GuLoader,Lokibot | e7ee8ff4872d

Remarks

Maximum Dump Total Size Reached (0x0200005D): 6045 additional dumps with the reason "Content Changed" and a total of 34546 MB were skipped because the respective maximum limit was reached.

Maximum Dump Size Exceeded (0x0200004A): 1 dump(s) were skipped because they exceeded the maximum dump size of 7 MB. The largest one was 407 MB.

Filters:

File Name	Category	Type	Verdict	Actions

C:\Users\kEecfMwgj\Desktop\e7ee8ff4872d57b2fba736ee6556e3f92a3fc1c3c8738c50cc8b1e6acbb4379f.exe

Sample File

Binary

MIME Type	application/vnd.microsoft.portable-executable
File Size	304.03 KB
MD5	2f779b2196af55484be830b22eda9dca
SHA1	a6e6a3d2b92abc988e82e254705c01d6357d1b4e
SHA256	e7ee8ff4872d57b2fba736ee6556e3f92a3fc1c3c8738c50cc8b1e6acbb4379f
SSDeep	6144:ZbE/HUnk52w9mvsVVQyIAoHzcleagqiFqICMvs5j:ZbS90UsHzqeagqB68
ImpHash	56a78d55f3f7af51443e58e0ce2fb5f6

File Reputation Information

Verdict	Malicious
Names	Mal/Generic-S

PE Information

Image Base	0x00400000
Entry Point	0x0040352D
Size Of Code	0x00006A00
Size Of Initialized Data	0x0002DA00
Size Of Uninitialized Data	0x00000800
File Type	IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem	IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type	IMAGE_FILE_MACHINE_I386
Compile Timestamp	2021-09-25 23:57 (UTC+2)

Version Information (7)

Comments	Solonic Udkommandotillggene TRONARVINGS Unlap
CompanyName	Kabelets OVERBBORE Udkonkurreret
FileDescription	Transmittering Fredningsmssiges
FileVersion	15.16.10
LegalCopyright	cevenol Unbright beskyttelsestoldsatserne
LegalTrademarks	Unrefitted recounseling
ProductName	Graenseland Samsvarendes

Sections (5)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
.text	0x00401000	0x00006897	0x00006A00	0x00000400	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.46
.rdata	0x00408000	0x000014A6	0x00001600	0x00006E00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.02
.data	0x0040A000	0x0002B018	0x00000600	0x00008400	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	4.15
.ndata	0x00436000	0x00039000	0x00000000	0x00000000	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	0.0
.rsrc	0x0046F000	0x00028628	0x00028800	0x00008A00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.53

Imports (7)

ADVAPI32.dll (13)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
RegCreateKeyExW	-	0x00408000	0x000086B0	0x000074B0	0x000001D2
RegEnumKeyW	-	0x00408004	0x000086B4	0x000074B4	0x000001E0
RegQueryValueExW	-	0x00408008	0x000086B8	0x000074B8	0x000001F8
RegSetValueExW	-	0x0040800C	0x000086BC	0x000074BC	0x00000205
RegCloseKey	-	0x00408010	0x000086C0	0x000074C0	0x000001CB
RegDeleteValueW	-	0x00408014	0x000086C4	0x000074C4	0x000001D9
RegDeleteKeyW	-	0x00408018	0x000086C8	0x000074C8	0x000001D7
AdjustTokenPrivileges	-	0x0040801C	0x000086CC	0x000074CC	0x0000001C
LookupPrivilegeValueW	-	0x00408020	0x000086D0	0x000074D0	0x00000150
OpenProcessToken	-	0x00408024	0x000086D4	0x000074D4	0x000001AC
SetFileSecurityW	-	0x00408028	0x000086D8	0x000074D8	0x0000022F
RegOpenKeyExW	-	0x0040802C	0x000086DC	0x000074DC	0x000001ED
RegEnumValueW	-	0x00408030	0x000086E0	0x000074E0	0x000001E2

