Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe
Analysis ID:	1617617
MD5:	32cb6ae82e91b97ac49e6df5412698a5
SHA1:	c1adc2d7d481fc1638676f7c87da93acd6e79318
SHA256:	3d29c1dac723e6cfea7beb14513bae42f49f5045f0ac8c9a604ff184045491dd
Tags:	exeuser-SecuriteInfoCom
Infos:

Detection

GuLoader

Score:	76
Range:	0 - 100
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Joe Sandbox ML detected suspicious sample

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

JA3 SSL client fingerprint seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe (PID: 7408 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe" MD5: 32CB6AE82E91B97AC49E6DF5412698A5)

SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe (PID: 7880 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe" MD5: 32CB6AE82E91B97AC49E6DF5412698A5)

WerFault.exe (PID: 8056 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7880 -s 1928 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.2590367791.00000000021A9000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000000.00000002.2309623021.0000000005D19000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe PID: 7408	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T05:29:22.222978+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	49787	142.250.186.142	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Virustotal: Detection: 20%			Perma Link
Source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	ReversingLabs: Detection: 18%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 142.250.186.142:443 -> 192.168.2.4:49787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.212.129:443 -> 192.168.2.4:49796 version: TLS 1.2

Source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000001.2299194571.0000000000649000.00000008.00000001.01000000.00000009.sdmp
Source:	Binary string: mshtml.pdbUGP source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000001.2299194571.0000000000649000.00000008.00000001.01000000.00000009.sdmp

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Code function: 0_2_00405FFD FindFirstFileA,FindClose,	0_2_00405FFD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Code function: 0_2_0040559B GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_0040559B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Code function: 0_2_00402688 FindFirstFileA,	0_2_00402688

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49787 -> 142.250.186.142:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1HW-z32VgdxHAatMJ2j1S3-3Si0CkkZFB HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1HW-z32VgdxHAatMJ2j1S3-3Si0CkkZFB&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1HW-z32VgdxHAatMJ2j1S3-3Si0CkkZFB HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1HW-z32VgdxHAatMJ2j1S3-3Si0CkkZFB&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com

Source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000001.2299194571.0000000000649000.00000008.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000001.2299194571.00000000005F2000.00000008.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000001.2299194571.00000000005F2000.00000008.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000003.2386011859.00000000044FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000002.2593512147.0000000004488000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/R:c
Source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000002.2593512147.0000000004488000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/r:C
Source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000002.2593512147.00000000044C3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000002.2593512147.0000000004488000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000002.2593863216.0000000004720000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1HW-z32VgdxHAatMJ2j1S3-3Si0CkkZFB
Source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000002.2593512147.0000000004488000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1HW-z32VgdxHAatMJ2j1S3-3Si0CkkZFBl0
Source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000003.2422381970.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000003.2423017687.00000000044FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000002.2593660655.00000000044FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000002.2593660655.00000000044FC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000003.2386011859.00000000044FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1HW-z32VgdxHAatMJ2j1S3-3Si0CkkZFB&export=download
Source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000003.2422381970.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000003.2423017687.00000000044FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000002.2593660655.00000000044FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1HW-z32VgdxHAatMJ2j1S3-3Si0CkkZFB&export=downloadn.
Source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000001.2299194571.0000000000649000.00000008.00000001.01000000.00000009.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000003.2386011859.00000000044FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000003.2386011859.00000000044FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000003.2386011859.00000000044FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000003.2386011859.00000000044FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000003.2386011859.00000000044FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443

Source: unknown	HTTPS traffic detected: 142.250.186.142:443 -> 192.168.2.4:49787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.212.129:443 -> 192.168.2.4:49796 version: TLS 1.2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe

Code function: 0_2_00405050 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405050

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe

Code function: 0_2_004030D9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004030D9

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe

File created: C:\Windows\resources\0809

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Code function: 0_2_00406344		0_2_00406344
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Code function: 0_2_0040488F		0_2_0040488F

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7880 -s 1928

Source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000000.00000000.1837812609.0000000000436000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameundfangelsen resurceanvendelser.exeDVarFileInfo$ vs SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe
Source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000000.2296549764.0000000000436000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameundfangelsen resurceanvendelser.exeDVarFileInfo$ vs SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe
Source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000002.2593927021.0000000005F50000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAubriella.exe4 vs SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe
Source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Binary or memory string: OriginalFilenameundfangelsen resurceanvendelser.exeDVarFileInfo$ vs SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe

Source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal76.troj.evad.winEXE@4/30@2/2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe

0_2_004030D9

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe

Code function: 0_2_0040431C GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_0040431C

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe

Code function: 0_2_0040205E CoCreateInstance,MultiByteToWideChar,

0_2_0040205E

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe

File created: C:\Users\user\Slutafregningers175

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7880

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe

File created: C:\Users\user\AppData\Local\Temp\nsr9629.tmp

Jump to behavior

Source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Virustotal: Detection: 20%
Source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	ReversingLabs: Detection: 18%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7880 -s 1928
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe

File written: C:\Users\user\Slutafregningers175\ammunitionsfabrikkers\Enculturating.ini

Jump to behavior

Source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000001.2299194571.0000000000649000.00000008.00000001.01000000.00000009.sdmp
Source:	Binary string: mshtml.pdbUGP source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000001.2299194571.0000000000649000.00000008.00000001.01000000.00000009.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe PID: 7408, type: MEMORYSTR
Source: Yara match	File source: 00000004.00000002.2590367791.00000000021A9000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2309623021.0000000005D19000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe

Code function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_10001A5D

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe

Code function: 0_2_10002D20 push eax; ret

0_2_10002D4E

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe

File created: C:\Users\user\AppData\Local\Temp\nsrA3C7.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	API/Special instruction interceptor: Address: 5EF9C35
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	API/Special instruction interceptor: Address: 2389C35

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	RDTSC instruction interceptor: First address: 5E97B8C second address: 5E97B8C instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F3568E1487Fh 0x00000006 cmp bl, cl 0x00000008 inc ebp 0x00000009 test edx, 2A835423h 0x0000000f inc ebx 0x00000010 test cx, ax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	RDTSC instruction interceptor: First address: 2327B8C second address: 2327B8C instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F35687BF83Fh 0x00000006 cmp bl, cl 0x00000008 inc ebp 0x00000009 test edx, 2A835423h 0x0000000f inc ebx 0x00000010 test cx, ax 0x00000013 rdtsc

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsrA3C7.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Code function: 0_2_00405FFD FindFirstFileA,FindClose,	0_2_00405FFD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Code function: 0_2_0040559B GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_0040559B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Code function: 0_2_00402688 FindFirstFileA,	0_2_00402688

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000002.2593512147.00000000044E9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000002.2593512147.0000000004488000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000002.2593512147.00000000044E9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWY
Source: Amcache.hve.7.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000000.00000002.2303550043.0000000000478000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\3B
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	API call chain: ExitProcess graph end node			graph_0-4746
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	API call chain: ExitProcess graph end node			graph_0-4749

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe

Code function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_10001A5D

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe

Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe"

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe

Code function: 0_2_00405D1B GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405D1B

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	11 Masquerading	OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	1 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	23 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	21%	Virustotal		Browse
SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	19%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsrA3C7.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsrA3C7.tmp\System.dll	1%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
drive.google.com	142.250.186.142	true	false		high
drive.usercontent.google.com	216.58.212.129	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000001.2299194571.00000000005F2000.00000008.00000001.01000000.00000009.sdmp	false	high
https://www.google.com	SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000003.2386011859.00000000044FC000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.ftp.ftp://ftp.gopher.	SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000001.2299194571.0000000000649000.00000008.00000001.01000000.00000009.sdmp	false	high
https://drive.google.com/r:C	SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000002.2593512147.0000000004488000.00000004.00000020.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/	SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000003.2422381970.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000003.2423017687.00000000044FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000002.2593660655.00000000044FC000.00000004.00000020.00020000.00000000.sdmp	false	high
http://upx.sf.net	Amcache.hve.7.dr	false	high
https://drive.google.com/R:c	SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000002.2593512147.0000000004488000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000001.2299194571.00000000005F2000.00000008.00000001.01000000.00000009.sdmp	false	high
http://nsis.sf.net/NSIS_Error	SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	false	high
https://apis.google.com	SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000003.2386011859.00000000044FC000.00000004.00000020.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_ErrorError	SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe	false	high
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe, 00000004.00000001.2299194571.0000000000649000.00000008.00000001.01000000.00000009.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.186.142	drive.google.com	United States		15169	GOOGLEUS	false
216.58.212.129	drive.usercontent.google.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1617617
Start date and time:	2025-02-18 05:27:17 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe
Detection:	MAL
Classification:	mal76.troj.evad.winEXE@4/30@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 83% Number of executed functions: 55 Number of non-executed functions: 30
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 4.245.163.56, 13.107.246.45, 20.190.160.22
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
23:29:42	API Interceptor	1x Sleep call for process: WerFault.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	1638743478-734687553.8.exe	Get hash	malicious	Unknown	Browse	142.250.186.142 216.58.212.129
	rJustificante67.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	142.250.186.142 216.58.212.129
	rJustificante67.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.186.142 216.58.212.129
	SecuriteInfo.com.W32.PossibleThreat.6050.24821.exe	Get hash	malicious	Unknown	Browse	142.250.186.142 216.58.212.129
	SecuriteInfo.com.Win32.Trojan-Downloader.GuLoader.QAKJ8V.27372.733.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.186.142 216.58.212.129
	SecuriteInfo.com.W32.PossibleThreat.6050.24821.exe	Get hash	malicious	Unknown	Browse	142.250.186.142 216.58.212.129
	ZIOpctBE0o.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	142.250.186.142 216.58.212.129
	RFQ_SRC02252017-pdf.scr.exe	Get hash	malicious	GuLoader	Browse	142.250.186.142 216.58.212.129
	RFQ_SRC02252017-pdf.scr.exe	Get hash	malicious	GuLoader	Browse	142.250.186.142 216.58.212.129
	Nonmerchantable.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.186.142 216.58.212.129

