Edit tour

Windows Analysis Report
RFQ_SRC02252017-pdf.scr.exe

Overview

General Information

Sample name:	RFQ_SRC02252017-pdf.scr.exe
Analysis ID:	1617166
MD5:	11f41ca243c031d073ca13d1aa0e9a29
SHA1:	ba4eb2a551a053f3f222ce0c5039e5b05cca880e
SHA256:	7a0f824a21b8f5d26bf8536e2f5958514b6975d54722418719c8e919734a3986
Tags:	exeuser-threatcat_ch
Infos:

Detection

GuLoader

Score:	96
Range:	0 - 100
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Increases the number of concurrent connection per server for Internet Explorer

Initial sample is a PE file and has a suspicious name

Joe Sandbox ML detected suspicious sample

Sigma detected: New RUN Key Pointing to Suspicious Folder

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Sigma detected: CurrentVersion Autorun Keys Modification

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

RFQ_SRC02252017-pdf.scr.exe (PID: 7496 cmdline: "C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe" MD5: 11F41CA243C031D073CA13D1AA0E9A29)

RFQ_SRC02252017-pdf.scr.exe (PID: 7988 cmdline: "C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe" MD5: 11F41CA243C031D073CA13D1AA0E9A29)

WerFault.exe (PID: 2084 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7988 -s 2076 MD5: C31336C1EFC2CCB44B4326EA793040F2)

microminiaturise.exe (PID: 5808 cmdline: "C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe" MD5: 11F41CA243C031D073CA13D1AA0E9A29)

microminiaturise.exe (PID: 7608 cmdline: "C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe" MD5: 11F41CA243C031D073CA13D1AA0E9A29)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.2889128126.00000000005A1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
0000000A.00000002.2958990124.00000000022BB000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000000.00000002.2202302149.0000000005E9B000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000008.00000002.2890992868.0000000005D5B000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: microminiaturise.exe PID: 5808	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe, ProcessId: 7988, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Befolkningsgruppe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe, ProcessId: 7988, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Befolkningsgruppe

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 10, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe, ProcessId: 7988, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-17T15:42:18.761377+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	49784	38.108.185.115	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	Virustotal: Detection: 37%			Perma Link
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	ReversingLabs: Detection: 27%

Multi AV Scanner detection for submitted file

Source: RFQ_SRC02252017-pdf.scr.exe	Virustotal: Detection: 34%			Perma Link
Source: RFQ_SRC02252017-pdf.scr.exe	ReversingLabs: Detection: 27%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: RFQ_SRC02252017-pdf.scr.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe

Directory created: C:\Program Files\Microsoft DN1

Jump to behavior

Source: unknown	HTTPS traffic detected: 38.108.185.115:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 38.108.185.69:443 -> 192.168.2.4:49790 version: TLS 1.2

Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Code function: 0_2_00405FE2 FindFirstFileA,FindClose,	0_2_00405FE2
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Code function: 0_2_0040559E CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_0040559E
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Code function: 0_2_00402645 FindFirstFileA,	0_2_00402645
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Code function: 4_2_00402645 FindFirstFileA,	4_2_00402645
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Code function: 4_2_00405FE2 FindFirstFileA,FindClose,	4_2_00405FE2
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Code function: 4_2_0040559E CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	4_2_0040559E

Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: Joe Sandbox View

IP Address: 38.108.185.115 38.108.185.115

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49784 -> 38.108.185.115:443

Source: global traffic	HTTP traffic detected: GET /d/MzdfMzIyNjM2NDFf/DgaYM84.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: od.lkCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /api/v1/download/file.json/MzdfMzIyNjM2NDFf?temp_key=%0E%06%983%CE%1B%8A&inline=0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: web.opendrive.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /d/MzdfMzIyNjM2NDFf/DgaYM84.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: od.lkCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /api/v1/download/file.json/MzdfMzIyNjM2NDFf?temp_key=%0E%06%983%CE%1B%8A&inline=0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: web.opendrive.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: od.lk
Source: global traffic	DNS traffic detected: DNS query: web.opendrive.com