SHELL32.dll (6)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
SHGetSpecialFolderLocation	-	0x00408178	0x00008828	0x00007628	0x000000C3
SHFileOperationW	-	0x0040817C	0x0000882C	0x0000762C	0x0000009B
SHBrowseForFolderW	-	0x00408180	0x00008830	0x00007630	0x0000007A
SHGetPathFromIDListW	-	0x00408184	0x00008834	0x00007634	0x000000BD
ShellExecuteExW	-	0x00408188	0x00008838	0x00007638	0x0000010A
SHGetFileInfoW	-	0x0040818C	0x0000883C	0x0000763C	0x000000AD

ole32.dll (5)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
OleInitialize	-	0x00408298	0x00008948	0x00007748	0x000000EE
OleUninitialize	-	0x0040829C	0x0000894C	0x0000774C	0x00000105
CoCreateInstance	-	0x004082A0	0x00008950	0x00007750	0x00000010
IIDFromString	-	0x004082A4	0x00008954	0x00007754	0x000000C6
CoTaskMemFree	-	0x004082A8	0x00008958	0x00007758	0x00000065

COMCTL32.dll (4)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
None	0x00000011	0x00408038	0x000086E8	0x000074E8	-
ImageList_Create	-	0x0040803C	0x000086EC	0x000074EC	0x00000037
ImageList_Destroy	-	0x00408040	0x000086F0	0x000074F0	0x00000038
ImageList_AddMasked	-	0x00408044	0x000086F4	0x000074F4	0x00000034

USER32.dll (64)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
GetClientRect	-	0x00408194	0x00008844	0x00007644	0x000000FF
EndPaint	-	0x00408198	0x00008848	0x00007648	0x000000C8
DrawTextW	-	0x0040819C	0x0000884C	0x0000764C	0x000000BF
IsWindowEnabled	-	0x004081A0	0x00008850	0x00007650	0x000001AE
DispatchMessageW	-	0x004081A4	0x00008854	0x00007654	0x000000A2
wsprintfA	-	0x004081A8	0x00008858	0x00007658	0x000002D7
CharNextA	-	0x004081AC	0x0000885C	0x0000765C	0x0000002A
CharPrevW	-	0x004081B0	0x00008860	0x00007660	0x0000002F
MessageBoxIndirectW	-	0x004081B4	0x00008864	0x00007664	0x000001E3
GetDlgItemTextW	-	0x004081B8	0x00008868	0x00007668	0x00000114
SetDlgItemTextW	-	0x004081BC	0x0000886C	0x0000766C	0x00000254
GetSystemMetrics	-	0x004081C0	0x00008870	0x00007670	0x0000015D
FillRect	-	0x004081C4	0x00008874	0x00007674	0x000000E2
AppendMenuW	-	0x004081C8	0x00008878	0x00007678	0x00000009
TrackPopupMenu	-	0x004081CC	0x0000887C	0x0000767C	0x000002A4
OpenClipboard	-	0x004081D0	0x00008880	0x00007680	0x000001F6
SetClipboardData	-	0x004081D4	0x00008884	0x00007684	0x0000024A
CloseClipboard	-	0x004081D8	0x00008888	0x00007688	0x00000042
IsWindowVisible	-	0x004081DC	0x0000888C	0x0000768C	0x000001B1
CallWindowProcW	-	0x004081E0	0x00008890	0x00007690	0x0000001C
GetMessagePos	-	0x004081E4	0x00008894	0x00007694	0x0000013C
CheckDlgButton	-	0x004081E8	0x00008898	0x00007698	0x00000038
