ID: 26818deaeee300425c2a76c229acf2ff1665de90a1e8e463249999210c553dc5
      • Opcode Fuzzy Hash: 9f91272f6e657931e931bc11078f44329d0a32fed0546ca9402c6b910abdd505
      • Instruction Fuzzy Hash: C0919C725243898FDB30DFB4CC91BDA7BE6EF99354F940099D8888B215C331C5868B52
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • NtAllocateVirtualMemory.NTDLL ref: 02215831
      Memory Dump Source
      • Source File: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false
      Yara matches
      Similarity
      • API ID: AllocateMemoryVirtual
      • String ID:
      • API String ID: 2167126740-0
      • Opcode ID: 5cb0876ce9c7cf8b2980f8c56672f8649f987f5f4b06e06eac3a9bdd1736a751
      • Instruction ID: 5ea51191302b5e5f631533c1afdeafa274a1d3dd7ab1ec50d7f578ca4fcc1556
      • Opcode Fuzzy Hash: 5cb0876ce9c7cf8b2980f8c56672f8649f987f5f4b06e06eac3a9bdd1736a751
      • Instruction Fuzzy Hash: E5216972A61688DFEB70CF64DC80BD9B7E2EF99324F644519D88C9B224C7309A85CB45
      Uniqueness

      Uniqueness Score: -1.00%

      Non-executed Functions

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: K{:$k7DL$x )$x )
      • API String ID: 0-573531396
      • Opcode ID: cbbf0c4bff7bba9aa70f88f6d8d7e7a4481093a49bdb4e16a2b92185206b80a0
      • Instruction ID: d14001f03de6660c6e8b9a3adcdee97a3f1fe53f5d0c15be95399e712efe64a0
      • Opcode Fuzzy Hash: cbbf0c4bff7bba9aa70f88f6d8d7e7a4481093a49bdb4e16a2b92185206b80a0
      • Instruction Fuzzy Hash: 6E32F9715143C58FDB35CF38C898BDABBE2AF56360F49C29AC8998F29AD3348541C716
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: ZYa$\l9
      • API String ID: 0-2703591555
      • Opcode ID: b1a142def564d13704610064d2668329b4fc718ac94f451c10cf0608110cb812
      • Instruction ID: 160375ce263f48fd9a105fe25a0aa5c6d539a7efc9a6d0ace949e5e1b5c5caf4
      • Opcode Fuzzy Hash: b1a142def564d13704610064d2668329b4fc718ac94f451c10cf0608110cb812
      • Instruction Fuzzy Hash: 1462EA726043899FDB749F68CD95BDABBA2FF54310F41812DDC8A9B224D3719A81CB42
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: ZYa$\l9
      • API String ID: 0-2703591555
      • Opcode ID: 85c739ecdf5e2649450aed2f0afb97fa872434a7ca6bbac8e0a00c5ceed23042
      • Instruction ID: e6215e0daa581c24998e5c6046861253201a3f0a11cd7f3a37c6a11ac159561b
      • Opcode Fuzzy Hash: 85c739ecdf5e2649450aed2f0afb97fa872434a7ca6bbac8e0a00c5ceed23042
      • Instruction Fuzzy Hash: 2852DB726043899FDB749F78CD95BDABBB2FF54310F524129DC8A9B214D3709A81CB42
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: ZYa$\l9
      • API String ID: 0-2703591555
      • Opcode ID: 5897d5f9525e5ff67529982363bed710c20189dca9f061aac34544bf2a461cc2
      • Instruction ID: da8c9b0695ce5921aa2597c74c8db499d111963eaef03e42172b199034b16a1a
      • Opcode Fuzzy Hash: 5897d5f9525e5ff67529982363bed710c20189dca9f061aac34544bf2a461cc2
      • Instruction Fuzzy Hash: 7052DA726043899FDB749F78CD95BDABBB2FF54310F528129DC899B214C3709A81CB82
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: $w!$k7DL
      • API String ID: 0-3053937184
      • Opcode ID: ce7b4ced9cb69c0ae2d8276d44fa1b1abdd014b5bb482de5084ef2cbc1d9c1a1
      • Instruction ID: 1ddc73f24644a27dce90b810b93bcf9327d445f693f0b2514df566fffcaacc20
      • Opcode Fuzzy Hash: ce7b4ced9cb69c0ae2d8276d44fa1b1abdd014b5bb482de5084ef2cbc1d9c1a1
      • Instruction Fuzzy Hash: B632AD71A146959FDB64DF28CC90BDAB7E2FF99310F15822AEC4D9B314D730AA41CB90
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false
      Yara matches
      Similarity
      • API ID: AllocateMemoryVirtual
      • String ID: <$v].
