
Windows Analysis Report
15Er6ACahF.exe

Overview

General Information

Sample name: 15Er6ACahF.exe (renamed because the original name is a hash value)
Original sample name: 76fe569a0452a49e3101eb393e0c871faee725269b3a512c6f3f27e21b27e2e8.exe
Analysis ID: 1631809
MD5: 101069a235a97ccc62948b1b41dc81d3
SHA1: c86fa56f0213bb7ffb58f765a778f75c1ba27211
SHA256: 76fe569a0452a49e3101eb393e0c871faee725269b3a512c6f3f27e21b27e2e8
Tags: exe, user-adrian__luca

Detection

GuLoader
Score: 68
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Joe Sandbox ML detected suspicious sample
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
PE file contains executable resources (Code or Archives)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • 15Er6ACahF.exe (PID: 772 cmdline: "C:\Users\user\Desktop\15Er6ACahF.exe" MD5: 101069A235A97CCC62948B1B41DC81D3)
    • 15Er6ACahF.exe (PID: 7584 cmdline: "C:\Users\user\Desktop\15Er6ACahF.exe" MD5: 101069A235A97CCC62948B1B41DC81D3)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution | (none) | https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

No configs have been found

Source | Rule | Description | Author | Strings
0000000A.00000002.3171382675.000000000228C000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | (none)
00000000.00000002.3016389391.0000000003C6C000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | (none)

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T16:23:39.226887+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49695 | 142.250.185.238 | 443 | TCP

