Windows Analysis Report
WSNBOfCAfh.exe

Overview

General Information

Sample name: WSNBOfCAfh.exe
(renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name: E58E25C8AEF38A1BC6546AEE7A5C94CB534F64D7F4FCFC937A2F5A3AD9191A5F
Analysis ID: 1426781
MD5: bcb8cbe530f4f7be6a3901067961ad14
SHA1: 76c49f0c0e66746201e0598b61d46dd39747cd55
SHA256: e58e25c8aef38a1bc6546aee7a5c94cb534f64d7f4fcfc937a2f5a3ad9191a5f
Detection

Score: 3
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Drops PE files
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Use Short Name Path in Command Line
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: WSNBOfCAfh.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: WSNBOfCAfh.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: GU.exe, 00000006.00000000.1561340685.0000000001CCD000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://localhost6CloudDriveSettings.DropBoxSettings.OAuth2.RedirectPort
Source: GU.exe, 00000006.00000000.1561340685.0000000001CCD000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://localhost7CloudDriveSettings.OneDriveSettings.OAuth2.RedirectPort
Source: GU.exe, 00000006.00000000.1561340685.0000000001CCD000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://localhost:CloudDriveSettings.GoogleDriveSettings.OAuth2.RedirectPort
Source: GU.exe, 00000006.00000000.1561340685.0000000001CCD000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://localhostJEmailSettings.ConnectionSettings.WebMail.GmailSettings.OAuth2.RedirectPort
Source: GU.exe, 00000006.00000000.1561340685.0000000001CCD000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://localhostOEmailSettings.ConnectionSettings.WebMail.Outlook365Settings.OAuth2.RedirectPort
Source: GU.exe, 00000006.00000000.1554566034.0000000000C51000.00000020.00000001.01000000.00000008.sdmp, is-OH7O9.tmp.2.dr String found in binary or memory: http://maps.googleapis.com/maps/api/staticmap?S
Source: GU.exe, 00000006.00000000.1554566034.0000000001651000.00000020.00000001.01000000.00000008.sdmp, is-OH7O9.tmp.2.dr String found in binary or memory: http://www.adobe.ch
Source: GU.exe, 00000006.00000000.1554566034.0000000000C51000.00000020.00000001.01000000.00000008.sdmp, is-OH7O9.tmp.2.dr String found in binary or memory: http://www.aiim.org/pdfa/ns/extension/
Source: GU.exe, 00000006.00000000.1554566034.0000000000C51000.00000020.00000001.01000000.00000008.sdmp, is-OH7O9.tmp.2.dr String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: GU.exe, 00000006.00000000.1554566034.0000000000C51000.00000020.00000001.01000000.00000008.sdmp, is-OH7O9.tmp.2.dr String found in binary or memory: http://www.aiim.org/pdfa/ns/property#
Source: GU.exe, 00000006.00000000.1554566034.0000000000C51000.00000020.00000001.01000000.00000008.sdmp, is-OH7O9.tmp.2.dr String found in binary or memory: http://www.aiim.org/pdfa/ns/schema#
Source: WSNBOfCAfh.tmp, 00000002.00000003.1568353523.0000000005700000.00000004.00001000.00020000.00000000.sdmp, is-4FJH0.tmp.2.dr String found in binary or memory: http://www.color.org)/S/GTS_PDFX/Type/OutputIntent
Source: GU.exe, 00000006.00000000.1554566034.0000000000C51000.00000020.00000001.01000000.00000008.sdmp, is-OH7O9.tmp.2.dr String found in binary or memory: http://www.google.com/maps/SV
Source: WSNBOfCAfh.tmp, 00000002.00000003.1568353523.0000000005700000.00000004.00001000.00020000.00000000.sdmp, is-4FJH0.tmp.2.dr String found in binary or memory: http://www.npes.org/pdfx/ns/id/
Source: GU.exe, 00000006.00000000.1554566034.0000000000C51000.00000020.00000001.01000000.00000008.sdmp, is-OH7O9.tmp.2.dr String found in binary or memory: https://code.google.com/apis/console
Source: GU.exe, 00000006.00000000.1554566034.0000000000C51000.00000020.00000001.01000000.00000008.sdmp, is-OH7O9.tmp.2.dr String found in binary or memory: https://indy.fulgan.com/SSL/OpenSSL_add_all_ciphersOpenSSL_add_all_digestsERR_get_errorERR_peek_erro
Source: WSNBOfCAfh.exe String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: GU.exe, 00000006.00000000.1554566034.0000000000C51000.00000020.00000001.01000000.00000008.sdmp, is-OH7O9.tmp.2.dr String found in binary or memory: https://www.digital-metaphors.com
Source: GU.exe, 00000006.00000000.1554566034.0000000000C51000.00000020.00000001.01000000.00000008.sdmp, is-OH7O9.tmp.2.dr String found in binary or memory: https://www.digital-metaphors.com/orderU
Source: GU.exe, 00000006.00000000.1554566034.0000000000C51000.00000020.00000001.01000000.00000008.sdmp, is-OH7O9.tmp.2.dr String found in binary or memory: https://www.digital-metaphors.com/supportU
Source: WSNBOfCAfh.exe, 00000000.00000003.1327005717.000000007FB50000.00000004.00001000.00020000.00000000.sdmp, WSNBOfCAfh.exe, 00000000.00000003.1326671668.0000000002520000.00000004.00001000.00020000.00000000.sdmp, WSNBOfCAfh.tmp, 00000002.00000000.1328184245.0000000000401000.00000020.00000001.01000000.00000004.sdmp String found in binary or memory: https://www.innosetup.com/