      • API String ID: 2167126740-2854884050
      • Opcode ID: be7878d67aec070f92d5d86a1e4f74a9a4293870a558d9bf80648e44443528c3
      • Instruction ID: 42b70785e23319e7448fb111787abbcf1482f16072ecb2dbeb060c1d0f612d66
      • Opcode Fuzzy Hash: be7878d67aec070f92d5d86a1e4f74a9a4293870a558d9bf80648e44443528c3
      • Instruction Fuzzy Hash: 24220271A143899FDB34AF68CC94BEE77E2AFA8340F55412EDC8D9B254D7309A81CB41
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false
      Yara matches
      Similarity
      • API ID: AllocateMemoryVirtual
      • String ID: <$v].
      • API String ID: 2167126740-2854884050
      • Opcode ID: 7fe7c3fa8050b8e3f3f3d4bdeb46fee88ce79b3c487b2e35c585092b65a3d3b9
      • Instruction ID: f40477e53a9a6fe679514527dcb5168ce61f8e739f5b7ac1668c290ab5e9db3d
      • Opcode Fuzzy Hash: 7fe7c3fa8050b8e3f3f3d4bdeb46fee88ce79b3c487b2e35c585092b65a3d3b9
      • Instruction Fuzzy Hash: A5F12372A143899BDF349F68CC94BEE77E2AFA9310F65402EDC4D9B218D7305A81CB51
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: <$v].
      • API String ID: 0-2854884050
      • Opcode ID: 380995033ca2d2a78ba2da5c78a896b17875eba64858888362ff1d3e385490c1
      • Instruction ID: ccff6c19edc5b45b50f82045cab5976c72fcd88f9379f131623267daa298c1e7
      • Opcode Fuzzy Hash: 380995033ca2d2a78ba2da5c78a896b17875eba64858888362ff1d3e385490c1
      • Instruction Fuzzy Hash: E9B14672A143989BDF389F64CC55BEE77B2AF99340F26441EDC8D9B214D7305A818F82
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: ZYa
      • API String ID: 0-34885360
      • Opcode ID: 478cf8f48f60a570b49276f411c99ab043c63a0e3cb50eb58cdfdc7a415b64a5
      • Instruction ID: 725f8776c59eba6bf19cb8c90e3ea66a84109e0ebb7496f80fa9a52fb55bc3f9
      • Opcode Fuzzy Hash: 478cf8f48f60a570b49276f411c99ab043c63a0e3cb50eb58cdfdc7a415b64a5
      • Instruction Fuzzy Hash: D3021DB260838A9FDB649F79C995BDABBB2FF54310F42411DDC899B210D3749A81CF42
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: $w!