AV Detection

Source: 15Er6ACahF.exe | Virustotal: Detection: 68%
Source: 15Er6ACahF.exe | ReversingLabs: Detection: 55%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 15Er6ACahF.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 142.250.185.238:443 -> 192.168.2.5:49695 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.186.97:443 -> 192.168.2.5:49696 version: TLS 1.2
Source: 15Er6ACahF.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Code function: 0_2_004065C7 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Code function: 0_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Code function: 0_2_00402868 FindFirstFileW
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Code function: 10_2_00402868 FindFirstFileW
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Code function: 10_2_004065C7 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Code function: 10_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49695 -> 142.250.185.238:443
Source: global traffic | HTTP traffic detected:
    GET /uc?export=download&id=1POFBgkxMovQv_E2NS7Qsz-5k2NK9boRy HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
    Host: drive.google.com
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    GET /download?id=1POFBgkxMovQv_E2NS7Qsz-5k2NK9boRy&export=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: drive.google.com
Source: global traffic | DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    X-GUploader-UploadID: AKDAyItfaYdNmUa7A2HFF2GnfD9BKdHUKfnvp9rtub_f9cg97KoefRJzc2-_g1ChD3qdWNUqvAMC6TM
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Fri, 07 Mar 2025 15:23:41 GMT
    P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'nonce-fXgLpaajMYd-OPIzXnyN_Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
    Cross-Origin-Opener-Policy: same-origin
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Content-Length: 1652
    Server: UploadServer
    Set-Cookie: NID=522=Dl7OPI-4u4_tGbSWN2Uip72ezF-sU9gxfDVkIdv9Z5T_p9-tNAQR3gJD0mfStHGcHGfnQ5tzBDlUe4De4VjNhNB6YESQextopw5LbskIkmbgMwTzq5YtZsAzik-pio857XsO0ZFkZLAP4-C6NdNIDC93cqvUz8ErOGj0lMo8AyyuXrwC6t6NINJkOSIWKlmR; expires=Sat, 06-Sep-2025 15:23:41 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
    Connection: close
Source: 15Er6ACahF.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 15Er6ACahF.exe, 0000000A.00000003.3126277202.000000000531F000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000A.00000002.3175044862.0000000005318000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000A.00000003.3157019419.0000000005318000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000A.00000002.3174912924.00000000052E4000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000A.00000003.3126217926.000000000531F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
Source: 15Er6ACahF.exe, 0000000A.00000002.3174912924.00000000052A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/
Source: 15Er6ACahF.exe, 0000000A.00000002.3175245418.0000000006CC0000.00000004.00001000.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000A.00000002.3174912924.00000000052E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1POFBgkxMovQv_E2NS7Qsz-5k2NK9boRy
Source: 15Er6ACahF.exe, 0000000A.00000002.3174912924.00000000052E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1POFBgkxMovQv_E2NS7Qsz-5k2NK9boRy3
Source: 15Er6ACahF.exe, 0000000A.00000002.3174912924.00000000052E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1POFBgkxMovQv_E2NS7Qsz-5k2NK9boRyg
Source: 15Er6ACahF.exe, 0000000A.00000002.3175044862.0000000005318000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000A.00000003.3157019419.0000000005318000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/
Source: 15Er6ACahF.exe, 0000000A.00000002.3174912924.00000000052A8000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000A.00000003.3126277202.000000000531F000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000A.00000002.3175044862.0000000005318000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000A.00000002.3174912924.0000000005309000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000A.00000003.3157019419.0000000005318000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000A.00000002.3174912924.00000000052FD000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000A.00000002.3174912924.0000000005303000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000A.00000003.3126217926.000000000531F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1POFBgkxMovQv_E2NS7Qsz-5k2NK9boRy&export=download
Source: 15Er6ACahF.exe, 0000000A.00000002.3175044862.0000000005318000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000A.00000003.3157019419.0000000005318000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1POFBgkxMovQv_E2NS7Qsz-5k2NK9boRy&export=downloadid
Source: 15Er6ACahF.exe, 0000000A.00000002.3175044862.0000000005318000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000A.00000003.3157019419.0000000005318000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1POFBgkxMovQv_E2NS7Qsz-5k2NK9boRy&export=downloadn
Source: 15Er6ACahF.exe, 0000000A.00000002.3175044862.0000000005318000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000A.00000003.3157019419.0000000005318000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1POFBgkxMovQv_E2NS7Qsz-5k2NK9boRy&export=downloadt
Source: 15Er6ACahF.exe, 0000000A.00000003.3126277202.000000000531F000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000A.00000002.3175044862.0000000005318000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000A.00000003.3157019419.0000000005318000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000A.00000002.3174912924.00000000052E4000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000A.00000003.3126217926.000000000531F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com
Source: 15Er6ACahF.exe, 0000000A.00000003.3126277202.000000000531F000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000A.00000002.3175044862.0000000005318000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000A.00000003.3157019419.0000000005318000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000A.00000002.3174912924.00000000052E4000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000A.00000003.3126217926.000000000531F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com;report-uri
Source: 15Er6ACahF.exe, 0000000A.00000003.3126277202.000000000531F000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000A.00000002.3175044862.0000000005318000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000A.00000003.3157019419.0000000005318000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000A.00000002.3174912924.00000000052E4000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000A.00000003.3126217926.000000000531F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: 15Er6ACahF.exe, 0000000A.00000003.3126277202.000000000531F000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000A.00000002.3175044862.0000000005318000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000A.00000003.3157019419.0000000005318000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000A.00000002.3174912924.00000000052E4000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000A.00000003.3126217926.000000000531F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com
Source: 15Er6ACahF.exe, 0000000A.00000003.3126277202.000000000531F000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000A.00000002.3175044862.0000000005318000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000A.00000003.3157019419.0000000005318000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000A.00000002.3174912924.00000000052E4000.00000004.00000020.00020000.00000000.sdmp, 15Er6ACahF.exe, 0000000A.00000003.3126217926.000000000531F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
Source: unknown | Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown | Network traffic detected: HTTP traffic on port 49696 -> 443
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Code function: 0_2_0040542B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Code function: 0_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Code function: 10_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Code function: 0_2_00404C68
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Code function: 0_2_0040698E
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Code function: 0_2_6E6A1B5F
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Code function: 10_2_00404C68
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Code function: 10_2_0040698E
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Code function: String function: 00402C41 appears 51 times
Source: 15Er6ACahF.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 15Er6ACahF.exe | Binary or memory string: OriginalFilenamedovetailwise.exeN vs 15Er6ACahF.exe
Source: classification engine | Classification label: mal68.troj.evad.winEXE@3/14@2/2
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Code function: 0_2_004046EC GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Code function: 0_2_00402104 CoCreateInstance
Source: C:\Users\user\Desktop\15Er6ACahF.exe | File created: C:\Users\user\spinsterishly
Source: C:\Users\user\Desktop\15Er6ACahF.exe | File created: C:\Users\user\AppData\Local\Temp\nsaAFC0.tmp
Source: 15Er6ACahF.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\15Er6ACahF.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\15Er6ACahF.exe | File read: C:\Users\user\Desktop\15Er6ACahF.exe
Source: unknown | Process created: C:\Users\user\Desktop\15Er6ACahF.exe "C:\Users\user\Desktop\15Er6ACahF.exe"
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Process created: C:\Users\user\Desktop\15Er6ACahF.exe "C:\Users\user\Desktop\15Er6ACahF.exe"
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: timelanges.lnk.0.dr | LNK file: ..\..\..\Program Files (x86)\Common Files\prgedes.paa
Source: timelanges.lnk0.0.dr | LNK file: ..\..\..\Program Files (x86)\Common Files\prgedes.paa