Source: WSNBOfCAfh.exe, 00000000.00000003.1327005717.000000007FB50000.00000004.00001000.00020000.00000000.sdmp, WSNBOfCAfh.exe, 00000000.00000003.1326671668.0000000002520000.00000004.00001000.00020000.00000000.sdmp, WSNBOfCAfh.tmp, 00000002.00000000.1328184245.0000000000401000.00000020.00000001.01000000.00000004.sdmp String found in binary or memory: https://www.remobjects.com/ps
Source: WSNBOfCAfh.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-6RMLS.tmp.2.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-OH7O9.tmp.2.dr Static PE information: Number of sections : 11 > 10
Source: WSNBOfCAfh.exe, 00000000.00000003.1326671668.000000000260A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs WSNBOfCAfh.exe
Source: WSNBOfCAfh.exe, 00000000.00000003.1327005717.000000007FE36000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs WSNBOfCAfh.exe
Source: WSNBOfCAfh.exe, 00000000.00000000.1325169840.00000000004C6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs WSNBOfCAfh.exe
Source: WSNBOfCAfh.exe, 00000000.00000003.1583338570.0000000002288000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs WSNBOfCAfh.exe
Source: WSNBOfCAfh.exe Binary or memory string: OriginalFileName vs WSNBOfCAfh.exe
Source: WSNBOfCAfh.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: classification engine Classification label: clean3.winEXE@7/28@0/0
Source: is-4FJH0.tmp.2.dr Initial sample: http://www.color.org
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp File created: C:\Program Files (x86)\GU_2024
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp File created: C:\Users\user\AppData\Local\Programs
Source: C:\Program Files (x86)\GU_2024\GU.exe Mutant created: \Sessions\1\BaseNamedObjects\GU Kalkulationsgrundlage 2024
Source: C:\Users\user\Desktop\WSNBOfCAfh.exe File created: C:\Users\user~1\AppData\Local\Temp\is-U1PO5.tmp
Source: C:\Users\user\Desktop\WSNBOfCAfh.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\WSNBOfCAfh.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\GU_2024\GU.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\GU_2024\GU.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp File read: C:\Program Files (x86)\desktop.ini
Source: C:\Users\user\Desktop\WSNBOfCAfh.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: WSNBOfCAfh.exe String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\WSNBOfCAfh.exe File read: C:\Users\user\Desktop\WSNBOfCAfh.exe
Source: unknown Process created: C:\Users\user\Desktop\WSNBOfCAfh.exe "C:\Users\user\Desktop\WSNBOfCAfh.exe"
Source: C:\Users\user\Desktop\WSNBOfCAfh.exe Process created: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp "C:\Users\user~1\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp" /SL5="$2042E,9552580,777216,C:\Users\user\Desktop\WSNBOfCAfh.exe"
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Process created: C:\Program Files (x86)\GU_2024\GU.exe "C:\Program Files (x86)\GU_2024\GU.exe"
Source: C:\Program Files (x86)\GU_2024\GU.exe Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Users\user\Desktop\WSNBOfCAfh.exe Process created: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp "C:\Users\user~1\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp" /SL5="$2042E,9552580,777216,C:\Users\user\Desktop\WSNBOfCAfh.exe"
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Process created: C:\Program Files (x86)\GU_2024\GU.exe "C:\Program Files (x86)\GU_2024\GU.exe"
Source: C:\Program Files (x86)\GU_2024\GU.exe Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Users\user\Desktop\WSNBOfCAfh.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\WSNBOfCAfh.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\WSNBOfCAfh.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\WSNBOfCAfh.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\WSNBOfCAfh.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Section loaded: apphelp.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: usp10.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: oleacc.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: fontsub.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: version.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: oledlg.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: shfolder.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: winsta.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: riched20.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: msls31.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: olepro32.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: msimg32.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: textshaping.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: netprofm.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: npmproxy.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\GU_2024\GU.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: GU 2024.lnk.2.dr LNK file: ..\..\..\..\..\..\Program Files (x86)\GU_2024\GU.exe
