Windows Analysis Report
SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe

Overview

General Information

Sample Name: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe
Analysis ID: 626513
MD5: 6f790a9e28d73d498c89a19cfe941d1b
SHA1: 1ec63e32364359f656b29eb37e3a2af11ecc62a8
SHA256: 2241716c3ddff7b1f771a6e3c91b67ded01e9f78026ecc124863099dbe5ac405

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Antivirus detection for URL or domain
Yara detected GuLoader
Snort IDS alert for network traffic
Installs a global keyboard hook
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Performs DNS queries to domains with low reputation
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Sleep loop found (likely to delay execution)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

AV Detection

Source: 00000003.00000000.88522705017.0000000001660000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://185.236.228.217/private/Spread.bin"}
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Virustotal: Detection: 7%
Source: http://185.236.228.217/private/Spread.bin Avira URL Cloud: Label: malware
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mshtml.pdb source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe, 00000003.00000001.88525174490.0000000000649000.00000008.00000001.01000000.00000005.sdmp
Source: Binary string: mshtml.pdbUGP source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe, 00000003.00000001.88525174490.0000000000649000.00000008.00000001.01000000.00000005.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 1_2_00405D74
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_0040699E FindFirstFileW,FindClose, 1_2_0040699E
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_0040290B FindFirstFileW, 1_2_0040290B

Networking

Source: Traffic Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.11.20:49755 -> 185.236.228.217:80
Source: DNS query: top.banifabuse01.xyz
Source: Malware configuration extractor URLs: http://185.236.228.217/private/Spread.bin
Source: Joe Sandbox View ASN Name: COGENT-174US
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 178.237.33.50
Source: global traffic HTTP traffic detected: GET /private/Spread.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 185.236.228.217 Cache-Control: no-cache
Source: global traffic TCP traffic: 192.168.11.20:49756 -> 154.53.50.251:10100
Source: unknown TCP traffic detected without corresponding DNS query: 185.236.228.217
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe String found in binary or memory: http://aia.mesince.com/ms-tsa.cer02
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe String found in binary or memory: http://aia.mesince.com/ms.cer0
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe String found in binary or memory: http://crl.mesince.com/ms-tsa.crl0F
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe String found in binary or memory: http://crl.mesince.com/ms.crl0
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe, 00000003.00000001.88525174490.0000000000649000.00000008.00000001.01000000.00000005.sdmp String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe String found in binary or memory: http://ocsp.mesince.com0)
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe String found in binary or memory: http://ocsp.mesince.com0-
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe, 00000003.00000001.88525174490.0000000000649000.00000008.00000001.01000000.00000005.sdmp String found in binary or memory: http://www.gopher.ftp://ftp.
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe, 00000003.00000001.88525011308.0000000000626000.00000008.00000001.01000000.00000005.sdmp String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe String found in binary or memory: http://www.mesince.com/policy/0
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe, 00000003.00000001.88524790252.00000000005F2000.00000008.00000001.01000000.00000005.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe, 00000003.00000001.88524790252.00000000005F2000.00000008.00000001.01000000.00000005.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe, 00000003.00000001.88525174490.0000000000649000.00000008.00000001.01000000.00000005.sdmp String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: unknown DNS traffic detected: queries for: top.banifabuse01.xyz