Data Obfuscation

Source: Yara match | File source: 0000000A.00000002.3171382675.000000000228C000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3016389391.0000000003C6C000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Code function: 0_2_6E6A1B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW
Source: C:\Users\user\Desktop\15Er6ACahF.exe | File created: C:\Users\user\AppData\Local\Temp\nsxB484.tmp\System.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\15Er6ACahF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\15Er6ACahF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\15Er6ACahF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\15Er6ACahF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\15Er6ACahF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\15Er6ACahF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\15Er6ACahF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\15Er6ACahF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\15Er6ACahF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\15Er6ACahF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\15Er6ACahF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\15Er6ACahF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\15Er6ACahF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\15Er6ACahF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\15Er6ACahF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\15Er6ACahF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\15Er6ACahF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\15Er6ACahF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\15Er6ACahF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\15Er6ACahF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\15Er6ACahF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\15Er6ACahF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\15Er6ACahF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\15Er6ACahF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\15Er6ACahF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\15Er6ACahF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\15Er6ACahF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\15Er6ACahF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\15Er6ACahF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\15Er6ACahF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\15Er6ACahF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\15Er6ACahF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion

      barindex
Source: C:\Users\user\Desktop\15Er6ACahF.exe API/Special instruction interceptor: Address: 45EC375
Source: C:\Users\user\Desktop\15Er6ACahF.exe API/Special instruction interceptor: Address: 2C0C375
Source: C:\Users\user\Desktop\15Er6ACahF.exe RDTSC instruction interceptor: First address: 45C33D0 second address: 45C33D0 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F4F047C46BAh 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\15Er6ACahF.exe RDTSC instruction interceptor: First address: 2BE33D0 second address: 2BE33D0 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F4F04CDC73Ah 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\15Er6ACahF.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxB484.tmp\System.dll
Source: C:\Users\user\Desktop\15Er6ACahF.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\15Er6ACahF.exe Code function: 0_2_004065C7 FindFirstFileW,FindClose, 0_2_004065C7
Source: C:\Users\user\Desktop\15Er6ACahF.exe Code function: 0_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405996
Source: C:\Users\user\Desktop\15Er6ACahF.exe Code function: 0_2_00402868 FindFirstFileW, 0_2_00402868
Source: C:\Users\user\Desktop\15Er6ACahF.exe Code function: 10_2_00402868 FindFirstFileW, 10_2_00402868
Source: C:\Users\user\Desktop\15Er6ACahF.exe Code function: 10_2_004065C7 FindFirstFileW,FindClose, 10_2_004065C7
Source: C:\Users\user\Desktop\15Er6ACahF.exe Code function: 10_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 10_2_00405996
Source: 15Er6ACahF.exe, 0000000A.00000002.3174912924.0000000005309000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 15Er6ACahF.exe, 0000000A.00000002.3174912924.00000000052A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWH
Source: C:\Users\user\Desktop\15Er6ACahF.exe API call chain: ExitProcess graph end node graph_0-4880
Source: C:\Users\user\Desktop\15Er6ACahF.exe API call chain: ExitProcess graph end node graph_0-4883
Source: C:\Users\user\Desktop\15Er6ACahF.exe Code function: 0_2_6E6A1B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_6E6A1B5F
Source: C:\Users\user\Desktop\15Er6ACahF.exe Process created: C:\Users\user\Desktop\15Er6ACahF.exe "C:\Users\user\Desktop\15Er6ACahF.exe"
Source: C:\Users\user\Desktop\15Er6ACahF.exe Code function: 0_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403359
MITRE ATT&CK Matrix (techniques listed per tactic column; the number in parentheses is the count the report attaches to that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Native API (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Access Token Manipulation (1); Process Injection (11); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Masquerading (1); Access Token Manipulation (1); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (21); File and Directory Discovery (2); System Information Discovery (23); System Network Configuration Discovery; Internet Connection Discovery; Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Clipboard Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (14); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.