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsrA3C7.tmp\System.dll	SecuriteInfo.com.Win32.Trojan-Downloader.GuLoader.QAKJ8V.27372.733.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	rquotation.exe	Get hash	malicious	Remcos, GuLoader	Browse
	z1QuotationSheetVSAA6656776.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	z1QuotationSheetVSAA6656776.exe	Get hash	malicious	GuLoader	Browse
	CdB3FZ9vyI.exe	Get hash	malicious	Unknown	Browse
	z65PurchaseOrderNo_0072024_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	z65PurchaseOrderNo_0072024_pdf.exe	Get hash	malicious	GuLoader	Browse
	Nondesistance.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Nondesistance.exe	Get hash	malicious	GuLoader	Browse
	Platosammine.exe	Get hash	malicious	FormBook, GuLoader	Browse

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0567155011220382
Encrypted:	false
SSDEEP:	384:8lzS9mylWuEBU/efljTzuiFBY4IO8KG7:SzWmyLEBU/efljTzuiFBY4IO8KG
MD5:	D7C86A9D0535D5EB8160A07E99660AB1
SHA1:	9BFDD793470DEA8881F529504BE55D24284BA6D8
SHA-256:	8FF3B6834F1A1A9260DFB5B5C976077020E269A8E0E3935A1538F57B706D280F
SHA-512:	0185D16F318A1CDE580DAFC4F1D61613799CFA70A7E185C363333484D9DE0134ADA6337B749A8736CDAAFBD93DEF1996897082A7600E5384847132F3DF21E334
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.4.3.2.6.5.6.6.3.6.3.1.8.2.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.4.3.2.6.5.6.6.8.0.0.6.8.3.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.5.9.e.9.3.0.9.-.0.3.7.b.-.4.e.8.d.-.9.0.b.0.-.d.6.1.5.4.6.b.8.8.d.d.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.5.f.a.c.a.a.1.-.9.c.f.4.-.4.7.e.7.-.b.a.d.6.-.4.8.8.e.b.a.4.2.5.5.7.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.i.n.3.2...E.v.o.-.g.e.n...2.6.1.3.7...1.9.7.5.7...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.u.n.d.f.a.n.g.e.l.s.e.n. .r.e.s.u.r.c.e.a.n.v.e.n.d.e.l.s.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.c.8.-.0.0.0.1.-.0.0.1.4.-.f.0.f.9.-.6.6.a.9.b.d.8.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.0.e.3.e.b.5.2.3.d.c.5.b.4.8.c.f.7.3.f.1.f.b.5.b.

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	47
Entropy (8bit):	4.628848957968553
Encrypted:	false
SSDEEP:	3:YOm45GXQLQIfLBJXmgxv:5TGXQkIP2I
MD5:	B895D576D6637A778B387B2FCA0F56EC
SHA1:	E78D2BE4D94673D612C16D29C330BB0C78778429
SHA-256:	BFEC1E97ED5D34825521D60B98986D1564CD159B4D1F9569EAE4C3464D2F5C47
SHA-512:	B4A771D1B517A2776BA440F79F168306C244DF1A6DE1966313157154D8D52BEAD8131B95F846C2F55C15382E04284FFFC6CF6ABF3F6FCFCB259DF2EA58D769E5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[Current]..Ini=user32::EnumWindows(i r1 ,i 0)..

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.951120046834256
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe
File size:	656'403 bytes
MD5:	32cb6ae82e91b97ac49e6df5412698a5
SHA1:	c1adc2d7d481fc1638676f7c87da93acd6e79318
SHA256:	3d29c1dac723e6cfea7beb14513bae42f49f5045f0ac8c9a604ff184045491dd
SHA512:	671ea9d45c21beeaece5f054c4fe9e67b1e20c62e05eb18c3fb00d47d988a40102b493c5c719e683804d71f48145e29c60898340b83ca9b4ec24d90ebeacbfb5
SSDEEP:	12288:1LVWnRxjpAholCSH+4l+JQtiJ7va2gsxytb0OmL2H8tEB2Ly6:1Lc/jp0ol7i+iNWsxZOmq8KALH
TLSH:	A5D4235596574A37FA62047015B2D133CBF0AD13763E231B33C26FBF3931AA5C99A226
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F...v...F...@...F.Rich..F.........................PE..L....z.W.................^.........