LoadCursorW	-	0x004081EC	0x0000889C	0x0000769C	0x000001BD
SetCursor	-	0x004081F0	0x000088A0	0x000076A0	0x0000024D
GetSysColor	-	0x004081F4	0x000088A4	0x000076A4	0x0000015A
SetWindowPos	-	0x004081F8	0x000088A8	0x000076A8	0x00000283
GetWindowLongW	-	0x004081FC	0x000088AC	0x000076AC	0x0000016F
PeekMessageW	-	0x00408200	0x000088B0	0x000076B0	0x00000201
SetClassLongW	-	0x00408204	0x000088B4	0x000076B4	0x00000248
GetSystemMenu	-	0x00408208	0x000088B8	0x000076B8	0x0000015C
EnableMenuItem	-	0x0040820C	0x000088BC	0x000076BC	0x000000C2
GetWindowRect	-	0x00408210	0x000088C0	0x000076C0	0x00000174
ScreenToClient	-	0x00408214	0x000088C4	0x000076C4	0x00000231
EndDialog	-	0x00408218	0x000088C8	0x000076C8	0x000000C6
RegisterClassW	-	0x0040821C	0x000088CC	0x000076CC	0x00000219
SystemParametersInfoW	-	0x00408220	0x000088D0	0x000076D0	0x0000029A
CreateWindowExW	-	0x00408224	0x000088D4	0x000076D4	0x00000061
GetClassInfoW	-	0x00408228	0x000088D8	0x000076D8	0x000000F9
DialogBoxParamW	-	0x0040822C	0x000088DC	0x000076DC	0x0000009F
CharNextW	-	0x00408230	0x000088E0	0x000076E0	0x0000002C
ExitWindowsEx	-	0x00408234	0x000088E4	0x000076E4	0x000000E1
DestroyWindow	-	0x00408238	0x000088E8	0x000076E8	0x00000099
CreateDialogParamW	-	0x0040823C	0x000088EC	0x000076EC	0x00000056
SetTimer	-	0x00408240	0x000088F0	0x000076F0	0x0000027A
SetWindowTextW	-	0x00408244	0x000088F4	0x000076F4	0x00000287
PostQuitMessage	-	0x00408248	0x000088F8	0x000076F8	0x00000204
SetForegroundWindow	-	0x0040824C	0x000088FC	0x000076FC	0x00000257
ShowWindow	-	0x00408250	0x00008900	0x00007700	0x00000292
wsprintfW	-	0x00408254	0x00008904	0x00007704	0x000002D8
SendMessageTimeoutW	-	0x00408258	0x00008908	0x00007708	0x0000023F
FindWindowExW	-	0x0040825C	0x0000890C	0x0000770C	0x000000E5
IsWindow	-	0x00408260	0x00008910	0x00007710	0x000001AD
GetDlgItem	-	0x00408264	0x00008914	0x00007714	0x00000111
SetWindowLongW	-	0x00408268	0x00008918	0x00007718	0x00000281
LoadImageW	-	0x0040826C	0x0000891C	0x0000771C	0x000001C1
GetDC	-	0x00408270	0x00008920	0x00007720	0x0000010C
ReleaseDC	-	0x00408274	0x00008924	0x00007724	0x0000022A
EnableWindow	-	0x00408278	0x00008928	0x00007728	0x000000C4
InvalidateRect	-	0x0040827C	0x0000892C	0x0000772C	0x00000193
SendMessageW	-	0x00408280	0x00008930	0x00007730	0x00000240
DefWindowProcW	-	0x00408284	0x00008934	0x00007734	0x0000008F
BeginPaint	-	0x00408288	0x00008938	0x00007738	0x0000000D
EmptyClipboard	-	0x0040828C	0x0000893C	0x0000773C	0x000000C1
CreatePopupMenu	-	0x00408290	0x00008940	0x00007740	0x0000005E

