
Windows Analysis Report
employee record_pdf.bat.exe

Overview

General Information

Sample name: employee record_pdf.bat.exe
Analysis ID: 1632165
MD5: d00a5d4d5c3e9d9b767608fcc6f7aded
SHA1: 3cb85f4f53c98a37636c3d0ece582d4f5abb9be0
SHA256: f23bf9e69da8ae73fc237cd65ee954f30ac1f9f009915a50252d3085b47e71dd
Tags: bat, exe, RemcosRAT, user-abuse_ch

Detection

GuLoader
Score: 88
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • employee record_pdf.bat.exe (PID: 6748, cmdline: "C:\Users\user\Desktop\employee record_pdf.bat.exe", MD5: D00A5D4D5C3E9D9B767608FCC6F7ADED)
    • employee record_pdf.bat.exe (PID: 2412, cmdline: "C:\Users\user\Desktop\employee record_pdf.bat.exe", MD5: D00A5D4D5C3E9D9B767608FCC6F7ADED)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is XORed.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
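The Malpedia entry above says the second stage is delivered XOR-encrypted. The block below is an added example, not code from Joe Sandbox, Malpedia or the GuLoader authors: it shows the generic known-plaintext approach for recovering a repeating XOR key from an encrypted PE download, assuming the payload is a PE image whose DOS header begins with the canonical Microsoft-linker bytes and that the key is a plain repeating byte string. The fake PE image and the key `k3y-for-demo!` are constructed for the demonstration; the page does not describe how this sample derives its key, and in this analysis every download attempt was answered with 403, so no real payload was available.

```python
import struct

# Canonical MS-DOS header bytes at offsets 0x00-0x3B as written by the Microsoft
# linker (e_magic "MZ", e_cblp 0x90, e_cp 3, e_cparhdr 4, e_maxalloc 0xFFFF,
# e_sp 0xB8, e_lfarlc 0x40, then reserved zeros). e_lfanew at 0x3C varies per
# file, so it is deliberately not part of the known plaintext.
KNOWN_DOS_PREFIX = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00" + b"\x00" * 32
)


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (XOR is its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(blob: bytes, max_key_len: int = len(KNOWN_DOS_PREFIX)):
    """Known-plaintext attack on a repeating-key XOR: derive a candidate key of
    each length from the canonical DOS header, drop lengths that do not
    reproduce the whole known prefix, and confirm the survivor by finding the
    PE signature at the decrypted e_lfanew. Returns the shortest key or None."""
    if len(blob) < 0x40 + 4:
        return None
    for klen in range(1, max_key_len + 1):
        key = bytes(c ^ p for c, p in zip(blob[:klen], KNOWN_DOS_PREFIX[:klen]))
        if xor_repeating(blob[:len(KNOWN_DOS_PREFIX)], key) != KNOWN_DOS_PREFIX:
            continue  # key of this length is inconsistent with the header
        plain = xor_repeating(blob, key)
        e_lfanew = struct.unpack_from("<I", plain, 0x3C)[0]
        if 0x40 <= e_lfanew <= len(plain) - 4 and plain[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return key
    return None


def decrypt_payload(blob: bytes):
    """Return (key, decrypted PE image); raise if no key validates."""
    key = recover_xor_key(blob)
    if key is None:
        raise ValueError("no repeating XOR key turns this blob into a PE image")
    return key, xor_repeating(blob, key)


# Constructed test material (hypothetical, not from the sample): a minimal fake
# PE image and a made-up 13-byte key.
DEMO_KEY = b"k3y-for-demo!"


def build_fake_pe(e_lfanew: int = 0x80) -> bytes:
    dos_stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
                b"This program cannot be run in DOS mode.\r\r\n$")
    header = KNOWN_DOS_PREFIX + struct.pack("<I", e_lfanew)
    image = (header + dos_stub).ljust(e_lfanew, b"\0")
    return image + b"PE\0\0" + b"\x4c\x01" + b"\0" * 0x100  # Machine = i386


ENCRYPTED_DEMO = xor_repeating(build_fake_pe(), DEMO_KEY)

if __name__ == "__main__":
    key, pe = decrypt_payload(ENCRYPTED_DEMO)
    print("recovered key:", key, "e_lfanew: 0x%x" % struct.unpack_from("<I", pe, 0x3C)[0])
```

The consistency check over the full 60-byte prefix is what makes this usable on a real download: a wrong key length reproduces "MZ" by construction but fails on the bytes that follow, so only genuine periods survive to the more expensive PE-signature check. Payloads built with a different linker may not start with these exact header bytes; in that case shorten `KNOWN_DOS_PREFIX` to the bytes that are certain (at minimum "MZ" and the zero run before e_lfanew) and rely more on the signature check.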
No configs have been found
Source | Rule | Description | Author | Strings
00000008.00000002.2776663504.0000000003F98000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | -
00000000.00000002.1414307552.00000000097C8000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | -
(The leading field of a memory-dump name is the sandbox's process index, not the PID: 0 is the parent employee record_pdf.bat.exe, 8 is the child it spawned.)
      No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T20:20:28.458360+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49690 | 188.114.97.3 | 443 | TCP
2025-03-07T20:20:41.450918+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49691 | 188.114.97.3 | 443 | TCP
2025-03-07T20:20:54.194662+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49692 | 188.114.97.3 | 443 | TCP
2025-03-07T20:21:07.370421+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49693 | 188.114.97.3 | 443 | TCP
2025-03-07T20:21:19.594372+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49694 | 188.114.97.3 | 443 | TCP
2025-03-07T20:21:32.152342+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49695 | 188.114.97.3 | 443 | TCP
2025-03-07T20:21:45.052896+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49696 | 188.114.97.3 | 443 | TCP
2025-03-07T20:21:57.964991+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49697 | 188.114.97.3 | 443 | TCP
2025-03-07T20:22:10.611813+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49698 | 188.114.97.3 | 443 | TCP
2025-03-07T20:22:23.180046+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49699 | 188.114.97.3 | 443 | TCP
2025-03-07T20:22:35.539956+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49700 | 188.114.97.3 | 443 | TCP
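The eleven alerts above fire roughly every 12 to 13 seconds, each from a fresh source port, which is the signature of a downloader retrying a fixed-interval fetch. The block below is an added example, not part of the Joe Sandbox report: it parses the rows (re-typed here as space-separated fields; the layout and the `min_events` / `max_jitter` thresholds are my choices) and scores how regular the inter-arrival times are, the same check one would run over a Suricata fast.log or EVE export to separate beaconing from ordinary browsing.

```python
import re
import statistics
from datetime import datetime

# Constructed input: the eleven Suricata alerts from the table above, one per
# line as (timestamp, SID, severity, classtype, src IP, src port, dst IP,
# dst port, protocol). Values are the report's; the layout is mine.
ALERT_ROWS = """\
2025-03-07T20:20:28.458360+0100 2803270 2 Potentially Bad Traffic 192.168.2.8 49690 188.114.97.3 443 TCP
2025-03-07T20:20:41.450918+0100 2803270 2 Potentially Bad Traffic 192.168.2.8 49691 188.114.97.3 443 TCP
2025-03-07T20:20:54.194662+0100 2803270 2 Potentially Bad Traffic 192.168.2.8 49692 188.114.97.3 443 TCP
2025-03-07T20:21:07.370421+0100 2803270 2 Potentially Bad Traffic 192.168.2.8 49693 188.114.97.3 443 TCP
2025-03-07T20:21:19.594372+0100 2803270 2 Potentially Bad Traffic 192.168.2.8 49694 188.114.97.3 443 TCP
2025-03-07T20:21:32.152342+0100 2803270 2 Potentially Bad Traffic 192.168.2.8 49695 188.114.97.3 443 TCP
2025-03-07T20:21:45.052896+0100 2803270 2 Potentially Bad Traffic 192.168.2.8 49696 188.114.97.3 443 TCP
2025-03-07T20:21:57.964991+0100 2803270 2 Potentially Bad Traffic 192.168.2.8 49697 188.114.97.3 443 TCP
2025-03-07T20:22:10.611813+0100 2803270 2 Potentially Bad Traffic 192.168.2.8 49698 188.114.97.3 443 TCP
2025-03-07T20:22:23.180046+0100 2803270 2 Potentially Bad Traffic 192.168.2.8 49699 188.114.97.3 443 TCP
2025-03-07T20:22:35.539956+0100 2803270 2 Potentially Bad Traffic 192.168.2.8 49700 188.114.97.3 443 TCP
"""

ROW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sid>\d+) (?P<sev>\d) (?P<cls>.+?) "
    r"(?P<src>[\d.]+) (?P<sport>\d+) (?P<dst>[\d.]+) (?P<dport>\d+) (?P<proto>\w+)$"
)


def parse_alerts(text):
    """Parse rows in the layout above into dicts with a timezone-aware timestamp."""
    alerts = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header or blank line
        d = m.groupdict()
        # %z accepts the "+0100" offset form used in the report
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%S.%f%z")
        for k in ("sid", "sev", "sport", "dport"):
            d[k] = int(d[k])
        alerts.append(d)
    return alerts


def beacon_profiles(alerts, min_events=5, max_jitter=0.2):
    """Group alerts by (src, dst, dport, sid) and score the regularity of their
    inter-arrival gaps. jitter = population stdev / mean of the gaps; a low
    value over enough events is the fixed-interval retry/beacon pattern."""
    groups = {}
    for a in alerts:
        groups.setdefault((a["src"], a["dst"], a["dport"], a["sid"]), []).append(a)
    profiles = []
    for (src, dst, dport, sid), items in groups.items():
        if len(items) < min_events:
            continue
        items.sort(key=lambda a: a["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(items, items[1:])]
        mean = statistics.fmean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        profiles.append({
            "src": src, "dst": dst, "dport": dport, "sid": sid,
            "count": len(items),
            "mean_gap_s": round(mean, 2),
            "jitter": round(jitter, 3),
            # a distinct source port per event means a new TCP connection each time
            "new_connection_each_time": len({a["sport"] for a in items}) == len(items),
            "periodic": jitter <= max_jitter,
        })
    return profiles


if __name__ == "__main__":
    for p in beacon_profiles(parse_alerts(ALERT_ROWS)):
        print(p)
```

For this sample the single group comes out at a mean gap of about 12.7 s with jitter near 0.02, well under the 0.2 cut-off, and a new connection for every request; this matches the `Connection: close` on every 403 reply the server returned. A real deployment would key the groups on the HTTP host as well, since the same IP (a Cloudflare edge) fronts many unrelated sites.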

      AV Detection

Source: employee record_pdf.bat.exe | Avira: detected
Source: https://chneiu.icu/qZzaQfFD/epGfV132.binB | Avira URL Cloud: Label: malware
Source: https://chneiu.icu/qZzaQfFD/epGfV132.binK6 | Avira URL Cloud: Label: malware
Source: https://chneiu.icu/ | Avira URL Cloud: Label: malware
Source: https://chneiu.icu/qZzaQfFD/epGfV132.binF | Avira URL Cloud: Label: malware
Source: https://chneiu.icu/82& | Avira URL Cloud: Label: malware
Source: https://chneiu.icu/neiu.icu/qZzaQfFD/epGfV132.binR | Avira URL Cloud: Label: malware
Source: https://chneiu.icu/qZzaQfFD/epGfV132.bino6 | Avira URL Cloud: Label: malware
Source: https://chneiu.icu/qZzaQfFD/epGfV132.binnK6 | Avira URL Cloud: Label: malware
Source: https://chneiu.icu/qZzaQfFD/epGfV132.binR6 | Avira URL Cloud: Label: malware
Source: https://chneiu.icu/qZzaQfFD/epGfV132.binL6 | Avira URL Cloud: Label: malware
Source: https://chneiu.icu/qZzaQfFD/epGfV132.binn | Avira URL Cloud: Label: malware
Source: https://chneiu.icu/qZzaQfFD/epGfV132.binnR6 | Avira URL Cloud: Label: malware
Source: https://chneiu.icu/qZzaQfFD/epGfV132.binno6 | Avira URL Cloud: Label: malware
Source: https://chneiu.icu/qZzaQfFD/epGfV132.bin | Avira URL Cloud: Label: malware
Source: https://chneiu.icu/neiu.icu/qZzaQfFD/epGfV132.bin | Avira URL Cloud: Label: malware
Source: https://chneiu.icu/qZzaQfFD/epGfV132.bin3 | Avira URL Cloud: Label: malware
Source: https://chneiu.icu/5 | Avira URL Cloud: Label: malware
Source: https://chneiu.icu/qZzaQfFD/epGfV132.bins | Avira URL Cloud: Label: malware
(The characters after ".bin" in most of these URLs are adjacent bytes picked up when the string was carved from process memory; the URL actually requested is https://chneiu.icu/qZzaQfFD/epGfV132.bin, as the captured GET request shows.)
Source: employee record_pdf.bat.exe | VirusTotal: Detection: 62%
Source: employee record_pdf.bat.exe | ReversingLabs: Detection: 52%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Other Signature Results

Source: employee record_pdf.bat.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49690 version: TLS 1.2
Source: employee record_pdf.bat.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | Code function 0_2_00405E7C: FindFirstFileA, FindClose
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | Code function 0_2_00405438: GetTempPathA, DeleteFileA, lstrcatA, lstrcatA, lstrlenA, FindFirstFileA, LdrInitializeThunk, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | Code function 0_2_00402645: FindFirstFileA
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | Code function 8_2_00402645: FindFirstFileA
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | Code function 8_2_00405E7C: FindFirstFileA, FindClose
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | Code function 8_2_00405438: GetTempPathA, DeleteFileA, lstrcatA, lstrcatA, lstrlenA, FindFirstFileA, LdrInitializeThunk, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Source: Joe Sandbox View | IP Address: 188.114.97.3
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8 -> 188.114.97.3:443 (11 alerts, one per connection, from source ports 49690 through 49700)
Source: global traffic | HTTP traffic detected (the same request on each of the 11 connections):
  GET /qZzaQfFD/epGfV132.bin HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
  Host: chneiu.icu
  Cache-Control: no-cache
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: chneiu.icu
Source: global traffic | HTTP traffic detected: all eleven requests were answered with HTTP/1.1 403 Forbidden. Every response carries Content-Type: text/html, Transfer-Encoding: chunked, Connection: close and Server: cloudflare; nine of them additionally carry X-Frame-Options: SAMEORIGIN, Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=<token>"}],"group":"cf-nel","max_age":604800} and NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}. The per-response fields:

Date (GMT) | charset | X-Frame-Options / Report-To / NEL | CF-RAY | Report-To token (s=)
Fri, 07 Mar 2025 19:20:28 | utf-8 | absent | 91cc73488ec8cef1-SJC | -
Fri, 07 Mar 2025 19:20:41 | UTF-8 | present | 91cc7399cb3d22ea-SJC | Rhkva6vRwfCYLJFhG7fHAaT6GhfaCgvzO5JDjcPS1cTz7se3VQamr1GgliNVbgc8afK5DqmNjSAaPN%2Fi%2BGnf3wH2a6mrBREFveaRSVlH7qOTqy9DA0AVDsdSAL7E
Fri, 07 Mar 2025 19:20:53 | UTF-8 | present | 91cc73e9291ace60-SJC | snYTLnrbf%2Bh1DEaZkcJ%2F0Q%2BEqDuZUYipV4LxmcZvg9im%2BWBTFwhA3%2F5wYKY4SIzasQUNyOBAUj%2BHPcR91qAhIlCRdxZ2yv%2BHNWj0gdCOD9cORFIa4TyGIBGEgTXf
Fri, 07 Mar 2025 19:21:07 | UTF-8 | present | 91cc743bae57ed3c-SJC | QPA18j5hgsgqwEyCxms%2FIBcWSPJHrMXJPtCZVPsVcXQ6ZEPLg7QoEH2w%2FNqF8efn70cC8MYJeJ7NwR9af%2FVlz8wbqMPGjwrxjhLPn6aY1cFcBlpxNdFiybNINo9p
Fri, 07 Mar 2025 19:21:19 | UTF-8 | present | 91cc74883a74cf9b-SJC | AsoM0e55Me%2FPxoD5NhbXMKjK358kD92a5fzekIjJwQDia9OlzkX43kkGmPEtrQQFy1v91%2Fw%2BGMSsQF2Gg7r7gM8D7fwHHu9oKx5DYMAD3jQh0F9Y8Eg%2F7a%2F2H5b%2F
Fri, 07 Mar 2025 19:21:31 | utf-8 | absent | 91cc74d698d8fb28-SJC | -
Fri, 07 Mar 2025 19:21:44 | UTF-8 | present | 91cc75273cdc26b0-SJC | ZvunwptWTXSP2yvJDLagQ8cSgOJW%2FkC%2FbYmVBi7h2xPeqfn%2FaX87X8Y9df4Ko2aM8O2nf97fZTsvI4WvXfTSHZcN7C2guktCOG0lAgXfvItZQVzSDM4zejIiPiQv
Fri, 07 Mar 2025 19:21:57 | UTF-8 | present | 91cc7577dd3a176d-SJC | iQ3bl8owIQ6CBJc6VeVB402TF5RPLcjN2%2FsbJYpctfRzis5w2qh5V1XsR3vBdakIWegh2nuuWmQ5luObXJR0ZaLaW4GI8XcdwsUL8WLvUFprivT745TMHUfauocV
Fri, 07 Mar 2025 19:22:10 | UTF-8 | present | 91cc75c6e8b2ed3d-SJC | z21RIITY9SQSdrFtxot%2F28OX9ls7666HPP62l3tzgxAecScESpldN0RH1HHh0ci6zSZ%2Fnt1shMG%2B9KhaSGTQ2rcgMTqC8BXnLWPcQaqA8MKIAX8TcTMXKVWdl6FS
Fri, 07 Mar 2025 19:22:22 | UTF-8 | present | 91cc76154ee79e68-SJC | mSKLJ27X0o%2FgOtmqU5A22EAGjYBEThNh1FsuAKkN9l5Ypa9hQRPL1zq7eG9nqm%2F0LC7fMLpB%2B0mzG3F45anL0uV3hoyMPExJ7GUNQvEtTVuT4WexjLWZFXzQrl1g
Fri, 07 Mar 2025 19:22:35 | UTF-8 | present | 91cc7662bd60faba-SJC | OvX7MFqgzHoAFXXqHi3BCdzD4%2BwPpBq1pgLgxCiS%2FG4M7MUgupR%2FerC3cRHx3l%2Bxkhhny16Cw7p%2FQUUJ8FtYso5%2BTlkVWlJOi7d4El%2FZ1J2pD36tiwfOK%2FZxD5Fu

The Date headers are in GMT and line up with the +0100 Suricata timestamps above. Because the Cloudflare edge blocked every fetch, the loader retried at a roughly 12 to 13 second interval for the rest of the run and no second-stage payload was retrieved, so the decrypt-and-inject stage of the downloader was never exercised in this analysis.
Source: employee record_pdf.bat.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: employee record_pdf.bat.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
(These are the standard error strings of the Nullsoft Scriptable Install System: the outer file is an NSIS installer stub that carries the loader.)
String found in memory of employee record_pdf.bat.exe: https://chneiu.icu/
  Dumps: 00000008.00000003.2100675939.0000000004A76000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.1593756957.0000000004A77000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2610706283.0000000004A6F000.00000004.00000020.00020000.00000000.sdmp
String found in memory of employee record_pdf.bat.exe: https://chneiu.icu/5
  Dumps: 00000008.00000002.2780876766.0000000004A43000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2734467600.0000000004A43000.00000004.00000020.00020000.00000000.sdmp
String found in memory of employee record_pdf.bat.exe: https://chneiu.icu/82&
  Dumps: 00000008.00000003.1852744850.0000000004A77000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.1721057703.0000000004A77000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000002.2780958190.0000000004A6F000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2485070890.0000000004A76000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.1720947412.0000000004A77000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2734376728.0000000004A6F000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.1852661877.0000000004A77000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2100787326.0000000004A76000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2100675939.0000000004A76000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2610706283.0000000004A6F000.00000004.00000020.00020000.00000000.sdmp
String found in memory of employee record_pdf.bat.exe: https://chneiu.icu/neiu.icu/qZzaQfFD/epGfV132.bin
  Dumps: 00000008.00000002.2780876766.0000000004A43000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2734467600.0000000004A43000.00000004.00000020.00020000.00000000.sdmp
String found in memory of employee record_pdf.bat.exe: https://chneiu.icu/neiu.icu/qZzaQfFD/epGfV132.binR
  Dumps: 00000008.00000002.2780876766.0000000004A43000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2734467600.0000000004A43000.00000004.00000020.00020000.00000000.sdmp
String found in memory of employee record_pdf.bat.exe: https://chneiu.icu/qZzaQfFD/epGfV132.bin
  Dumps: 00000008.00000003.2610706283.0000000004A6F000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2734467600.0000000004A58000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2100822549.0000000004A57000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.1852804129.0000000004A56000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2734467600.0000000004A2E000.00000004.00000020.00020000.00000000.sdmp
String found in memory of employee record_pdf.bat.exe: https://chneiu.icu/qZzaQfFD/epGfV132.bin3
  Dumps: 00000008.00000003.1593682750.0000000004A77000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.1593756957.0000000004A77000.00000004.00000020.00020000.00000000.sdmp
String found in memory of employee record_pdf.bat.exe: https://chneiu.icu/qZzaQfFD/epGfV132.binB
  Dumps: 00000008.00000002.2780876766.0000000004A2F000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2734467600.0000000004A2E000.00000004.00000020.00020000.00000000.sdmp
String found in memory of employee record_pdf.bat.exe: https://chneiu.icu/qZzaQfFD/epGfV132.binF
  Dumps: 00000008.00000003.1852744850.0000000004A77000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.1852661877.0000000004A77000.00000004.00000020.00020000.00000000.sdmp
String found in memory of employee record_pdf.bat.exe: https://chneiu.icu/qZzaQfFD/epGfV132.binK6
  Dumps: 00000008.00000003.1721057703.0000000004A77000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.1593682750.0000000004A77000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.1720947412.0000000004A77000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.1593756957.0000000004A77000.00000004.00000020.00020000.00000000.sdmp
String found in memory of employee record_pdf.bat.exe: https://chneiu.icu/qZzaQfFD/epGfV132.binL6
  Dumps: 00000008.00000003.2358670756.0000000004A6F000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2229682096.0000000004A6F000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2358763714.0000000004A75000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000002.2780958190.0000000004A6F000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2485070890.0000000004A76000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.1975199505.0000000004A77000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.1975132131.0000000004A77000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2734376728.0000000004A6F000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2100787326.0000000004A76000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2229776945.0000000004A75000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2100675939.0000000004A76000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2610706283.0000000004A6F000.00000004.00000020.00020000.00000000.sdmp
String found in memory of employee record_pdf.bat.exe: https://chneiu.icu/qZzaQfFD/epGfV132.binR6
  Dumps: 00000008.00000003.1975199505.0000000004A77000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.1975132131.0000000004A77000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2100787326.0000000004A76000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2100675939.0000000004A76000.00000004.00000020.00020000.00000000.sdmp
String found in memory of employee record_pdf.bat.exe: https://chneiu.icu/qZzaQfFD/epGfV132.binn
  Dumps: 00000008.00000003.2358670756.0000000004A6F000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.1852744850.0000000004A77000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2229682096.0000000004A6F000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2358763714.0000000004A75000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.1721057703.0000000004A77000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000002.2780958190.0000000004A6F000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2485070890.0000000004A76000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.1975199505.0000000004A77000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.1975132131.0000000004A77000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.1720947412.0000000004A77000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2734376728.0000000004A6F000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.1852661877.0000000004A77000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2100787326.0000000004A76000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2229776945.0000000004A75000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2100675939.0000000004A76000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2610706283.0000000004A6F000.00000004.00000020.00020000.00000000.sdmp
String found in memory of employee record_pdf.bat.exe: https://chneiu.icu/qZzaQfFD/epGfV132.binnK6
  Dumps: 00000008.00000003.2229682096.0000000004A6F000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2229776945.0000000004A75000.00000004.00000020.00020000.00000000.sdmp
String found in memory of employee record_pdf.bat.exe: https://chneiu.icu/qZzaQfFD/epGfV132.binnR6
  Dumps: 00000008.00000003.2358670756.0000000004A6F000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2358763714.0000000004A75000.00000004.00000020.00020000.00000000.sdmp
String found in memory of employee record_pdf.bat.exe: https://chneiu.icu/qZzaQfFD/epGfV132.binno6
  Dumps: 00000008.00000002.2780958190.0000000004A6F000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2734376728.0000000004A6F000.00000004.00000020.00020000.00000000.sdmp
String found in memory of employee record_pdf.bat.exe: https://chneiu.icu/qZzaQfFD/epGfV132.bino6
  Dumps: 00000008.00000003.2358670756.0000000004A6F000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.1852744850.0000000004A77000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2229682096.0000000004A6F000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2358763714.0000000004A75000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.1721057703.0000000004A77000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.1593682750.0000000004A77000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2485070890.0000000004A76000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.1720947412.0000000004A77000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.1852661877.0000000004A77000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2229776945.0000000004A75000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.1593756957.0000000004A77000.00000004.00000020.00020000.00000000.sdmp
String found in memory of employee record_pdf.bat.exe: https://chneiu.icu/qZzaQfFD/epGfV132.bins
  Dumps: 00000008.00000002.2780958190.0000000004A6F000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2734376728.0000000004A6F000.00000004.00000020.00020000.00000000.sdmp
String found in memory of employee record_pdf.bat.exe: https://www.cloudflare.com/5xx-error-landing
  Dumps: 00000008.00000003.2734467600.0000000004A5E000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2229812517.0000000004A5E000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.1975233074.0000000004A5E000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.1852661877.0000000004A68000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2358670756.0000000004A68000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000002.2781213520.0000000006630000.00000004.00000800.00020000.00000000.sdmp, 00000008.00000002.2780876766.0000000004A5E000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2100822549.0000000004A5E000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2610706283.0000000004A68000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.1720947412.0000000004A68000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2485070890.0000000004A68000.00000004.00000020.00020000.00000000.sdmp
String found in memory of employee record_pdf.bat.exe: https://www.cloudflare.com/learning/access-management/phishing-attack/
  Dumps: 00000008.00000003.1852804129.0000000004A5E000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2734467600.0000000004A5E000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.1975233074.0000000004A5E000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000002.2781213520.0000000006630000.00000004.00000800.00020000.00000000.sdmp, 00000008.00000002.2780876766.0000000004A5E000.00000004.00000020.00020000.00000000.sdmp, 00000008.00000003.2100822549.0000000004A5E000.00000004.00000020.00020000.00000000.sdmp
(The two www.cloudflare.com URLs are not contacted by the sample; they sit in the child process's memory because it received the HTML bodies of the Cloudflare 403 block pages listed above.)
Source: unknown | Network traffic detected: HTTP traffic on port 443 to and from each of the client ports 49690, 49691, 49692, 49693, 49694, 49695, 49696, 49697, 49698, 49699 and 49700 (22 entries: one 49xxx -> 443 and one 443 -> 49xxx per client port)
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49690 version: TLS 1.2
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | Code function: 0_2_00404FA1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,LdrInitializeThunk,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,LdrInitializeThunk,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,LdrInitializeThunk,ShowWindow,LdrInitializeThunk,LdrInitializeThunk,ShowWindow,LdrInitializeThunk,SendMessageA,CreatePopupMenu,LdrInitializeThunk,AppendMenuA,GetWindowRect,LdrInitializeThunk,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,LdrInitializeThunk,SetClipboardData,CloseClipboard
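The memory-string hits above carry the same payload URL four times with different trailing bytes (.binnR6, .binno6, .bino6, .bins) because string carving reads past the terminator, and the two cloudflare.com strings are CDN error-page residue rather than attacker infrastructure. The script below is an added example, not part of the Joe Sandbox report: it extracts the URLs and the TLS peer from lines copied from this report (trimmed to one memory-dump id each), collapses the trailing-byte variants of one URL into a single indicator by shared prefix, and separates payload hosts from a small analyst-supplied allowlist of CDN hosts. The allowlist and the 3-byte slack are assumptions of the example.

```python
"""Added example (not part of the Joe Sandbox report): network IOC extraction and
normalisation for "String found in binary or memory" / "HTTPS traffic detected" lines."""
import re
from urllib.parse import urlsplit

# Lines copied from this report and trimmed to one memory-dump id each (constructed input).
SAMPLE_LINES = [
    "Source: employee record_pdf.bat.exe, 00000008.00000003.2358670756.0000000004A6F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://chneiu.icu/qZzaQfFD/epGfV132.binnR6",
    "Source: employee record_pdf.bat.exe, 00000008.00000002.2780958190.0000000004A6F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://chneiu.icu/qZzaQfFD/epGfV132.binno6",
    "Source: employee record_pdf.bat.exe, 00000008.00000003.1852744850.0000000004A77000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://chneiu.icu/qZzaQfFD/epGfV132.bino6",
    "Source: employee record_pdf.bat.exe, 00000008.00000003.2734376728.0000000004A6F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://chneiu.icu/qZzaQfFD/epGfV132.bins",
    "Source: employee record_pdf.bat.exe, 00000008.00000003.2734467600.0000000004A5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/5xx-error-landing",
    "Source: employee record_pdf.bat.exe, 00000008.00000003.1852804129.0000000004A5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/",
    "Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49690 version: TLS 1.2",
]

# Hosts whose strings are CDN error-page residue, not attacker infrastructure.
# Analyst-supplied allowlist: an assumption of this example, not a finding of the report.
CDN_NOISE_HOSTS = {"www.cloudflare.com"}

URL_RE = re.compile(r"String found in binary or memory:\s*(https?://\S+)")
TLS_RE = re.compile(
    r"HTTPS traffic detected:\s*([\d.]+):(\d+)\s*->\s*([\d.]+):(\d+)\s*version:\s*(TLS\s*[\d.]+)"
)


def _common_prefix(a: str, b: str) -> str:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return a[:n]


def canonicalise_urls(urls, slack: int = 3):
    """Merge URLs that differ only in a few trailing bytes into their shared prefix.

    Two candidates merge when both lie within `slack` bytes of their common prefix and
    that prefix already reaches into the URL path, so https://a.example/x and
    https://a.example/y are never collapsed to the bare host.
    """
    canon = []
    for url in sorted(set(urls)):
        for i, known in enumerate(canon):
            prefix = _common_prefix(known, url)
            if (len(known) - len(prefix) <= slack
                    and len(url) - len(prefix) <= slack
                    and urlsplit(prefix).path not in ("", "/")):
                canon[i] = prefix
                break
        else:
            canon.append(url)
    return canon


def extract_iocs(lines):
    """Return canonical URLs, domains, payload URLs and TLS peers found in report lines."""
    raw_urls = []
    tls_peers = []
    for line in lines:
        m = URL_RE.search(line)
        if m:
            raw_urls.append(m.group(1))
        m = TLS_RE.search(line)
        if m:
            tls_peers.append({"server": f"{m.group(1)}:{m.group(2)}",
                              "client_port": int(m.group(4)),
                              "version": m.group(5)})
    urls = canonicalise_urls(raw_urls)
    return {
        "raw_url_variants": len(set(raw_urls)),
        "urls": urls,
        "domains": sorted({urlsplit(u).hostname for u in urls}),
        "payload_urls": [u for u in urls if urlsplit(u).hostname not in CDN_NOISE_HOSTS],
        "tls_peers": tls_peers,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(extract_iocs(SAMPLE_LINES), indent=2))
```

The prefix merge is a heuristic: it would also shorten a genuine URL that happens to have a sibling differing by one trailing character, so confirm the canonical URL against the PCAP or the HTTP request list before publishing it as an indicator.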

      System Summary

Source: initial sample | Static PE information: Filename: employee record_pdf.bat.exe
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | Code function: 0_2_004030B6 EntryPoint,#17,SetErrorMode,OleInitialize,LdrInitializeThunk,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,LdrInitializeThunk,LdrInitializeThunk,GetCurrentProcess,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | Code function: 8_2_004030B6 EntryPoint,#17,SetErrorMode,OleInitialize,LdrInitializeThunk,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,LdrInitializeThunk,LdrInitializeThunk,GetCurrentProcess,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | Code function: 0_2_00406152
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | Code function: 0_2_004047E0
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | Code function: 8_2_00406152
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | Code function: 8_2_004047E0
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | Code function: String function: 004029FD appears 47 times
Source: employee record_pdf.bat.exe, 00000000.00000000.913538455.0000000000447000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename semicollegiate.exe vs employee record_pdf.bat.exe
Source: employee record_pdf.bat.exe, 00000008.00000002.2776566664.0000000000447000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename semicollegiate.exe vs employee record_pdf.bat.exe
Source: employee record_pdf.bat.exe | Binary or memory string: OriginalFilename semicollegiate.exe vs employee record_pdf.bat.exe
Source: employee record_pdf.bat.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine | Classification label: mal88.troj.evad.winEXE@3/17@1/1
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | Code function: 0_2_004042B1 GetDlgItem,SetWindowTextA,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,LdrInitializeThunk,SetDlgItemTextA
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | Code function: 0_2_00402036 LdrInitializeThunk,LdrInitializeThunk,CoCreateInstance,MultiByteToWideChar,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | File created: C:\Users\user\AppData\Local\Songy
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | File created: C:\Users\user\AppData\Local\Temp\nst8895.tmp
Source: employee record_pdf.bat.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: employee record_pdf.bat.exe | Virustotal: Detection: 62%
Source: employee record_pdf.bat.exe | ReversingLabs: Detection: 52%
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | File read: C:\Users\user\Desktop\employee record_pdf.bat.exe
Source: unknown | Process created: C:\Users\user\Desktop\employee record_pdf.bat.exe "C:\Users\user\Desktop\employee record_pdf.bat.exe"
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | Process created: C:\Users\user\Desktop\employee record_pdf.bat.exe "C:\Users\user\Desktop\employee record_pdf.bat.exe"
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | Section loaded (50 entries, in load order across both process instances): apphelp.dll, version.dll, kernel.appcore.dll, uxtheme.dll, shfolder.dll, windows.storage.dll, wldp.dll, propsys.dll, riched20.dll, usp10.dll, msls31.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll (three times), textshaping.dll, profapi.dll, version.dll, wininet.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, msasn1.dll, dpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, ncrypt.dll, ncryptsslp.dll
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | File written: C:\Users\user\AppData\Local\Songy\filmdebut\Preciouses.ini
Source: employee record_pdf.bat.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

      Data Obfuscation

Source: Yara match | File source: 00000008.00000002.2776663504.0000000003F98000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1414307552.00000000097C8000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | Code function: 0_2_00405EA3 GetModuleHandleA,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | Code function: 0_2_10002D30 push eax; ret (at 0_2_10002D5E)
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | File created (dropped file): C:\Users\user\AppData\Local\Temp\nsy942F.tmp\System.dll
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | Process information set: NOOPENFILEERRORBOX (three occurrences)
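The file artefacts recorded in the System Summary and Data Obfuscation sections (the Songy directory under %LOCALAPPDATA%, the Preciouses.ini written beneath it, and the randomly named ns?XXXX.tmp directories under %TEMP%, one of which receives the dropped System.dll) are tied to the sandbox user name and to per-run random names, so they cannot be searched for verbatim on other hosts. The script below is an added example, not part of the report: it turns the observed paths (copied from this report) into user-independent regular expressions, generalising the temp-directory shape seen in nst8895.tmp and nsy942F.tmp, and runs them over a constructed list of candidate paths from other hosts. The ns?XXXX.tmp generalisation and the candidate paths are assumptions of the example.

```python
"""Added example (not from the report): host-artefact hunting patterns from
"File created" / "File written" / dropped-file lines of a sandbox report."""
import re

# Lines copied from this report (constructed input for the example).
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | File created: C:\Users\user\AppData\Local\Songy",
    r"Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | File created: C:\Users\user\AppData\Local\Temp\nst8895.tmp",
    r"Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | File created: C:\Users\user\AppData\Local\Temp\nsy942F.tmp\System.dll",
    r"Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | File written: C:\Users\user\AppData\Local\Songy\filmdebut\Preciouses.ini",
]

# Constructed paths standing in for other hosts' file-system telemetry (assumption).
CANDIDATES = [
    r"C:\Users\alice\AppData\Local\Temp\nsk1A2B.tmp\System.dll",
    r"C:\Users\bob\AppData\Local\Songy\filmdebut\Preciouses.ini",
    r"C:\Users\bob\AppData\Local\Temp\setup.tmp\System.dll",
    r"D:\Users\carol\AppData\Local\Songy",
]

ARTEFACT_RE = re.compile(r"(?:File (?:created|written)|Dropped PE file[^:]*):\s*([A-Za-z]:\\.+?)\s*$")
# Shape of the temp directories seen in this report (nst8895.tmp, nsy942F.tmp):
# "ns", one letter, four hex digits, ".tmp". Generalising it is an assumption.
RANDOM_TMP_DIR = re.compile(r"ns[a-z][0-9a-f]{4}\.tmp", re.I)
USER_TEMP = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp(?=\\|$)", re.I)
USER_LOCAL = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local(?=\\|$)", re.I)
_EXPANSIONS = {
    "%TEMP%": r"(?:%TEMP%|[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp)",
    "%LOCALAPPDATA%": r"(?:%LOCALAPPDATA%|[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local)",
}


def normalise(path: str) -> str:
    """Replace the sandbox user's profile directories with environment-variable tokens."""
    path = USER_TEMP.sub("%TEMP%", path)
    return USER_LOCAL.sub("%LOCALAPPDATA%", path)


def to_regex(normalised: str) -> str:
    """Anchor a normalised path as a regex, widening tokens and random temp dir names."""
    parts = []
    for part in normalised.split("\\"):
        if part in _EXPANSIONS:
            parts.append(_EXPANSIONS[part])
        elif RANDOM_TMP_DIR.fullmatch(part):
            parts.append(RANDOM_TMP_DIR.pattern)
        else:
            parts.append(re.escape(part))
    return "^" + r"\\".join(parts) + "$"


def build_hunt_patterns(lines):
    """One pattern per distinct normalised artefact path, in report order."""
    patterns, seen = [], set()
    for line in lines:
        m = ARTEFACT_RE.search(line)
        if not m:
            continue
        norm = normalise(m.group(1))
        if norm in seen:
            continue
        seen.add(norm)
        patterns.append({"observed": m.group(1), "normalised": norm, "regex": to_regex(norm)})
    return patterns


def hunt(patterns, candidate_paths):
    """Return (path, normalised pattern) for every candidate that matches a pattern."""
    compiled = [(p["normalised"], re.compile(p["regex"], re.I)) for p in patterns]
    hits = []
    for path in candidate_paths:
        for name, rx in compiled:
            if rx.match(path):
                hits.append((path, name))
    return hits


if __name__ == "__main__":
    pats = build_hunt_patterns(SAMPLE_LINES)
    for p in pats:
        print(p["regex"])
    for path, name in hunt(pats, CANDIDATES):
        print("HIT", path, "<-", name)
```

The bare ns?XXXX.tmp directory pattern will also match benign installers that use the same temp-directory convention; pair it with the Songy and Preciouses.ini patterns, which are specific to this sample, before raising an alert on it alone.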

      Malware Analysis System Evasion

Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | API/Special instruction interceptor: Address: 9A35E09
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | API/Special instruction interceptor: Address: 4205E09
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | RDTSC instruction interceptor: First address: 99FBD66 second address: 99FBD66 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F3A88D75CC8h 0x00000006 test al, dl 0x00000008 inc ebp 0x00000009 inc ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | RDTSC instruction interceptor: First address: 41CBD66 second address: 41CBD66 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F3A88EC6218h 0x00000006 test al, dl 0x00000008 inc ebp 0x00000009 inc ebx 0x0000000a rdtsc
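The two RDTSC interceptor hits above show the shape of the timing check: a time-stamp read, a compare and a conditional branch, a handful of cheap instructions, and a second read, with the first and second address identical, meaning the sandbox saw the same rdtsc site execute twice, i.e. the check sits in a loop. Below is an added example, not part of the report, that parses these interceptor lines (the two from this report plus one constructed non-looping line) into instruction tuples and applies that reasoning: two reads bracketing a short window that contains a conditional branch, or the same site hit twice, is classified as a timing check. The verdict rule is the example's own heuristic.

```python
"""Added example (not from the report): parse Joe Sandbox "RDTSC instruction
interceptor" lines and classify the read pair as a timing-based VM check."""
import re

HEADER_RE = re.compile(
    r"First address:\s*([0-9A-Fa-f]+)\s+second address:\s*([0-9A-Fa-f]+)\s+instructions:\s*(.*)$"
)
INSN_RE = re.compile(r"0x([0-9A-Fa-f]+)\s+(\S+)(?:\s+(.+))?")
CONDITIONAL_JUMPS = {
    "ja", "jae", "jb", "jbe", "jc", "je", "jz", "jne", "jnz", "jg", "jge", "jl", "jle",
    "jna", "jnae", "jnb", "jnbe", "jnc", "jng", "jnge", "jnl", "jnle", "jno", "jnp",
    "jns", "jo", "jp", "jpe", "jpo", "js", "jcxz", "jecxz", "loop", "loope", "loopne",
}

# First two lines copied from this report; the third is a constructed negative case.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | RDTSC instruction interceptor: First address: 99FBD66 second address: 99FBD66 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F3A88D75CC8h 0x00000006 test al, dl 0x00000008 inc ebp 0x00000009 inc ebx 0x0000000a rdtsc",
    r"Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | RDTSC instruction interceptor: First address: 41CBD66 second address: 41CBD66 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F3A88EC6218h 0x00000006 test al, dl 0x00000008 inc ebp 0x00000009 inc ebx 0x0000000a rdtsc",
    r"Source: constructed.exe | RDTSC instruction interceptor: First address: 401000 second address: 401020 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 1 0x00000007 ret",
]


def parse_listing(text: str):
    """Split '0xOFFSET mnemonic operands ...' runs into (offset, mnemonic, operands)."""
    insns = []
    for chunk in re.split(r"\s+(?=0x[0-9A-Fa-f]{8}\b)", text.strip()):
        m = INSN_RE.fullmatch(chunk)
        if m:
            insns.append((int(m.group(1), 16), m.group(2).lower(), m.group(3)))
    return insns


def analyse_rdtsc_line(line: str):
    """Describe the rdtsc pair in one interceptor line; None if the line is not one."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    insns = parse_listing(m.group(3))
    reads = [i for i, (_, mnem, _) in enumerate(insns) if mnem == "rdtsc"]
    between = insns[reads[0] + 1:reads[-1]] if len(reads) >= 2 else []
    return {
        "first": m.group(1).upper(),
        "second": m.group(2).upper(),
        "same_site": m.group(1).lower() == m.group(2).lower(),
        "rdtsc_count": len(reads),
        "instructions_between": len(between),
        "cond_jumps_between": [mnem for _, mnem, _ in between if mnem in CONDITIONAL_JUMPS],
    }


def is_timing_check(result) -> bool:
    """Two reads around a short window with a branch on the delta, or the same read
    site re-executed, is the classic 'did this take too long to be bare metal' probe."""
    return result["rdtsc_count"] >= 2 and (
        bool(result["cond_jumps_between"]) or result["same_site"]
    )


def triage(lines):
    """Return (first address, verdict) for every interceptor line."""
    out = []
    for line in lines:
        r = analyse_rdtsc_line(line)
        if r is not None:
            out.append((r["first"], "timing check" if is_timing_check(r) else "single read"))
    return out


if __name__ == "__main__":
    for addr, verdict in triage(SAMPLE_LINES):
        print(addr, verdict)
```

Under a hypervisor that traps RDTSC, or when a debugger or instrumentation single-steps the window, the delta between the two reads is orders of magnitude larger than the few dozen cycles the five instructions in between would cost natively, which is what the compare-and-branch is measuring. The two hits here have the same listing at different base addresses, consistent with the same code being mapped into both process instances.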
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsy942F.tmp\System.dll
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe TID: 5620 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | Code function: 0_2_00405E7C FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | Code function: 0_2_00405438 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,LdrInitializeThunk,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | Code function: 0_2_00402645 FindFirstFileA
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | Code function: 8_2_00402645 FindFirstFileA
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | Code function: 8_2_00405E7C FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | Code function: 8_2_00405438 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,LdrInitializeThunk,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | File opened (six entries): C:\Users\user; C:\Users\user\AppData\Roaming\Microsoft\Windows; C:\Users\user\AppData; C:\Users\user\AppData\Roaming; C:\Users\user\AppData\Roaming\Microsoft; C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Source: employee record_pdf.bat.exe, 00000008.00000002.2780876766.0000000004A2F000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2734467600.0000000004A2E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW 5
Source: employee record_pdf.bat.exe, 00000008.00000003.1852804129.0000000004A5E000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2734467600.0000000004A5E000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2229812517.0000000004A5E000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.1975233074.0000000004A5E000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000002.2780876766.0000000004A5E000.00000004.00000020.00020000.00000000.sdmp, employee record_pdf.bat.exe, 00000008.00000003.2100822549.0000000004A5E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | API call chain: ExitProcess graph end node (graph_0-4691)
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | API call chain: ExitProcess graph end node (graph_0-4685)
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | Code function: 0_2_00402E62 LdrInitializeThunk,GetTickCount,GetTickCount,LdrInitializeThunk,MulDiv,wsprintfA,WriteFile,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,WriteFile
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | Code function: 0_2_00405EA3 GetModuleHandleA,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | Process created: C:\Users\user\Desktop\employee record_pdf.bat.exe "C:\Users\user\Desktop\employee record_pdf.bat.exe"
Source: C:\Users\user\Desktop\employee record_pdf.bat.exe | Code function: 0_2_00405B9A GetVersion,LdrInitializeThunk,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA
MITRE ATT&CK Matrix

Techniques matched by signatures, grouped by tactic (number of matching signatures in parentheses; the matrix's unmatched template cells are not listed):

Execution: Native API (1)
Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (11); DLL Side-Loading (1)
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (1); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1)
Discovery: Security Software Discovery (21); Virtualization/Sandbox Evasion (1); File and Directory Discovery (4); System Information Discovery (23)
Collection: Archive Collected Data (1); Clipboard Data (1)
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (14)
Impact: System Shutdown/Reboot (1)

No techniques were matched under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement or Exfiltration.