      • API String ID: 0-603683437
      • Opcode ID: e324d9a4c9be31d3d070fa90b6bbe30ccf38e579462bd9735fa085e89faa0296
      • Instruction ID: a1937e0bb5d8ca63b341260a3c6ece164739bb26a617e96fa9b4c1de9c3b2887
      • Opcode Fuzzy Hash: e324d9a4c9be31d3d070fa90b6bbe30ccf38e579462bd9735fa085e89faa0296
      • Instruction Fuzzy Hash: ACC17A71A1479A9FDB68CF28CC80BDAB7E5BF98310F154229EC5C9B714D770AA50CB90
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: \l9
      • API String ID: 0-3627828189
      • Opcode ID: 7d97025c4d4862bfdad767e76500197aa9fb947aa4e679721482c0cbe57551b3
      • Instruction ID: 1f2e5b81f1aedbd36f980c65e3124e16242353d67d0ed3e1bd231b5c828fc4fd
      • Opcode Fuzzy Hash: 7d97025c4d4862bfdad767e76500197aa9fb947aa4e679721482c0cbe57551b3
      • Instruction Fuzzy Hash: F8B1A8716103899FDF759E64CDA1BDA3BA2FF68300F51412ADD8E9B224C7315A81CB46
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: Q@VF
      • API String ID: 0-1362175084
      • Opcode ID: d2537f0f5cac8d6bf64adb3c54f37ea4cd3cc62f5303651ca53f8d5a2b9fac4c
      • Instruction ID: 2d1c3f71aeaafbf0476d143202e29d2c4795f1b0b11a0560720dc48b5129b379
      • Opcode Fuzzy Hash: d2537f0f5cac8d6bf64adb3c54f37ea4cd3cc62f5303651ca53f8d5a2b9fac4c
      • Instruction Fuzzy Hash: CF71DE726142889FCB748E69CC55BDF77E6AF98300F15851EEC4DCB214D3709A81CB05
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: Q@VF
      • API String ID: 0-1362175084
      • Opcode ID: ba5ee70da5d60e3ae9ebd1fae93dc955c432bed59ca8aa0d5e785172d1cb9890
      • Instruction ID: 4686e82d364f5308cb71f8c62ef0093d2c443e6b206995014dd0e8d9748f2500
      • Opcode Fuzzy Hash: ba5ee70da5d60e3ae9ebd1fae93dc955c432bed59ca8aa0d5e785172d1cb9890
      • Instruction Fuzzy Hash: AE71DD726042889FDB788F29CC54ADFB7E6BF98340F15851EE84DCB254D7709A85CB06
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: Q@VF
      • API String ID: 0-1362175084
      • Opcode ID: 0dbdcf19282f8a6abaef3d2b8fced3dc2a864e5a07b77d20f64635a4e315b800
      • Instruction ID: aab5319d6c5e016051e243e6f1b53df2d32502785bbec1cbf42ee8b62e6920f7
      • Opcode Fuzzy Hash: 0dbdcf19282f8a6abaef3d2b8fced3dc2a864e5a07b77d20f64635a4e315b800
      • Instruction Fuzzy Hash: 4A5189726042889FDB74CF29CC54BDBBBE6AF98350F15842AEC4DCB214D730AA85CB05
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: eOu0
      • API String ID: 0-585871311
      • Opcode ID: 0487643cb0e193c6dfbc68a192f9b5d9da51906b836a91a544e3237f58f1d9e3
      • Instruction ID: 6e47ce7f9132fe3c942b98891f9c1ee5c596717be2612383abf624ea37f761b7
      • Opcode Fuzzy Hash: 0487643cb0e193c6dfbc68a192f9b5d9da51906b836a91a544e3237f58f1d9e3
      • Instruction Fuzzy Hash: E75100B6A11749DBDB74CE69C990BDB76F3AFA8B00F09012ECC4E4BA04D734A641CB45
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: d1f8a5bc73ca5d1118ee654b52e20776cecf655bbd5a0b663ff036f97900bd9b
      • Instruction ID: 954c45c16bec0ac48f8bbf00b841202ffcb407e202a408c9f024375310c5f996