Entrypoint:	0x4030d9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x57017AA7 [Sun Apr 3 20:18:47 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b78ecf47c0a3e24a6f4af114e2d1f5de

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7428	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x36000	0x4748	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5c5b	0x5e00	3d4c7426917ca8533fbfc9cd63e19ba3	False	0.6603640292553191	data	6.411487375491561	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1246	0x1400	43fab6a80651bd97af8f34ecf44cd8ac	False	0.42734375	data	5.005029341587408	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1a7f8	0x400	00798d060e552892531c88ed1710ae2c	False	0.6376953125	data	5.108396988130901	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x24000	0x12000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x36000	0x4748	0x4800	aee2d632d6be6526458f55449bbb7ed1	False	0.5030924479166666	data	4.610743128074616	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x36298	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.512655601659751
RT_ICON	0x38840	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.5295497185741088
RT_ICON	0x398e8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6391843971631206
RT_DIALOG	0x39d50	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0x39e98	0x100	data	English	United States	0.5234375
RT_DIALOG	0x39f98	0x11c	data	English	United States	0.6091549295774648
RT_DIALOG	0x3a0b8	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x3a180	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x3a1e0	0x30	data	English	United States	0.8333333333333334
RT_VERSION	0x3a210	0x1f4	data	English	United States	0.552
RT_MANIFEST	0x3a408	0x340	XML 1.0 document, ASCII text, with very long lines (832), with no line terminators	English	United States	0.5540865384615384

DLL	Import
KERNEL32.dll	SetEnvironmentVariableA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, GetFileAttributesA, SetFileAttributesA, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, ExitProcess, GetFullPathNameA, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, CloseHandle, SetCurrentDirectoryA, MoveFileA, CompareFileTime, GetShortPathNameA, SearchPathA, lstrcmpiA, SetFileTime, lstrcmpA, ExpandEnvironmentStringsA, GlobalUnlock, GetDiskFreeSpaceA, GlobalFree, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, GlobalAlloc
USER32.dll	ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll	RegDeleteKeyA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyExA, RegEnumValueA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Description	Data
Comments	becut megalichthys
LegalTrademarks	flamboyantizes kiksets rakkeren
OriginalFilename	undfangelsen resurceanvendelser.exe
Translation	0x0409 0x04e4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 18, 2025 05:29:21.147430897 CET	64415	53	192.168.2.4	1.1.1.1
Feb 18, 2025 05:29:21.154531002 CET	53	64415	1.1.1.1	192.168.2.4
Feb 18, 2025 05:29:22.289282084 CET	50537	53	192.168.2.4	1.1.1.1
Feb 18, 2025 05:29:22.299707890 CET	53	50537	1.1.1.1	192.168.2.4