Source: Uninstall GU 2024.lnk.2.dr LNK file: ..\..\..\..\..\..\Program Files (x86)\GU_2024\unins000.exe
Source: C:\Program Files (x86)\GU_2024\GU.exe File written: C:\Users\user\settings\GU2024.ini
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Window found: window name: TSelectLanguageForm
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Automated click: Install
Source: Window Recorder Window detected: More than 3 window changes detected
Source: WSNBOfCAfh.exe Static file information: File size 10395772 > 1048576
Source: WSNBOfCAfh.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: WSNBOfCAfh.exe Static PE information: section name: .didata
Source: WSNBOfCAfh.tmp.0.dr Static PE information: section name: .didata
Source: is-6RMLS.tmp.2.dr Static PE information: section name: .didata
Source: is-OH7O9.tmp.2.dr Static PE information: section name: .didata
Source: C:\Program Files (x86)\GU_2024\GU.exe Code function: 6_2_00C61DEE push ecx; mov dword ptr [esp], edx 6_2_00C61DF1
Source: C:\Program Files (x86)\GU_2024\GU.exe Code function: 6_2_00C61D90 push ecx; mov dword ptr [esp], edx 6_2_00C61D91
Source: C:\Program Files (x86)\GU_2024\GU.exe Code function: 6_2_00C61D9C push ecx; mov dword ptr [esp], edx 6_2_00C61D9D
Source: C:\Program Files (x86)\GU_2024\GU.exe Code function: 6_2_00C61DA8 push ecx; mov dword ptr [esp], edx 6_2_00C61DA9
Source: C:\Program Files (x86)\GU_2024\GU.exe Code function: 6_2_00C61F40 push ecx; mov dword ptr [esp], edx 6_2_00C61F41
Source: C:\Program Files (x86)\GU_2024\GU.exe Code function: 6_2_00C61B68 push ecx; mov dword ptr [esp], edx 6_2_00C61B69
Source: C:\Program Files (x86)\GU_2024\GU.exe Code function: 6_2_00C61E14 push ecx; mov dword ptr [esp], edx 6_2_00C61E15
Source: C:\Program Files (x86)\GU_2024\GU.exe Code function: 6_2_00C61F28 push ecx; mov dword ptr [esp], edx 6_2_00C61F29
Source: C:\Program Files (x86)\GU_2024\GU.exe Code function: 6_2_00C61E36 push ecx; mov dword ptr [esp], edx 6_2_00C61E39
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp File created: C:\Program Files (x86)\GU_2024\unins000.exe (copy)
Source: C:\Users\user\Desktop\WSNBOfCAfh.exe File created: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp File created: C:\Program Files (x86)\GU_2024\is-6RMLS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp File created: C:\Program Files (x86)\GU_2024\is-OH7O9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp File created: C:\Program Files (x86)\GU_2024\GU.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp File created: C:\Users\user\AppData\Local\Temp\is-JH8JK.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GU_2024
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GU_2024\GU 2024.lnk
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GU_2024\Uninstall GU 2024.lnk
Source: C:\Users\user\Desktop\WSNBOfCAfh.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\WSNBOfCAfh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\GU_2024\GU.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\GU_2024\GU.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\GU_2024\GU.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\GU_2024\GU.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Dropped PE file which has not been started: C:\Program Files (x86)\GU_2024\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Dropped PE file which has not been started: C:\Program Files (x86)\GU_2024\is-6RMLS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-JH8JK.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\GU_2024\GU.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\00000809
Source: C:\Program Files (x86)\GU_2024\GU.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\00000809
Source: C:\Program Files (x86)\GU_2024\GU.exe Code function: 6_2_00C61A1C GetSystemInfo, 6_2_00C61A1C
Source: C:\Windows\splwow64.exe Thread delayed: delay time: 120000
Source: WSNBOfCAfh.tmp, 00000002.00000003.1579485934.00000000009A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: WSNBOfCAfh.tmp, 00000002.00000003.1568353523.000000000582F000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: e`c_OhgfSPRLHBLOSOOQUX]aXPS
Source: GU.exe, 00000006.00000002.2565034643.0000000000A82000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}HdK
Source: WSNBOfCAfh.tmp, 00000002.00000003.1568353523.000000000582F000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: MNLLRQKQSY8RUTUXABNMWDB@?=<<??==258<50..35693/NZYYNHIICA><91.+0)-''!%**,/('&%)*FDNa?@BGIFHBLJKQTYMMOPPPRRTVW^^`_I?C>;9KKKKKKDFED>@D@=DGJJNRJMFKM><7<30>A44.734==BFGI>KOPJIJLLC@ABHHIHJLRP___`cccb`degVhhgfSlehjQSVUjnYN\^^`a_]`dbcbgdgfd
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-U1PO5.tmp\WSNBOfCAfh.tmp Queries volume information: C:\ VolumeInformation
No contacted IP infos