Source: RFQ_SRC02252017-pdf.scr.exe, microminiaturise.exe.0.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: RFQ_SRC02252017-pdf.scr.exe, microminiaturise.exe.0.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net
Source: RFQ_SRC02252017-pdf.scr.exe, 00000004.00000002.2546598591.00000000036E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://od.lk/
Source: RFQ_SRC02252017-pdf.scr.exe, 00000004.00000002.2546598591.00000000036A8000.00000004.00000020.00020000.00000000.sdmp, RFQ_SRC02252017-pdf.scr.exe, 00000004.00000003.2372157701.00000000036F9000.00000004.00000020.00020000.00000000.sdmp, RFQ_SRC02252017-pdf.scr.exe, 00000004.00000002.2547161211.00000000051F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://od.lk/d/MzdfMzIyNjM2NDFf/DgaYM84.bin
Source: RFQ_SRC02252017-pdf.scr.exe, 00000004.00000002.2546598591.00000000036E5000.00000004.00000020.00020000.00000000.sdmp, RFQ_SRC02252017-pdf.scr.exe, 00000004.00000003.2372157701.00000000036F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://od.lk/d/MzdfMzIyNjM2NDFf/DgaYM84.binR
Source: RFQ_SRC02252017-pdf.scr.exe, 00000004.00000003.2338138993.000000000371A000.00000004.00000020.00020000.00000000.sdmp, RFQ_SRC02252017-pdf.scr.exe, 00000004.00000003.2338138993.000000000373A000.00000004.00000020.00020000.00000000.sdmp, RFQ_SRC02252017-pdf.scr.exe, 00000004.00000002.2546726757.000000000373A000.00000004.00000020.00020000.00000000.sdmp, RFQ_SRC02252017-pdf.scr.exe, 00000004.00000003.2350162207.000000000373A000.00000004.00000020.00020000.00000000.sdmp, RFQ_SRC02252017-pdf.scr.exe, 00000004.00000003.2372191621.000000000373A000.00000004.00000020.00020000.00000000.sdmp, RFQ_SRC02252017-pdf.scr.exe, 00000004.00000003.2372032853.000000000373A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.opendrive.com/
Source: RFQ_SRC02252017-pdf.scr.exe, 00000004.00000003.2338138993.000000000371A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.opendrive.com/LMEM
Source: RFQ_SRC02252017-pdf.scr.exe, 00000004.00000003.2338138993.000000000373A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.opendrive.com/Q
Source: RFQ_SRC02252017-pdf.scr.exe, 00000004.00000003.2372032853.000000000373A000.00000004.00000020.00020000.00000000.sdmp, RFQ_SRC02252017-pdf.scr.exe, 00000004.00000003.2372157701.0000000003700000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.opendrive.com/api/v1/download/file.json/MzdfMzIyNjM2NDFf?temp_key=%0E%06%983%CE%1B%8A&in
Source: RFQ_SRC02252017-pdf.scr.exe, 00000004.00000003.2338138993.000000000373A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.opendrive.com/i
Source: RFQ_SRC02252017-pdf.scr.exe, 00000004.00000003.2338138993.000000000373A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.opendrive.com/y

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443

Source: unknown	HTTPS traffic detected: 38.108.185.115:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 38.108.185.69:443 -> 192.168.2.4:49790 version: TLS 1.2

Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe

Code function: 0_2_00405107 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405107

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: RFQ_SRC02252017-pdf.scr.exe

Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Code function: 0_2_00403217 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		0_2_00403217
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Code function: 4_2_00403217 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		4_2_00403217

Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Code function: 0_2_00404946	0_2_00404946
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Code function: 0_2_004062B8	0_2_004062B8
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Code function: 4_2_00404946	4_2_00404946
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Code function: 4_2_004062B8	4_2_004062B8

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\nssC273.tmp\System.dll 75ED40311875312617D6711BAED0BE29FCAEE71031CA27A8D308A72B15A51E49

Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe

Code function: String function: 004029FD appears 49 times

Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7988 -s 2076

Source: RFQ_SRC02252017-pdf.scr.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal96.phis.troj.evad.winEXE@7/22@2/2

Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe

Code function: 0_2_0040440A GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_0040440A

Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe

Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar,

0_2_00402036

Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe

File created: C:\Program Files (x86)\Redwing.ini

Jump to behavior

Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\kendingsmelodiernes

Jump to behavior

Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7988

Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe

File created: C:\Users\user\AppData\Local\Temp\nswA836.tmp

Jump to behavior

Source: RFQ_SRC02252017-pdf.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RFQ_SRC02252017-pdf.scr.exe	Virustotal: Detection: 34%
Source: RFQ_SRC02252017-pdf.scr.exe	ReversingLabs: Detection: 27%

Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe

File read: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe "C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe"
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Process created: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe "C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe"
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7988 -s 2076
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe "C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe"
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	Process created: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe "C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe"
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Process created: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe "C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	Process created: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe "C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe"	Jump to behavior

Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe

File written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\kendingsmelodiernes\kmpernes\Trkloset\Dandyens138.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe

Directory created: C:\Program Files\Microsoft DN1

Jump to behavior

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 0000000A.00000002.2958990124.00000000022BB000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2202302149.0000000005E9B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2890992868.0000000005D5B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2889128126.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: microminiaturise.exe PID: 5808, type: MEMORYSTR

Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe

Code function: 0_2_00406009 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406009

Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe

Code function: 0_2_10002D40 push eax; ret

0_2_10002D6E

Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	File created: C:\Users\user\AppData\Local\Temp\nsyACCD.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	File created: C:\Users\user\AppData\Local\Temp\nssC273.tmp\System.dll	Jump to dropped file

Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\kendingsmelodiernes	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\kendingsmelodiernes\kmpernes	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\kendingsmelodiernes\kmpernes\Trkloset	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\kendingsmelodiernes\kmpernes\Trkloset\meike.Pri	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\kendingsmelodiernes\kmpernes\Trkloset\Casablanca.txt	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\kendingsmelodiernes\kmpernes\Trkloset\Dandyens138.ini	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\kendingsmelodiernes\kmpernes\Trkloset\Raahusenes	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\kendingsmelodiernes\kmpernes\Trkloset\Raahusenes\convenes.ini	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\kendingsmelodiernes\kmpernes\Trkloset\Raahusenes\guslee.lta	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\kendingsmelodiernes\kmpernes\Trkloset\Raahusenes\havearkitekts.jpg	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\kendingsmelodiernes\kmpernes\Trkloset\Raahusenes\inkasseringens.ini	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\kendingsmelodiernes\kmpernes\Trkloset\Raahusenes\konfronter.jpg	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\kendingsmelodiernes\kmpernes\Trkloset\Raahusenes\minirobot.uni	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\kendingsmelodiernes\kmpernes\Trkloset\Raahusenes\straksafskrivningerne.sak	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\kendingsmelodiernes\kmpernes\Trkloset\Raahusenes\unthrift.jpg	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\kendingsmelodiernes\kmpernes\Trkloset\Rhinskvinsglassets	Jump to behavior

Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Befolkningsgruppe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Befolkningsgruppe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Befolkningsgruppe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Befolkningsgruppe	Jump to behavior

Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	API/Special instruction interceptor: Address: 5EA7F49
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	API/Special instruction interceptor: Address: 22C7F49
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	API/Special instruction interceptor: Address: 5D67F49
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	API/Special instruction interceptor: Address: 22C7F49

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	RDTSC instruction interceptor: First address: 5E51EE9 second address: 5E51EE9 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 cmp esi, 27BA7437h 0x0000000a cmp ebx, ecx 0x0000000c jc 00007FEB54EE23ADh 0x0000000e inc ebp 0x0000000f inc ebx 0x00000010 test si, 78A6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	RDTSC instruction interceptor: First address: 2271EE9 second address: 2271EE9 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 cmp esi, 27BA7437h 0x0000000a cmp ebx, ecx 0x0000000c jc 00007FEB54785EBDh 0x0000000e inc ebp 0x0000000f inc ebx 0x00000010 test si, 78A6h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	RDTSC instruction interceptor: First address: 5D11EE9 second address: 5D11EE9 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 cmp esi, 27BA7437h 0x0000000a cmp ebx, ecx 0x0000000c jc 00007FEB54EE23ADh 0x0000000e inc ebp 0x0000000f inc ebx 0x00000010 test si, 78A6h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	RDTSC instruction interceptor: First address: 2271EE9 second address: 2271EE9 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 cmp esi, 27BA7437h 0x0000000a cmp ebx, ecx 0x0000000c jc 00007FEB54785EBDh 0x0000000e inc ebp 0x0000000f inc ebx 0x00000010 test si, 78A6h 0x00000015 rdtsc

Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsyACCD.tmp\System.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nssC273.tmp\System.dll			Jump to dropped file

Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe TID: 7184

Thread sleep count: 70 > 30

Jump to behavior

Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Code function: 0_2_00405FE2 FindFirstFileA,FindClose,	0_2_00405FE2
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Code function: 0_2_0040559E CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_0040559E
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Code function: 0_2_00402645 FindFirstFileA,	0_2_00402645
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Code function: 4_2_00402645 FindFirstFileA,	4_2_00402645
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Code function: 4_2_00405FE2 FindFirstFileA,FindClose,	4_2_00405FE2
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Code function: 4_2_0040559E CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	4_2_0040559E

Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: RFQ_SRC02252017-pdf.scr.exe, 00000004.00000002.2546598591.00000000036A8000.00000004.00000020.00020000.00000000.sdmp, RFQ_SRC02252017-pdf.scr.exe, 00000004.00000002.2546598591.0000000003700000.00000004.00000020.00020000.00000000.sdmp, RFQ_SRC02252017-pdf.scr.exe, 00000004.00000003.2372157701.0000000003700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: RFQ_SRC02252017-pdf.scr.exe, 00000004.00000002.2546598591.0000000003700000.00000004.00000020.00020000.00000000.sdmp, RFQ_SRC02252017-pdf.scr.exe, 00000004.00000003.2372157701.0000000003700000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWM
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	API call chain: ExitProcess graph end node			graph_0-4361
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	API call chain: ExitProcess graph end node			graph_0-4521

Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe

Code function: 0_2_00406009 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406009

Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe	Process created: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe "C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe"			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe	Process created: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe "C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe"			Jump to behavior

Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe

Code function: 0_2_00405D00 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405D00

Lowering of HIPS / PFW / Operating System Security Settings

Increases the number of concurrent connection per server for Internet Explorer

Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10

Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	11 Registry Run Keys / Startup Folder	11 Process Injection	3 Masquerading	OS Credential Dumping	311 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 Endpoint Denial of Service
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Registry Run Keys / Startup Folder	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	1 System Shutdown/Reboot
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RFQ_SRC02252017-pdf.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
RFQ_SRC02252017-pdf.scr.exe