Timestamp	Bytes transferred	Direction	Data
2025-02-18 04:29:21 UTC	216	OUT	GET /uc?export=download&id=1HW-z32VgdxHAatMJ2j1S3-3Si0CkkZFB HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Host: drive.google.com Cache-Control: no-cache
2025-02-18 04:29:22 UTC	1610	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 18 Feb 2025 04:29:22 GMT Location: https://drive.usercontent.google.com/download?id=1HW-z32VgdxHAatMJ2j1S3-3Si0CkkZFB&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-rSqzu9xJ20sTG6LY9NXMdQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Timestamp	Bytes transferred	Direction	Data
2025-02-18 04:29:22 UTC	258	OUT	GET /download?id=1HW-z32VgdxHAatMJ2j1S3-3Si0CkkZFB&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2025-02-18 04:29:25 UTC	5014	IN	HTTP/1.1 200 OK X-GUploader-UploadID: AHMx-iGgXDe9_A5-BTEyc1_ty-CZODMx7cL2afolDYKtsu3J4YDsFmt_xdRVN5f78TGN0ZXacrutjLg Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="NhLbyJ0.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 208448 Last-Modified: Tue, 18 Feb 2025 00:54:16 GMT Date: Tue, 18 Feb 2025 04:29:25 GMT Expires: Tue, 18 Feb 2025 04:29:25 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=ydsSEA== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-02-18 04:29:25 UTC	5014	IN	Data Raw: 3d eb 9e ed 4d 32 b0 47 9c da a4 d7 4b 7d 05 59 30 08 64 7c b0 2b a4 40 c8 86 86 3e 77 68 cd 49 3b 04 20 02 b2 38 d0 26 c8 dd d2 07 62 84 4d b2 76 74 51 73 ef 7b 9f bd 84 75 64 f4 2a d5 7e af 46 68 67 9e a3 09 a5 1e 1b c3 87 90 86 66 91 e2 fe 37 42 de 01 89 17 89 78 92 49 3e 47 e7 f7 88 4b 8f 3b fd 00 cc 19 57 91 01 67 50 53 9b 6f b1 54 cd 49 30 3b 5b 7e 48 9b 2e b7 ab 71 c6 5b 1c 64 b3 da 10 57 97 d5 75 68 af 2c 07 c0 d4 18 00 40 d0 e8 39 18 71 d7 27 71 ff 46 4d db 79 49 41 4e f8 39 59 bf cc 5a 98 be 18 64 61 80 39 77 67 bf ed 8f 3f 2c 6d 51 ab d6 43 74 e7 a8 70 b6 ca ff e6 c1 d5 73 67 da 5e 7e 98 0b 7d c4 39 f8 af 3d c0 0c 64 5c f9 35 6b 77 4b 71 c1 35 48 1a 8c 08 43 03 d4 8e 89 0e f5 33 a0 4a da f8 24 d7 63 43 0d 66 07 dd fd d9 aa 5c 57 c9 d2 c8 e4 ff Data Ascii: =M2GK}Y0d\|+@>whI; 8&bMvtQs{ud*~Fhgf7BxI>GK;WgPSoTI0;[~H.q[dWuh,@9q'qFMyIAN9YZda9wg?,mQCtpsg^~}9=d\5kwKq5HC3J$cCf\W
2025-02-18 04:29:25 UTC	4668	IN	Data Raw: cd f0 8a 9f 08 be 8d 3c 48 74 cb e1 7e 02 41 9e 22 0d 60 69 30 52 ef ae 42 50 de 77 80 0e c1 ca 62 d0 25 1c b4 7b 44 5e e9 91 8e bc cd dd a7 79 70 1c ad 08 ed f2 86 08 a6 29 a1 8f 49 30 e0 6b ad cd a8 28 35 e2 4a 47 00 42 b7 b8 b6 1f f6 73 75 1d 9c a2 9d 8b 65 89 1f 0d 82 b1 30 5f 01 7a c7 e4 b9 fb 74 03 9a 0d 14 2d aa 6c 4b 17 48 8c 4b 37 1c 12 1d 17 f8 b7 a2 95 5c 6c 42 b0 9f f6 e5 34 63 8e 82 66 d8 df 35 68 40 c8 c4 e8 b5 21 a8 3a 5f e6 bf df 91 cb 44 10 69 db 3e fa 6a 87 e3 91 91 1a ef d0 d8 5f c3 0a 62 8a 7f 88 27 2b 0f b7 98 ea 62 4f ff 06 d8 58 d7 c1 4c 08 ff a8 d1 3e ad b3 16 d7 06 58 c2 2a 8b 12 6b 18 ec 7d 8f 3a 4e 8c 08 54 d5 4f 0f 5a dc 48 b1 36 0f d5 ae b3 f9 bc 66 93 b5 14 ff f6 a6 0c 68 2b 7f d2 88 f7 94 79 83 bb d0 b0 0e 08 6e 29 4a 87 f2 Data Ascii: <Ht~A"`i0RBPwb%{D^yp)I0k(5JGBsue0_zt-lKHK7\lB4cf5h@!:_Di>j_b'+bOXL>X*k}:NTOZH6fh+yn)J