      • Opcode Fuzzy Hash: d1f8a5bc73ca5d1118ee654b52e20776cecf655bbd5a0b663ff036f97900bd9b
      • Instruction Fuzzy Hash: 1CB1A3615087C54FDB36CF388898BD67FE2AF56260F0EC29AC8994F2E6D3348546C716
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: e570b341dbd2d183bddd43e3170f2d397914bf9c6c6587003f354dc18784ffb1
      • Instruction ID: dd0aae01af9f4b5993dc30ec8f85aef54d4cbb1b76f54dd41bb722cc44c775f1
      • Opcode Fuzzy Hash: e570b341dbd2d183bddd43e3170f2d397914bf9c6c6587003f354dc18784ffb1
      • Instruction Fuzzy Hash: 13710472614355DBDB34DE68C8A1BDAB7F2AFA4340F49412EDC4ACB648D7309A81CB91
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 3a1e48a51e6f004e2d06c7405b6740208b3dc67a808fca918fe48b417bbd8576
      • Instruction ID: 1c4133d1d6b14a5ba245ebd19fb2156010f3497dd3265986cd756bc7a9613c09
      • Opcode Fuzzy Hash: 3a1e48a51e6f004e2d06c7405b6740208b3dc67a808fca918fe48b417bbd8576
      • Instruction Fuzzy Hash: 7C51EE32514380CFCB649F34C999BEAB7F2FF69340F56495CD8899B225C3309A81CB42
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: c39aa16d6e13dad098edb465aff7ae88dc50fa2cd1edd7031f50b26cda80aa08
      • Instruction ID: 8dca55c7a8d60e58a9f9e754b11062381cd140a420e8cad721cdc5be92856f7d
      • Opcode Fuzzy Hash: c39aa16d6e13dad098edb465aff7ae88dc50fa2cd1edd7031f50b26cda80aa08
      • Instruction Fuzzy Hash: 5151CC716143899FCB38AF789955BEE3BE2BF54380F45051DEC8E9B254C7318A81CB42
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 9b75b37a6cdd9edaa3aa9f01531226495d095d289d260b96e37027190b8e30dd
      • Instruction ID: ed1c15bd63dd07bf8b71bbe5dc79d6e76576d0d77478789f0f46df484e2857ad
      • Opcode Fuzzy Hash: 9b75b37a6cdd9edaa3aa9f01531226495d095d289d260b96e37027190b8e30dd
      • Instruction Fuzzy Hash: DE510C719483868BDF39CF7888E4BDA7BE2AF65350F45815EC85A8F289D3304641C726
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: a8030d3165dabed5ae71850c5d6ca1c02360af4694ea2aa89313b0acb2c8a9bd
      • Instruction ID: 446cc51b6fcac40543e4c271e1162a1ba455a30c0d99324f4514b2d0c2cbb8dc
      • Opcode Fuzzy Hash: a8030d3165dabed5ae71850c5d6ca1c02360af4694ea2aa89313b0acb2c8a9bd
      • Instruction Fuzzy Hash: 434126719183589BDF389F64C851BEF37B2AF59300F15412DDC49A7258D7701A818F92
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 9c6e16f4c1e885e282ab1d61bca15d0ffff5d86e62bc67ec6a707b3bc7d5ac1c
      • Instruction ID: 86063d2fd37de41a5950c0690b384ab8f2f65972170a568eaef50814c057a4af
      • Opcode Fuzzy Hash: 9c6e16f4c1e885e282ab1d61bca15d0ffff5d86e62bc67ec6a707b3bc7d5ac1c
      • Instruction Fuzzy Hash: 75512B719583858BDF39CF788CE4BEA7BE2AF65350F45825EC85A8F289D3304541C726
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 2d2c9d0c2d214f13645b0f05905d59354b1d9b5cdce2d2e4a0e9a445196deb90
      • Instruction ID: dd9e07e4fec0a67bb530f7e5c76d31e640f95a07af87d594b72796122416adf6
      • Opcode Fuzzy Hash: 2d2c9d0c2d214f13645b0f05905d59354b1d9b5cdce2d2e4a0e9a445196deb90
      • Instruction Fuzzy Hash: 3A413472919358ABDB389F64CC01BEF37B2AF5A300F05412DDC4A9B259D7700A818F96