GDI32.dll (8)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
SetBkMode	-	0x0040804C	0x000086FC	0x000074FC	0x00000216
SetBkColor	-	0x00408050	0x00008700	0x00007500	0x00000215
GetDeviceCaps	-	0x00408054	0x00008704	0x00007504	0x0000016B
CreateFontIndirectW	-	0x00408058	0x00008708	0x00007508	0x0000003D
CreateBrushIndirect	-	0x0040805C	0x0000870C	0x0000750C	0x00000029
DeleteObject	-	0x00408060	0x00008710	0x00007510	0x0000008F
SetTextColor	-	0x00408064	0x00008714	0x00007514	0x0000023C
SelectObject	-	0x00408068	0x00008718	0x00007518	0x0000020E

KERNEL32.dll (65)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
GetExitCodeProcess	-	0x00408070	0x00008720	0x00007520	0x0000015A
WaitForSingleObject	-	0x00408074	0x00008724	0x00007524	0x00000390
GetModuleHandleA	-	0x00408078	0x00008728	0x00007528	0x0000017F
GetProcAddress	-	0x0040807C	0x0000872C	0x0000752C	0x000001A0
GetSystemDirectoryW	-	0x00408080	0x00008730	0x00007530	0x000001C2
lstrcatW	-	0x00408084	0x00008734	0x00007534	0x000003BE
Sleep	-	0x00408088	0x00008738	0x00007538	0x00000356
lstrcpyA	-	0x0040808C	0x0000873C	0x0000753C	0x000003C6
WriteFile	-	0x00408090	0x00008740	0x00007540	0x000003A4
GetTempFileNameW	-	0x00408094	0x00008744	0x00007544	0x000001D4
CreateFileW	-	0x00408098	0x00008748	0x00007548	0x00000056
lstrcmpiA	-	0x0040809C	0x0000874C	0x0000754C	0x000003C3
RemoveDirectoryW	-	0x004080A0	0x00008750	0x00007550	0x000002C5
CreateProcessW	-	0x004080A4	0x00008754	0x00007554	0x00000069
CreateDirectoryW	-	0x004080A8	0x00008758	0x00007558	0x0000004E
GetLastError	-	0x004080AC	0x0000875C	0x0000755C	0x00000171
CreateThread	-	0x004080B0	0x00008760	0x00007560	0x0000006F
GlobalLock	-	0x004080B4	0x00008764	0x00007564	0x00000203
GlobalUnlock	-	0x004080B8	0x00008768	0x00007568	0x0000020A
GetDiskFreeSpaceW	-	0x004080BC	0x0000876C	0x0000756C	0x00000150
WideCharToMultiByte	-	0x004080C0	0x00008770	0x00007570	0x00000394
lstrcpynW	-	0x004080C4	0x00008774	0x00007574	0x000003CA
lstrlenW	-	0x004080C8	0x00008778	0x00007578	0x000003CD
SetErrorMode	-	0x004080CC	0x0000877C	0x0000757C	0x00000315
GetVersionExW	-	0x004080D0	0x00008780	0x00007580	0x000001EA
GetCommandLineW	-	0x004080D4	0x00008784	0x00007584	0x00000111
GetTempPathW	-	0x004080D8	0x00008788	0x00007588	0x000001D6
GetWindowsDirectoryW	-	0x004080DC	0x0000878C	0x0000758C	0x000001F4
SetEnvironmentVariableW	-	0x004080E0	0x00008790	0x00007590	0x00000314
CopyFileW	-	0x004080E4	0x00008794	0x00007594	0x00000046
ExitProcess	-	0x004080E8	0x00008798	0x00007598	0x000000B9
GetCurrentProcess	-	0x004080EC	0x0000879C	0x0000759C	0x00000142
GetModuleFileNameW	-	0x004080F0	0x000087A0	0x000075A0	0x0000017E
GetFileSize	-	0x004080F4	0x000087A4	0x000075A4	0x00000163
GetTickCount	-	0x004080F8	0x000087A8	0x000075A8	0x000001DF
MulDiv	-	0x004080FC	0x000087AC	0x000075AC	0x00000274
SetFileAttributesW	-	0x00408100	0x000087B0	0x000075B0	0x0000031A
GetFileAttributesW	-	0x00408104	0x000087B4	0x000075B4	0x00000161
SetCurrentDirectoryW	-	0x00408108	0x000087B8	0x000075B8	0x0000030B
MoveFileW	-	0x0040810C	0x000087BC	0x000075BC	0x00000271
GetFullPathNameW	-	0x00408110	0x000087C0	0x000075C0	0x0000016A
GetShortPathNameW	-	0x00408114	0x000087C4	0x000075C4	0x000001B6
SearchPathW	-	0x00408118	0x000087C8	0x000075C8	0x000002DC
CompareFileTime	-	0x0040811C	0x000087CC	0x000075CC	0x00000039
SetFileTime	-	0x00408120	0x000087D0	0x000075D0	0x0000031F
CloseHandle	-	0x00408124	0x000087D4	0x000075D4	0x00000034
lstrcmpiW	-	0x00408128	0x000087D8	0x000075D8	0x000003C4
lstrcmpW	-	0x0040812C	0x000087DC	0x000075DC	0x000003C1
ExpandEnvironmentStringsW	-	0x00408130	0x000087E0	0x000075E0	0x000000BD
GlobalFree	-	0x00408134	0x000087E4	0x000075E4	0x000001FF
GlobalAlloc	-	0x00408138	0x000087E8	0x000075E8	0x000001F8
GetModuleHandleW	-	0x0040813C	0x000087EC	0x000075EC	0x00000182
LoadLibraryExW	-	0x00408140	0x000087F0	0x000075F0	0x00000254
MoveFileExW	-	0x00408144	0x000087F4	0x000075F4	0x00000270
FreeLibrary	-	0x00408148	0x000087F8	0x000075F8	0x000000F8
WritePrivateProfileStringW	-	0x0040814C	0x000087FC	0x000075FC	0x000003AA
GetPrivateProfileStringW	-	0x00408150	0x00008800	0x00007600	0x0000019D
lstrlenA	-	0x00408154	0x00008804	0x00007604	0x000003CC
MultiByteToWideChar	-	0x00408158	0x00008808	0x00007608	0x00000275
ReadFile	-	0x0040815C	0x0000880C	0x0000760C	0x000002B5
SetFilePointer	-	0x00408160	0x00008810	0x00007610	0x0000031B
FindClose	-	0x00408164	0x00008814	0x00007614	0x000000CE
FindNextFileW	-	0x00408168	0x00008818	0x00007618	0x000000DD
FindFirstFileW	-	0x0040816C	0x0000881C	0x0000761C	0x000000D5
DeleteFileW	-	0x00408170	0x00008820	0x00007620	0x00000084