2025-02-18 04:29:25 UTC	1324	IN	Data Raw: 04 20 15 23 d0 48 54 6e 9d 98 d0 a6 60 ac 95 13 07 d8 3d 89 63 3a c0 4d e9 c9 a8 5d b3 4b 31 72 1c c5 5f 9b de 42 26 33 5f 3b 1d fa 1b e3 c2 60 41 d0 35 52 bd c6 8d 08 ba e8 8b 1e 4e 27 d1 46 44 58 24 32 37 58 64 d0 6c b6 be b1 7d 15 e4 d4 5a 14 28 db 63 5d 15 e8 48 99 91 13 59 72 1a 63 88 0c f7 36 df b4 9b 12 5f 79 62 9c 24 e8 aa e1 38 27 33 ff 7c db 5b 27 99 f1 d1 bd e2 c3 f2 3b a8 37 51 ae 00 9d 27 a5 89 90 9a 52 a2 1c ae ff 33 27 54 e7 37 64 74 1f bb 4e 58 12 0b da 4d a9 04 bf 21 06 6d dd 01 2f 16 95 fe ce 63 5a ff 81 e3 e2 61 2a 75 c2 13 35 8c 9d 31 62 9a 0a 3d 54 cd 69 c2 2f c3 c0 eb 70 79 ce e8 bc ce 01 d8 4c d5 df 3b 44 de 4a 15 12 84 d5 3e 61 07 05 59 b7 00 91 63 0d f6 92 49 21 5c 52 d1 22 61 a0 83 00 ea f0 77 75 bd f4 42 fc d2 03 30 8c f5 d7 6d Data Ascii: #HTn`=c:M]K1r_B&3_;`A5RN'FDX$27Xdl}Z(c]HYrc6_yb$8'3\|[';7Q'R3'T7dtNXM!m/cZa*u51b=Ti/pyL;DJ>aYcI!\R"awuB0m
2025-02-18 04:29:25 UTC	1390	IN	Data Raw: ac 01 11 f6 ee c0 bd 48 8c ed 24 e5 65 84 26 93 06 07 1c 0e 08 53 a2 ae fa ac a0 48 eb b1 bb dc 83 7d 95 b0 fe ee 84 e7 de 76 e4 b6 79 22 fe 9e f6 ad 94 b5 6f 99 07 fd 66 72 ed 87 3d 41 82 9a 0d 24 82 59 3d 55 e1 ff 5b 9a d3 2c 29 8a 59 1b c1 7a f3 9d 1b cb 3a 12 08 73 e3 64 cc 81 b7 90 48 9d 70 2c 35 aa 79 d2 24 fc dc ca f0 eb 50 df d2 64 27 d4 7f ff 3c 3a 5b b0 da ec 6c 11 c6 ad 6e 96 66 f8 8b 4d c4 3f e8 03 c8 74 bf 14 2b 0e ae 62 e5 e4 9b cc 64 07 bd fd d6 57 03 0e 77 de 3b 2f c0 9e 11 8b e2 93 bf a3 46 74 f9 ec ff 21 41 f8 ac c5 57 72 0f 67 3c 07 d3 a7 6b 06 41 7f fd bc 8f d2 37 37 fc fa 22 57 26 da c0 fd 37 ae ce 4e 5c 25 5a 33 ab 75 86 c5 8e 58 6f 7d 0f bb 51 09 78 30 2a 96 d1 d1 ed 16 4f 37 23 5e 28 fc 17 eb 14 2b ef b8 51 3e 22 a0 16 e4 40 d7 9f Data Ascii: H$e&SH}vy"ofr=A$Y=U[,)Yz:sdHp,5y$Pd'<:[lnfM?t+bdWw;/Ft!AWrg<kA77"W&7N\%Z3uXo}Qx0*O7#^(+Q>"@
2025-02-18 04:29:25 UTC	1390	IN	Data Raw: 01 04 ea 9f 6d 48 a8 22 e0 bd 2e e7 cd d9 73 ed 44 24 d4 5d ea 4f 08 ea c2 e6 58 4e 52 69 4f 43 0c 05 5c c7 ed d8 30 74 ca 2e 2a c2 17 a2 f0 c4 2d 43 9a f1 97 89 e4 08 d5 89 43 e9 3a c6 2c 3b 73 6e af 32 e2 a1 61 da c0 14 ba 33 c3 ff 3f c9 6d e3 39 68 38 10 39 f6 9a df 81 83 50 51 51 99 b6 10 26 34 ce a8 9d 8f 3f 47 6c 2d 71 b9 61 6b ef c0 ab 8c c3 69 80 25 1b b4 83 95 3a 9f 6f 59 68 6c e5 57 0e f4 b4 2d ec 2a 2d 27 ab 1e 23 2b 21 f6 93 39 27 9d 86 ee 2d a1 2f ee a0 69 45 da c1 a1 e4 d8 1b c1 04 94 cb ba 95 4c 6a d7 97 b5 92 d5 2a 77 0b 87 36 b3 ab 50 6e 10 c1 16 89 3e 3a e8 dc e3 c3 e6 0f 55 91 ee 06 d0 c0 c4 48 d4 24 c0 5f 7d a8 d2 da e6 6f 63 5c 60 6f 57 bd fc b7 37 a4 b3 08 9d c7 e2 7d 59 02 87 69 cb d0 08 1b ea ec 6c 9d d7 4d 91 ac 53 ef 42 b2 17 9f Data Ascii: mH".sD$]OXNRiOC\0t.-CC:,;sn2a3?m9h89PQQ&4?Gl-qaki%:oYhlW--'#+!9'-/iELj*w6Pn>:UH$_}oc\`oW7}YilMSB
2025-02-18 04:29:25 UTC	1390	IN	Data Raw: 8d d9 39 41 10 ca ef 43 2b d5 7b 83 d8 5c 82 92 0e 15 c1 85 6e 7a 60 8b 2d f0 88 8a 32 31 ce f6 b1 2c 73 75 d0 42 17 97 23 0b 5d e8 12 9a 52 af 6b 8d 49 d0 ce b4 dc f9 0a 18 3e ec 54 da 93 bf 85 02 d8 c7 01 d0 03 9b fb 70 dc ce ea e3 ae 07 a6 54 ef b0 c5 fe d4 1a 97 9c a3 2d 3c cc 8e 07 c2 62 c5 85 56 4c 49 54 29 42 f5 ed 47 e0 1b b8 c0 d8 82 f9 48 cb ef 0d bc 2e 72 a5 6d c6 b0 f1 fb d2 54 26 c3 99 bf 86 c4 c0 b4 a7 05 d1 44 a8 74 8b fa e4 f5 33 c9 d9 39 46 b4 bf e7 ec 61 a0 2d f3 68 12 c3 ac 14 e6 76 32 c6 8b f2 25 3e b0 f4 c5 c6 53 b1 0c b4 09 b6 74 c4 92 3e 04 38 b3 17 dc a9 3f 4b be 56 82 2f 2c ae fc 77 e3 60 b4 85 9f 8b 04 7a 17 42 69 ff 34 1c c1 51 d3 f8 50 da e8 a9 6d 9f 37 6f 09 4c 6c be e4 34 50 f9 a2 08 73 ee fc 03 c5 5f 19 30 c5 f7 b1 37 3b 2a Data Ascii: 9AC+{\nz`-21,suB#]RkI>TpT-<bVLIT)BGH.rmT&Dt39Fa-hv2%>St>8?KV/,w`zBi4QPm7oLl4Ps_07;*