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false
      Yara matches
      Similarity
      • API ID: AllocateMemoryVirtual
      • String ID:
      • API String ID: 2167126740-0
      • Opcode ID: 4ef9387518809eaacb984a23fa93b8f70dcef0da26c52fdcd5ec1983c33e78ca
      • Instruction ID: 527d17b34cfd6c4c35e3ba588e1892127db2e2fb5f83bb92c8d8c9f93502a513
      • Opcode Fuzzy Hash: 4ef9387518809eaacb984a23fa93b8f70dcef0da26c52fdcd5ec1983c33e78ca
      • Instruction Fuzzy Hash: A441F2B1A143899BDB30AFA4CC84BDE77B6FFA5380F458428DD889B215D7348A81CB55
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 3fd64fa94e57339830500fd1354d3c2557e256d4e71a6dc2a839401f1d190b0b
      • Instruction ID: 26fdb29d0a3f4d1139bb01eb836897bf5c0dbf642aed7e32f7e197eeb99f94cc
      • Opcode Fuzzy Hash: 3fd64fa94e57339830500fd1354d3c2557e256d4e71a6dc2a839401f1d190b0b
      • Instruction Fuzzy Hash: 862194312087C18BDF72CEB8C8D4B86BAD2AF46214F48C2ADC9984E6DBE3354543C752
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: acd64a3843bdfb710f3ec917ab0b35563eea504932bdc001ef303e66167dae7a
      • Instruction ID: fbc2258cafbb3dc496fc51e1da01c53f699a273d0c10c735cab9a3ce00b2411d
      • Opcode Fuzzy Hash: acd64a3843bdfb710f3ec917ab0b35563eea504932bdc001ef303e66167dae7a
      • Instruction Fuzzy Hash: DA119071A08354EFCB68AF64C9546EFB6F1EF54750F42081DDDCA96110D3315A81CB52
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 64622923414ea4bf0c6974bfaf742be183887886aa210be4fe5c314a3a95815a
      • Instruction ID: 47d0bba8a0251692d1c4ddd7eb200680c8dab5c3ac622502f85e68863abb4083
      • Opcode Fuzzy Hash: 64622923414ea4bf0c6974bfaf742be183887886aa210be4fe5c314a3a95815a
      • Instruction Fuzzy Hash: 56F0F4B7B153145FF7299EB4CE806EA72D7AFF6300FA49235AC058B308D7B0C9014A82
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 61f7c60f29ea27d67520e5ab18539727c07c365fae8bb87ecdf35a37f80130d8
      • Instruction ID: 3fb4754fda6245093f5b5a473ee3e495988d6373a298b411cbb777307eb3731b
      • Opcode Fuzzy Hash: 61f7c60f29ea27d67520e5ab18539727c07c365fae8bb87ecdf35a37f80130d8
      • Instruction Fuzzy Hash: 2E018874A25745CFCB30CFA4C8C8EEAB3F2AF98700F41402ADA098B205C330AA44CB20
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: f6178ff48dcd03d8b1d7dad661da46ade949e67a02951441900925447e096af3
      • Instruction ID: 9b58882fc44b06fe8cdadaa85c08d26b4e2b94a687addfedae82ff23338cfcaf
      • Opcode Fuzzy Hash: f6178ff48dcd03d8b1d7dad661da46ade949e67a02951441900925447e096af3
      • Instruction Fuzzy Hash: DFC04CB66125818BE741DB18C451B4073A1AB45B95B090694E8118B791C324E9108A00
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.762366853.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
      • Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
      • Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
      • Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10
      Uniqueness

      Uniqueness Score: -1.00%