Windows Analysis Report 97bXaukEWl.exe

Overview

General Information

Sample Name: 97bXaukEWl.exe
Analysis ID: 457852
MD5: 9318cd06a9a0b788dc043a63c97d4fce
SHA1: a296ea3e1cf6d41f9d059d7d6e5058882b03161a
SHA256: 7ad18b09938d40e8ec342ee6bee6b190a986ffedce7567a638b8d25b4098cb69
Tags: exe, GuLoader

Detection

GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Detected potential crypto function
PE / OLE file has an invalid certificate
PE file contains strange resources
Program does not show much activity (idle)
Sample file name differs from the original file name in version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.747139743.00000000020A0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://kinmirai.org/wp-content/bin_NIapfDNXM183.bin"}
Multi AV Scanner detection for submitted file
Source: 97bXaukEWl.exe Virustotal: Detection: 24%
Source: 97bXaukEWl.exe ReversingLabs: Detection: 17%

Compliance:

Uses 32bit PE files
Source: 97bXaukEWl.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\bayrerss.pdb source: 97bXaukEWl.exe

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://kinmirai.org/wp-content/bin_NIapfDNXM183.bin
Source: 97bXaukEWl.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 97bXaukEWl.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 97bXaukEWl.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 97bXaukEWl.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 97bXaukEWl.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 97bXaukEWl.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 97bXaukEWl.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: 97bXaukEWl.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: 97bXaukEWl.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: 97bXaukEWl.exe String found in binary or memory: https://www.digicert.com/CPS0

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\97bXaukEWl.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A5798 NtAllocateVirtualMemory, 0_2_020A5798
Detected potential crypto function
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A5798 0_2_020A5798
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A7A0B 0_2_020A7A0B
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A2655 0_2_020A2655
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A4AAA 0_2_020A4AAA
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A46B8 0_2_020A46B8
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A9AB9 0_2_020A9AB9
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A4ADA 0_2_020A4ADA
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A433C 0_2_020A433C
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A7B34 0_2_020A7B34
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A8F4F 0_2_020A8F4F
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A8F5C 0_2_020A8F5C
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A3BB6 0_2_020A3BB6
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A83CF 0_2_020A83CF
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A73CC 0_2_020A73CC
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A7BDB 0_2_020A7BDB
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A8FD6 0_2_020A8FD6
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A1BF9 0_2_020A1BF9
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A1BF7 0_2_020A1BF7
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A7C0D 0_2_020A7C0D
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A7C02 0_2_020A7C02
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A4021 0_2_020A4021
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A9058 0_2_020A9058
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A245F 0_2_020A245F
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A4050 0_2_020A4050
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A2877 0_2_020A2877
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A489B 0_2_020A489B
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A90D7 0_2_020A90D7
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A4CF4 0_2_020A4CF4
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A3D14 0_2_020A3D14
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A792B 0_2_020A792B
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A352B 0_2_020A352B
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A554D 0_2_020A554D
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A796F 0_2_020A796F
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A916F 0_2_020A916F
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A39D7 0_2_020A39D7
PE / OLE file has an invalid certificate
Source: 97bXaukEWl.exe Static PE information: invalid certificate
PE file contains strange resources
Source: 97bXaukEWl.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 97bXaukEWl.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 97bXaukEWl.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file name differs from the original file name in version info
Source: 97bXaukEWl.exe, 00000000.00000000.221378124.0000000000436000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamebayrerss.exe vs 97bXaukEWl.exe
Source: 97bXaukEWl.exe, 00000000.00000002.750338858.0000000002960000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamebayrerss.exeFE2X vs 97bXaukEWl.exe
Source: 97bXaukEWl.exe Binary or memory string: OriginalFilenamebayrerss.exe vs 97bXaukEWl.exe
Uses 32bit PE files
Source: 97bXaukEWl.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal84.troj.evad.winEXE@1/0@0/0
Source: 97bXaukEWl.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\97bXaukEWl.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\97bXaukEWl.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 97bXaukEWl.exe Virustotal: Detection: 24%
Source: 97bXaukEWl.exe ReversingLabs: Detection: 17%
Source: 97bXaukEWl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\bayrerss.pdb source: 97bXaukEWl.exe

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.747139743.00000000020A0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_00421041 push ss; retf 0_2_00421042
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_00422433 push eax; iretd 0_2_004224A1
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_004200E2 push eax; iretd 0_2_004200E5
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_004210A8 push ebx; retf 0_2_004210AE
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_00421D79 pushfd ; iretd 0_2_00421D97
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_00405D8C push eax; retf 0_2_00405DC6
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_004223E5 push eax; iretd 0_2_004224A1
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A2F61 push esi; ret 0_2_020A2F63
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A8391 push edx; ret 0_2_020A8392
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A83B8 push edx; ret 0_2_020A83B9
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A0FFD push ebx; iretd 0_2_020A100C
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A540E pushad ; retf 0_2_020A5419
Source: C:\Users\user\Desktop\97bXaukEWl.exe Process information set: NOOPENFILEERRORBOX (reported 7 times)

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A5798 NtAllocateVirtualMemory, 0_2_020A5798
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A3714 0_2_020A3714
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A433C 0_2_020A433C
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A3BB6 0_2_020A3BB6
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A73CC 0_2_020A73CC
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A245F 0_2_020A245F
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A4050 0_2_020A4050
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A352B 0_2_020A352B
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\97bXaukEWl.exe RDTSC instruction interceptor: First address: 00000000020A6EEA second address: 00000000020A73F6 instructions:
  0x00000000 rdtsc
  0x00000002 mov eax, 00000001h
  0x00000007 cpuid
  0x00000009 popad
  0x0000000a add eax, FF6DF465h
  0x0000000f add eax, 051D0E23h
  0x00000014 cmp ch, FFFFFF9Bh
  0x00000017 add eax, BB406732h
  0x0000001c push ss
  0x0000001d pop ss
  0x0000001e jmp 00007F7BD0B3E4A3h
  0x00000020 cmp dword ptr [ebp+0000024Eh], eax
  0x00000026 mov eax, dword ptr [ebp+0000024Eh]
  0x0000002c jne 00007F7BD0B3E548h
  0x00000032 pushad
  0x00000033 mov bl, 77h
  0x00000035 cmp bl, 00000077h
  0x00000038 jne 00007F7BD0B40B02h
  0x0000003e popad
  0x0000003f push 7DDA0CB7h
  0x00000044 call 00007F7BD0B3E8FAh
  0x00000049 mov eax, dword ptr fs:[00000030h]
  0x0000004f mov eax, dword ptr [eax+0Ch]
  0x00000052 test cx, ax
  0x00000055 mov eax, dword ptr [eax+14h]
  0x00000058 mov ecx, dword ptr [eax]
  0x0000005a pushad
  0x0000005b mov bx, 12CFh
  0x0000005f cmp bx, 12CFh
  0x00000064 jne 00007F7BD0B376F3h
  0x0000006a popad
  0x0000006b mov eax, ecx
  0x0000006d cmp dh, ah
  0x0000006f jmp 00007F7BD0B3E4A6h
  0x00000071 test bh, bh
  0x00000073 mov ebx, dword ptr [eax+28h]
  0x00000076 test bl, dl
  0x00000078 mov dword ptr [ebp+00000238h], edx
  0x0000007e pushad
  0x0000007f lfence
  0x00000082 rdtsc
Source: C:\Users\user\Desktop\97bXaukEWl.exe RDTSC instruction interceptor: First address: 00000000020A92DD second address: 00000000020A92DD instructions:
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\97bXaukEWl.exe RDTSC instruction interceptor: First address: 00000000020A6EEA second address: 00000000020A73F6 (same instruction sequence as listed under "Detected RDTSC dummy instruction sequence" above)
Source: C:\Users\user\Desktop\97bXaukEWl.exe RDTSC instruction interceptor: First address: 00000000020A73F6 second address: 00000000020A74C0 instructions:
  0x00000000 rdtsc
  0x00000002 lfence
  0x00000005 shl edx, 20h
  0x00000008 or edx, eax
  0x0000000a popad
  0x0000000b mov edx, 2A63ED14h
  0x00000010 cmp ax, dx
  0x00000013 xor edx, 8CD6B9A0h
  0x00000019 xor edx, 8DA3C863h
  0x0000001f cmp eax, ecx
  0x00000021 sub edx, 2B169CD7h
  0x00000027 test ebx, E044EBDBh
  0x0000002d cmp ebx, edx
  0x0000002f mov edx, dword ptr [ebp+00000238h]
  0x00000035 je 00007F7BD0AEA8D8h
  0x0000003b fnop
  0x0000003d mov dword ptr [ebp+00000222h], eax
  0x00000043 pushad
  0x00000044 mov bh, 9Ah
  0x00000046 cmp bh, FFFFFF9Ah
  0x00000049 jne 00007F7BD0AE7432h
  0x0000004f popad
  0x00000050 mov eax, ebx
  0x00000052 push eax
  0x00000053 mov eax, dword ptr [ebp+00000222h]
  0x00000059 test dl, 0000005Ah
  0x0000005c cmp cx, dx
  0x0000005f call 00007F7BD0AEA8B7h
  0x00000064 pushad
  0x00000065 lfence
  0x00000068 rdtsc
Source: C:\Users\user\Desktop\97bXaukEWl.exe RDTSC instruction interceptor: First address: 00000000020A58DE second address: 00000000020A593B instructions:
  0x00000000 rdtsc
  0x00000002 popad
  0x00000003 sub dword ptr [esp], F2A63F26h
  0x0000000a test bx, ax
  0x0000000d xor dword ptr [esp], 1168D9BEh
  0x00000014 mov dword ptr [ebp+00000148h], 00000000h
  0x0000001e add ebx, 04h
  0x00000021 mov dword ptr [ebp+0000018Bh], esi
  0x00000027 mov esi, ebx
  0x00000029 push esi
  0x0000002a mov esi, dword ptr [ebp+0000018Bh]
  0x00000030 cmp ch, dh
  0x00000032 mov dword ptr [ebp+000001E4h], ecx
  0x00000038 mov ecx, 785B2C8Ch
  0x0000003d test ebx, eax
  0x0000003f test bx, bx
  0x00000042 xor ecx, C683D913h
  0x00000048 cmp dl, 00000035h
  0x0000004b add ecx, 3D510807h
  0x00000051 sub ecx, FC29FDA7h
  0x00000057 pushad
  0x00000058 mov esi, 00000084h
  0x0000005d rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A5798 rdtsc 0_2_020A5798
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
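The interceptor dumps above show the two things an analyst has to see through in GuLoader: the rdtsc/cpuid pairs that the sandbox counts, and the immediate-only mov/xor/add/sub chains that hide what the following cmp really tests. The Python below is an added example written for this report; it is neither Joe Sandbox code nor GuLoader code. It folds those chains with 32-bit wraparound, dropping a register on any write it does not model, so a value that survives to the cmp is fixed regardless of runtime state. It assumes the dump syntax exactly as printed in this report (an 0x-prefixed offset relative to the intercepted rdtsc, then one MASM-style instruction with immediates ending in h); the two constructed inputs are the 020A73F6 and 020A58DE dumps above, trimmed after the chain of interest.

```python
"""Fold obfuscated constant chains in a Joe Sandbox 'RDTSC instruction
interceptor' dump. Added example for this report, not sandbox or GuLoader
code; it understands only the small x86 subset that appears in the dumps."""
import re

MASK32 = 0xFFFFFFFF
REGS32 = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}
# A write to a partial register invalidates the tracked 32-bit parent.
PARENT = {"ax": "eax", "al": "eax", "ah": "eax", "bx": "ebx", "bl": "ebx",
          "bh": "ebx", "cx": "ecx", "cl": "ecx", "ch": "ecx", "dx": "edx",
          "dl": "edx", "dh": "edx", "si": "esi", "di": "edi"}
# Instructions with no explicit destination that still overwrite registers.
CLOBBER = {"rdtsc": {"eax", "edx"}, "cpuid": {"eax", "ebx", "ecx", "edx"},
           "popad": REGS32, "call": REGS32}
READ_ONLY = {"cmp", "test", "push", "pushad", "lfence", "fnop", "jmp", "je", "jne"}

# Constructed inputs: two interceptor dumps from this report, each trimmed
# after the obfuscated chain (offsets are relative to the intercepted rdtsc).
DUMPS = {
    "020A73F6": ("0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h "
                 "0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov edx, 2A63ED14h "
                 "0x00000010 cmp ax, dx 0x00000013 xor edx, 8CD6B9A0h "
                 "0x00000019 xor edx, 8DA3C863h 0x0000001f cmp eax, ecx "
                 "0x00000021 sub edx, 2B169CD7h 0x00000027 test ebx, E044EBDBh "
                 "0x0000002d cmp ebx, edx"),
    "020A58DE": ("0x00000000 rdtsc 0x00000002 popad 0x00000003 sub dword ptr [esp], F2A63F26h "
                 "0x0000000a test bx, ax 0x0000000d xor dword ptr [esp], 1168D9BEh "
                 "0x00000014 mov dword ptr [ebp+00000148h], 00000000h 0x0000001e add ebx, 04h "
                 "0x00000021 mov dword ptr [ebp+0000018Bh], esi 0x00000027 mov esi, ebx "
                 "0x00000029 push esi 0x0000002a mov esi, dword ptr [ebp+0000018Bh] "
                 "0x00000030 cmp ch, dh 0x00000032 mov dword ptr [ebp+000001E4h], ecx "
                 "0x00000038 mov ecx, 785B2C8Ch 0x0000003d test ebx, eax 0x0000003f test bx, bx "
                 "0x00000042 xor ecx, C683D913h 0x00000048 cmp dl, 00000035h "
                 "0x0000004b add ecx, 3D510807h 0x00000051 sub ecx, FC29FDA7h"),
}

INSN_RE = re.compile(r"0x([0-9a-fA-F]{8})\s+(.*?)(?=\s+0x[0-9a-fA-F]{8}\s|$)")
IMM_RE = re.compile(r"^([0-9A-Fa-f]+)h$")


def split_dump(dump):
    """Turn the single-line sandbox dump into [(offset, 'mnemonic operands')]."""
    return [(int(off, 16), txt.strip()) for off, txt in INSN_RE.findall(dump)]


def imm(operand):
    """Value of a MASM-style immediate such as 2A63ED14h, else None."""
    m = IMM_RE.match(operand)
    return int(m.group(1), 16) & MASK32 if m else None


def fold_constants(insns):
    """Evaluate mov/add/sub/xor/shl/shr chains whose source is an immediate.
    Returns (annotated listing, {reg: value} still known at the end)."""
    known, listing = {}, []
    for off, text in insns:
        mnem, _, rest = text.partition(" ")
        ops = [o.strip() for o in rest.split(",")] if rest else []
        note = ""
        for reg in CLOBBER.get(mnem, ()):
            known.pop(reg, None)
        if mnem in ("mov", "add", "sub", "xor", "shl", "shr") and len(ops) == 2:
            dst, val = PARENT.get(ops[0], ops[0]), imm(ops[1])
            if dst not in REGS32 or ops[0] != dst or val is None:
                known.pop(dst, None)  # memory dest, partial register or non-immediate source
            elif mnem == "mov":
                known[dst] = val
            elif dst in known:
                cur = known[dst]
                if mnem == "add":
                    known[dst] = (cur + val) & MASK32
                elif mnem == "sub":
                    known[dst] = (cur - val) & MASK32
                elif mnem == "xor":
                    known[dst] = cur ^ val
                elif mnem == "shl":  # x86 masks the count to 5 bits for 32-bit operands
                    known[dst] = (cur << (val & 31)) & MASK32
                else:
                    known[dst] = cur >> (val & 31)
            if dst in known:
                note = f"; {dst} = 0x{known[dst]:08X}"
        elif mnem in READ_ONLY:
            hits = [f"{o} == 0x{known[o]:08X}" for o in ops if o in known]
            if hits:
                note = "; " + ", ".join(hits)
        elif ops:  # any other instruction naming a destination (or, and, ...)
            known.pop(PARENT.get(ops[0], ops[0]), None)
        listing.append(f"{off:08x}  {text:<40}{note}")
    return listing, known


if __name__ == "__main__":
    for addr, dump in DUMPS.items():
        lines, final = fold_constants(split_dump(dump))
        print(f"--- rdtsc block at {addr}")
        print("\n".join(lines))
        print("known at end:", {r: f"0x{v:08X}" for r, v in final.items()})
```

Run stand-alone, it prints each block with the folded value beside every instruction that touches it. The edx chain in the 020A73F6 block (mov 2A63ED14h, xor 8CD6B9A0h, xor 8DA3C863h, sub 2B169CD7h) folds to 0, so the `cmp ebx, edx` / `je` that follows is simply a null check on the pointer the preceding block loaded from the PEB loader module list (fs:[30h], then Ldr at +0Ch, then InMemoryOrderModuleList at +14h); the ecx chain in the 020A58DE block folds to 0xFFFFFFFF. Note that the rdtsc/cpuid/popad sequence at the start of each block discards its own results, which is why the sandbox tags it as instruction hammering rather than a real timing check; a genuine threshold comparison would have to survive the popad.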

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\97bXaukEWl.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A5798 rdtsc 0_2_020A5798
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A6E4F mov eax, dword ptr fs:[00000030h] 0_2_020A6E4F
Source: C:\Users\user\Desktop\97bXaukEWl.exe Code function: 0_2_020A352B mov eax, dword ptr fs:[00000030h] 0_2_020A352B
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: 97bXaukEWl.exe, 00000000.00000002.746784171.0000000000C60000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: 97bXaukEWl.exe, 00000000.00000002.746784171.0000000000C60000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: 97bXaukEWl.exe, 00000000.00000002.746784171.0000000000C60000.00000002.00000001.sdmp Binary or memory string: Progman
Source: 97bXaukEWl.exe, 00000000.00000002.746784171.0000000000C60000.00000002.00000001.sdmp Binary or memory string: Progmanlock
No contacted IP information