2025-02-18 04:29:25 UTC	1390	IN	Data Raw: 86 d1 91 b5 37 0e d7 e1 9a 43 02 c5 a3 10 8d ad 24 3c 2b bd 3c 76 85 1b 6a 77 53 71 9b f4 d2 f8 c0 25 6b 76 f4 44 58 65 db 8c 14 60 e3 0f 7e 4c b6 d5 ad f7 81 d9 62 e6 25 5c 92 b0 36 85 2b c3 58 b1 3a db 83 ba 07 4d f6 14 11 d5 04 94 b4 28 9d d2 61 94 9f 54 bd 4f 17 ac 6a 8f d0 f6 21 10 63 f8 18 a9 66 33 ad e4 8f f5 e4 e1 3f 4e 03 41 89 71 64 37 27 84 cf 33 db 91 27 74 f1 92 d5 c1 11 09 68 23 22 02 ef 4b 40 4f 21 fe 90 cf f8 bf 0c 6b a1 e1 90 50 c7 68 13 66 8e 0d e3 ef 8a be 9f 90 af 28 bb 98 5c 2b 1e e5 f4 b2 53 39 ec cb dd a8 4e 70 49 2e f9 5b 3d be d2 d6 de 53 b8 4e 0b 09 36 e9 f5 82 2b 96 1f c3 87 ab b2 ed 81 61 bf 34 36 ce 8a 4b 9c 77 d0 e9 bf c1 b8 0c e5 0b b2 8c 4e ed 3b 09 6c 5b c3 e9 ad a7 ac 64 ec 75 50 44 0f 50 b0 1d 1e cb 63 2b c0 b5 a8 68 d3 Data Ascii: 7C$<+<vjwSq%kvDXe`~Lb%\6+X:M(aTOj!cf3?NAqd7'3'th#"K@O!kPhf(\+S9NpI.[=SN6+a46KwN;l[duPDPc+h
2025-02-18 04:29:25 UTC	1390	IN	Data Raw: bf cc 3e b1 fb 74 62 87 66 ed 23 08 2a af 73 1b aa 95 a4 5f 75 4d a6 e9 a5 fb 74 88 d9 9e ce 1c bc 29 1a c9 56 48 6f 77 e3 08 8a 29 09 65 68 e9 f1 db 9e 3d c9 f2 b8 0e 71 1e c8 27 d8 56 f2 af a8 b3 48 e7 02 24 52 cc 4e b7 65 c6 05 aa 57 bf e1 56 aa de 27 dd bc 52 9e cc 13 0a 17 f0 bf 92 af f4 c5 53 ec 1a 96 30 70 13 ce cd 9f 3e dd 0d 44 38 69 3f e5 6e ae db 9a a2 2e 92 22 61 63 d4 fe 39 d4 c3 2b 39 ab 82 3f 6e 68 48 e6 11 23 1f f8 75 cf 7b 37 d5 9c df c6 8d 44 f3 6e 97 46 8f 25 7d e1 77 62 dc 30 44 da 9a 86 c0 46 59 6a 4b 13 a0 26 9a f9 65 97 d0 51 da 1e 65 cb 22 f9 65 80 2e 83 8d 6d 9f 8f 58 4c 73 de e2 27 f6 13 4b 2c cf 4b ff 94 eb 67 9f 53 9b ab cc 84 98 ce b2 50 7f 64 c4 26 da a9 67 24 37 4d 73 42 b8 c1 79 ff aa 95 8a 5f 83 9e 7b d2 d4 db 43 92 5f d7 Data Ascii: >tbf#*s_uMt)VHow)eh=q'VH$RNeWV'RS0p>D8i?n."ac9+9?nhH#u{7DnF%}wb0DFYjK&eQe"e.mXLs'K,KgSPd&g$7MsBy_{C_
2025-02-18 04:29:25 UTC	1390	IN	Data Raw: 8a b6 6c c0 48 f2 89 66 45 97 06 57 5b 11 93 35 de 2c c2 b4 c0 8c 2f 0e 5a 40 66 01 93 99 3f 49 78 30 8d 49 6a 4f c3 c8 4c 0d 71 67 de 49 13 bb c8 77 18 32 36 77 a8 40 2d fb ca 01 89 86 b3 3f 8f 85 36 45 7f 15 3d 64 4a 41 9d d0 66 6f 2b 71 1d df 82 36 69 c8 ee 2b 8c 5e 52 ec 30 a2 9e 94 d4 71 00 6f b2 7c 8b 04 ef 93 80 04 0c 66 38 30 e9 13 7b a3 9a 94 62 d0 eb aa 8b 03 63 c9 7c bf 8e e3 8b 31 b8 14 02 fe fb da 96 b9 28 52 de 2b 50 2e 03 1a 52 b1 e1 a5 0a 85 26 eb 11 6f 28 23 95 34 cf 7a 35 d5 35 d6 11 f3 12 8d b8 8b 65 27 a5 0d e5 9e cf 37 f5 ac 5f f8 a9 e3 95 a5 c6 ec e3 f8 f9 18 33 5a bf bc 03 02 68 92 50 1b 26 d9 22 1a 1a 87 11 1c b3 6a 57 2d ae cc 2f 7c 2f 50 a0 13 ed 05 9e 39 93 1d 72 49 d3 64 5c 43 47 a1 a9 5a dc 9e 04 4e cf 2e 2c 28 93 7c 2c 7a 46 Data Ascii: lHfEW[5,/Z@f?Ix0IjOLqgIw26w@-?6E=dJAfo+q6i+^R0qo\|f80{bc\|1(R+P.R&o(#4z55e'7_3ZhP&"jW-/\|/P9rId\CGZN.,(\|,zF
2025-02-18 04:29:25 UTC	1390	IN	Data Raw: b1 76 f0 ff 9a eb 85 0b af 49 b8 81 13 73 15 c4 8b cc 25 e3 60 9c 48 e5 fa e6 ce 90 7d 7f 96 5f a6 f7 53 af 16 31 9e 19 76 d5 c9 bf 80 f8 27 44 e7 3f de 35 a8 7a 3a 40 1a 3f c6 5c 54 97 b6 69 3e e4 1e 69 80 42 5c ff 1a 47 5e 16 93 dc 9e 52 29 7a b6 21 06 bf ae 3e 62 9a 0a 7a cc 25 e2 a3 35 af 54 30 ad 77 49 10 f0 6b 26 cb d9 d1 c7 1e 43 de fe b8 5a 25 0c 73 21 a8 24 4a b6 3a e4 76 8e b4 61 49 d0 b8 d0 a8 72 38 bf fe ba 68 69 82 8a c9 87 05 3c 15 f4 0f 4f bd 2a 3a fb b5 5f fa 65 06 68 52 02 46 0d 79 5a 80 e5 7e 93 8c 41 1e ed a1 03 df 5e a6 9c 7a 47 b1 48 27 42 c5 f5 79 3b 56 97 b1 58 97 22 2b e8 59 51 15 17 14 f2 fa 45 77 73 74 a0 03 66 33 7e b0 5f d0 7d 03 b8 a6 3b f5 22 3b ff c7 51 ca aa 1b 07 b5 47 7f 54 05 45 85 37 07 fc a4 fc 8e 1f 31 4a 00 bc 57 7c Data Ascii: vIs%`H}_S1v'D?5z:@?\Ti>iB\G^R)z!>bz%5T0wIk&CZ%s!$J:vaIr8hi<O*:_ehRFyZ~A^zGH'By;VX"+YQEwstf3~_};";QGTE71JW\|