Digital Signature Information

Verification Status

Valid

Certificate: Insecticide PNEST

Issued by	Insecticide PNEST
Country Name	US
Valid From	2022-07-05 10:49 (UTC+2)
Valid Until	2023-07-05 10:49 (UTC+2)
Algorithm	sha256_rsa
Serial Number	DB 34 79 34 CF A3 F5 45
Thumbprint	1A 7E D3 42 D4 BE 04 B7 8B 1F C4 09 7D 27 FC 98 6B B5 CB 33

Memory Dumps (37)

Name	Process ID	Start VA	End VA	Dump Reason	Bitness	Entry Point	Actions
e7ee8ff4872d57b2fba736ee6556e3f92a3fc1c3c8738c50cc8b1e6acbb4379f.exe	1	0x00400000	0x00497FFF	Relevant Image	32-bit	0x0040690A	... Actions Go to Process Download Dump
system.dll	1	0x74AD0000	0x74AD6FFF	First Execution	32-bit	0x74AD1817	... Actions Go to Process Download Dump
buffer	1	0x02E00000	0x02EFFFFF	First Execution	32-bit	0x02E00000	... Actions Go to Process Download Dump
buffer	1	0x02E00000	0x02EFFFFF	Content Changed	32-bit	0x02E1485C	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x02E00000	0x02EFFFFF	Content Changed	32-bit	0x02E10232	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x02E00000	0x02EFFFFF	Content Changed	32-bit	0x02E12BEB	... Actions Go to Process Go to YARA Match Download Dump
ntdll.dll	1	0x77150000	0x772CFFFF	First Execution	32-bit	0x77170028	... Actions Go to Process Download Dump
buffer	1	0x02E00000	0x02EFFFFF	Content Changed	32-bit	0x02E10FB7	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x02E00000	0x02EFFFFF	Content Changed	32-bit	0x02E0B6E6	... Actions Go to Process Go to YARA Match Download Dump
buffer	2	0x001B0000	0x002AFFFF	First Execution	32-bit	0x001B0000	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x02E00000	0x02EFFFFF	Content Changed	32-bit	0x02E14184	... Actions Go to Process Download Dump
buffer	1	0x02E00000	0x02EFFFFF	Content Changed	32-bit	0x02E0D534	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x02F00000	0x02F80FFF	Dump Rule: GuLoaderConfig	32-bit	-	... Actions Go to Process Download Dump
e7ee8ff4872d57b2fba736ee6556e3f92a3fc1c3c8738c50cc8b1e6acbb4379f.exe	1	0x00400000	0x00497FFF	Process Termination	32-bit	-	... Actions Go to Process Download Dump
buffer	2	0x001B0000	0x002AFFFF	Content Changed	32-bit	0x001BDFA3	... Actions Go to Process Go to YARA Match Download Dump
buffer	2	0x001B0000	0x002AFFFF	Content Changed	32-bit	0x001B1000	... Actions Go to Process Go to YARA Match Download Dump
ntdll.dll	2	0x77150000	0x772CFFFF	First Execution	32-bit	0x77170028	... Actions Go to Process Download Dump
buffer	2	0x0018C000	0x0018FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	2	0x001B0000	0x002AFFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	2	0x022B0000	0x02330FFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	2	0x001B0000	0x002AFFFF	Content Changed	32-bit	0x001B5F5D	... Actions Go to Process Go to YARA Match Download Dump
mshtml.dll	2	0x00400000	0x009B6FFF	Content Changed	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
mshtml.dll	2	0x00400000	0x009B6FFF	Content Changed	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
mshtml.dll	2	0x00400000	0x009B6FFF	Content Changed	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
mshtml.dll	2	0x00400000	0x009B6FFF	Content Changed	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
mshtml.dll	2	0x00400000	0x009B6FFF	Content Changed	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
mshtml.dll	2	0x00400000	0x009B6FFF	Content Changed	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
mshtml.dll	2	0x00400000	0x009B6FFF	Content Changed	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
mshtml.dll	2	0x00400000	0x009B6FFF	Content Changed	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
mshtml.dll	2	0x00400000	0x009B6FFF	Content Changed	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
mshtml.dll	2	0x00400000	0x009B6FFF	Content Changed	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
buffer	2	0x001B0000	0x002AFFFF	Content Changed	32-bit	0x001C2701	... Actions Go to Process Download Dump
mshtml.dll	2	0x00400000	0x009B6FFF	Content Changed	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
mshtml.dll	2	0x00400000	0x009B6FFF	Content Changed	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
mshtml.dll	2	0x00400000	0x009B6FFF	Content Changed	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
buffer	2	0x001B0000	0x002AFFFF	Final Dump	32-bit	-	... Actions Go to Process Download Dump
buffer	2	0x022B0000	0x02330FFF	Final Dump	32-bit	-	... Actions Go to Process Download Dump

C:\Users\KEECFM~1\AppData\Local\Temp\nszC5AD.tmp\System.dll

Dropped File

Binary

MIME Type	application/vnd.microsoft.portable-executable
File Size	12.00 KB
MD5	cff85c549d536f651d4fb8387f1976f2
SHA1	d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA256	8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SSDeep	192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
ImpHash	fc0224e99e736751432961db63a41b76

File Reputation Information

Verdict

Clean

PE Information

Image Base	0x10000000
Entry Point	0x10002A7F
Size Of Code	0x00002200
Size Of Initialized Data	0x00000A00
File Type	IMAGE_FILE_DLL
Subsystem	IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type	IMAGE_FILE_MACHINE_I386
Compile Timestamp	2021-09-25 23:52 (UTC+2)

Sections (4)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
.text	0x10001000	0x000020EF	0x00002200	0x00000400	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.36
.rdata	0x10004000	0x00000363	0x00000400	0x00002600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	3.93
.data	0x10005000	0x00000078	0x00000200	0x00002A00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	0.35
.reloc	0x10006000	0x00000296	0x00000400	0x00002C00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	4.02

Imports (3)

KERNEL32.dll (16)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
GetModuleHandleW	-	0x10004000	0x000040FC	0x000026FC	0x00000182
GlobalFree	-	0x10004004	0x00004100	0x00002700	0x000001FF
GlobalSize	-	0x10004008	0x00004104	0x00002704	0x00000207
lstrcpynW	-	0x1000400C	0x00004108	0x00002708	0x000003CA
lstrcpyW	-	0x10004010	0x0000410C	0x0000270C	0x000003C7
GetProcAddress	-	0x10004014	0x00004110	0x00002710	0x000001A0
WideCharToMultiByte	-	0x10004018	0x00004114	0x00002714	0x00000394
VirtualFree	-	0x1000401C	0x00004118	0x00002718	0x00000383
FreeLibrary	-	0x10004020	0x0000411C	0x0000271C	0x000000F8
lstrlenW	-	0x10004024	0x00004120	0x00002720	0x000003CD
LoadLibraryW	-	0x10004028	0x00004124	0x00002724	0x00000255
GlobalAlloc	-	0x1000402C	0x00004128	0x00002728	0x000001F8
MultiByteToWideChar	-	0x10004030	0x0000412C	0x0000272C	0x00000275
VirtualAlloc	-	0x10004034	0x00004130	0x00002730	0x00000381
VirtualProtect	-	0x10004038	0x00004134	0x00002734	0x00000386
GetLastError	-	0x1000403C	0x00004138	0x00002738	0x00000171

USER32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
wsprintfW	-	0x10004044	0x00004140	0x00002740	0x000002D8

ole32.dll (2)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
StringFromGUID2	-	0x1000404C	0x00004148	0x00002748	0x00000135
CLSIDFromString	-	0x10004050	0x0000414C	0x0000274C	0x00000008

Exports (8)