Target ID:	0
Start time:	23:28:26
Start date:	17/02/2025
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe"
Imagebase:	0x400000
File size:	656'403 bytes
MD5 hash:	32CB6AE82E91B97AC49E6DF5412698A5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2309623021.0000000005D19000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	4
Start time:	23:29:12
Start date:	17/02/2025
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe"
Imagebase:	0x400000
File size:	656'403 bytes
MD5 hash:	32CB6AE82E91B97AC49E6DF5412698A5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000002.2590367791.00000000021A9000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	7
Start time:	23:29:26
Start date:	17/02/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7880 -s 1928
Imagebase:	0x470000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_dea5f4cbbede997debaeaf9f2b4a67da6214122_f62e02de_859e9309-037b-4e8d-90b0-d61546b88dd4\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7E08.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7EF4.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7F24.tmp.xml

C:\Users\user\AppData\Local\Temp\Alpha.ini

C:\Users\user\AppData\Local\Temp\nsdA763.tmp

C:\Users\user\AppData\Local\Temp\nse9BE7.tmp

C:\Users\user\AppData\Local\Temp\nsrA3C7.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nsrAFE1.tmp

C:\Users\user\AppData\Local\Temp\nsxA436.tmp

C:\Users\user\AppData\Local\Temp\nszAA52.tmp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Helveders.ini

C:\Users\user\Slutafregningers175\ammunitionsfabrikkers\Enculturating.ini

C:\Users\user\Slutafregningers175\ammunitionsfabrikkers\Innaturally.Adr

C:\Users\user\Slutafregningers175\ammunitionsfabrikkers\Jaspoid\Sfarer248.rgs

C:\Users\user\Slutafregningers175\ammunitionsfabrikkers\Jaspoid\Snorelofts.sam

C:\Users\user\Slutafregningers175\ammunitionsfabrikkers\Jaspoid\Svanehalsens40.ini

C:\Users\user\Slutafregningers175\ammunitionsfabrikkers\Jaspoid\aeroenterectasia.txt

C:\Users\user\Slutafregningers175\ammunitionsfabrikkers\Jaspoid\bovnende.ini

Windows Analysis Report
SecuriteInfo.com.Win32.Evo-gen.26137.19757.exe