API Name	EAT Address	Ordinal
Alloc	0x00001000	0x00000001
Call	0x00001817	0x00000002
Copy	0x00001058	0x00000003
Free	0x0000170D	0x00000004
Get	0x00001774	0x00000005
Int64Op	0x00001979	0x00000006
Store	0x000010E1	0x00000007
StrAlloc	0x0000103D	0x00000008

C:\Users\kEecfMwgj\Videos\Betingningerne\Readjourned\Gestisk.For

Dropped File

Stream

MIME Type	application/octet-stream
File Size	98.58 KB
MD5	82e66d75a013cb8a0199605e25a8d60d
SHA1	a06b8824709d4118f9d8de3dee255a4ae9182120
SHA256	bfba27ae5371cdb46e05ce6d095ea6c72db8b3ad3bc8bf134a92ca9bcb015324
SSDeep	1536:txzGk49tTM/mhii8OfU4+a4ADaajhYYQNoR/QUxapy6yEcOtM6r9WERlJm4:txi39MVilDaaFYYBmUxas+cY9Wb4
ImpHash	-

C:\Users\kEecfMwgj\Videos\Betingningerne\Readjourned\\SHAURI\Ld7\elan.DIS

Dropped File

Text

Also Known As	C:\Users\kEecfMwgj\Videos\Betingningerne\Readjourned\SHAURI\Ld7\elan.DIS (Accessed File)
MIME Type	text/plain
File Size	34.06 KB
MD5	42893e64c311f69fe35c83bb58d511d4
SHA1	702aff974b19085073a50dd14401a138266e3696
SHA256	85ebba149609a889b9d04f949871c8a682ceb46b99951be864c930d35c8aed4f
SSDeep	768:HXShUv41uZ2X3oSYWaqOpAw3gNrfuIqglv5wvhKYI7mM:1AuEoSYWaqjwQNrfQgOC7n
ImpHash	-

C:\Users\kEecfMwgj\Videos\Betingningerne\Readjourned\face-cool-symbolic.svg

Dropped File

Image

MIME Type	image/svg
File Size	398 Bytes
MD5	f4d84a109ea934be8b462d13f5994e56
SHA1	44fb1eec815d38919e604a0b6715e80c83c3ad7b
SHA256	d956fcc2cf8c989441309a92a1a0ed084799370fd384c80222f726b303b7cdaf
SSDeep	6:tI9mc4slzcWER4FZP+oPnv4KRduDISIbARCYSFohQ5NLX6Rw2rvZpLtJW14lmCWt:t4CDqdtP8ISTRnRQO7vZpp81WA9A0/
ImpHash	-

File Reputation Information

Verdict

Clean

C:\Users\KEECFM~1\AppData\Local\Temp\nseC3F4.tmp

Dropped File

Empty

MIME Type	application/x-empty
File Size	0 Bytes
MD5	d41d8cd98f00b204e9800998ecf8427e
SHA1	da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256	e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep	3::
ImpHash	-

C:\Users\KEECFM~1\AppData\Local\Temp\nsjC54C.tmp

Dropped File

Empty

MIME Type	application/x-empty
File Size	0 Bytes
MD5	d41d8cd98f00b204e9800998ecf8427e
SHA1	da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256	e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep	3::
ImpHash	-

C:\Users\KEECFM~1\AppData\Local\Temp\nsjC59C.tmp

Dropped File

Empty

MIME Type	application/x-empty
File Size	0 Bytes
MD5	d41d8cd98f00b204e9800998ecf8427e
SHA1	da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256	e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep	3::
ImpHash	-

C:\Users\KEECFM~1\AppData\Local\Temp\nszC5AD.tmp

Dropped File

Empty

MIME Type	application/x-empty
File Size	0 Bytes
MD5	d41d8cd98f00b204e9800998ecf8427e
SHA1	da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256	e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep	3::
ImpHash	-

C:\Users\KEECFM~1\AppData\Local\Temp\nszC55D.tmp

Dropped File

Empty

MIME Type	application/x-empty
File Size	0 Bytes
MD5	d41d8cd98f00b204e9800998ecf8427e
SHA1	da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256	e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep	3::
ImpHash	-

Remarks (1/1)

Remarks

There are no files for this filter

There are no files in this analysis

Classifications

Threat Names

Before

After

WHOIS Domain Information