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 1_2_00405809
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_00403640
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_00406D5F 1_2_00406D5F
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_70F01BFF 1_2_70F01BFF
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_0331E361 1_2_0331E361
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_0331872A 1_2_0331872A
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_03318B2C 1_2_03318B2C
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_03318714 1_2_03318714
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_0331E71C 1_2_0331E71C
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_03316757 1_2_03316757
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_03315346 1_2_03315346
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_03319348 1_2_03319348
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_03313FB8 1_2_03313FB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_03312BBA 1_2_03312BBA
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_03318F99 1_2_03318F99
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_033153F9 1_2_033153F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_033167F8 1_2_033167F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_03313FC0 1_2_03313FC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_033187C6 1_2_033187C6
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_0331623F 1_2_0331623F
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_03315628 1_2_03315628
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_03315A14 1_2_03315A14
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_03316216 1_2_03316216
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_0331520C 1_2_0331520C
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_03318E4D 1_2_03318E4D
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_033152B8 1_2_033152B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_033166A6 1_2_033166A6
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_0331928E 1_2_0331928E
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_033192F0 1_2_033192F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_033166F6 1_2_033166F6
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_0331EEEE 1_2_0331EEEE
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_03318D38 1_2_03318D38
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_0331692A 1_2_0331692A
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_03318D1D 1_2_03318D1D
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_0331550B 1_2_0331550B
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_03315170 1_2_03315170
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_0331894C 1_2_0331894C
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_033161B1 1_2_033161B1
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_033159BE 1_2_033159BE
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_033151AE 1_2_033151AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_03318DAE 1_2_03318DAE
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_03315D95 1_2_03315D95
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_0331519A 1_2_0331519A
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_0331559A 1_2_0331559A
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_033191F8 1_2_033191F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_033189FE 1_2_033189FE
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_03315429 1_2_03315429
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_0331886B 1_2_0331886B
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_0331404E 1_2_0331404E
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_033204D3 1_2_033204D3
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_033168C0 1_2_033168C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_033188C8 1_2_033188C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_033154CA 1_2_033154CA
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 3_3_000BCC65 3_3_000BCC65
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 3_3_000BCCF1 3_3_000BCCF1
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 3_3_000B3129 3_3_000B3129
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 3_3_000BCD4D 3_3_000BCD4D
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 3_3_000B3185 3_3_000B3185
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 3_3_000B31BD 3_3_000B31BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 3_3_000B3235 3_3_000B3235
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 3_3_000B32C1 3_3_000B32C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 3_3_000B331D 3_3_000B331D
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 3_3_000BCB59 3_3_000BCB59
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 3_3_000BCBB5 3_3_000BCBB5
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 3_3_000BCBED 3_3_000BCBED
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_0331E361 NtAllocateVirtualMemory, 1_2_0331E361
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_0331FBB0 NtProtectVirtualMemory, 1_2_0331FBB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_033200D8 NtResumeThread, 1_2_033200D8
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Section loaded: edgegdi.dll
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Static PE information: invalid certificate
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe "C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe "C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe "C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe File created: C:\Users\user\AppData\Roaming\Screenshots
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe File created: C:\Users\user\AppData\Local\Temp\nsg1010.tmp
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/845@2/3
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_004021AA CoCreateInstance, 1_2_004021AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 1_2_00404AB5
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Mutant created: \Sessions\1\BaseNamedObjects\Remcos-GJHL1W

Data Obfuscation

Source: Yara match File source: 00000003.00000000.88522705017.0000000001660000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.88646692887.0000000003311000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_70F030C0 push eax; ret 1_2_70F030EE
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_03317BCF pushfd ; iretd 1_2_03317BD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_03316DDB pushad ; ret 1_2_03316D95
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_03316DDD pushad ; ret 1_2_03316D95
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_03316C29 push ss; iretd 1_2_03316D26
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_03316C98 push ss; iretd 1_2_03316D26
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_0331B0F8 push 0000004Ch; retn 0008h 1_2_0331B16F
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 3_3_000BAD75 push esp; retf 3_3_000BAED9
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 3_3_000BA7D5 push cs; retf 3_3_000BAC09
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_70F01BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 1_2_70F01BFF
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe File created: C:\Users\user\AppData\Local\Temp\nsb10DD.tmp\System.dll

Hooking and other Techniques for Hiding and Protection

Source: initial sample Icon embedded in binary file: icon matches a legit application icon: download (31).png
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe File opened: C:\Program Files\qga\qga.exe
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe, 00000001.00000002.88646947549.0000000003401000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: NTDLLUSER32KERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSHTML.DLL
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe, 00000001.00000002.88646947549.0000000003401000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe TID: 7504 Thread sleep time: -32740s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe TID: 932 Thread sleep time: -900000s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Thread sleep count: Count: 6548 delay: -5
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_0331263A rdtsc 1_2_0331263A
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Window / User API: threadDelayed 6548
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Window / User API: foregroundWindowGot 800
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 1_2_00405D74
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_0040699E FindFirstFileW,FindClose, 1_2_0040699E
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_0040290B FindFirstFileW, 1_2_0040290B
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe API call chain: ExitProcess graph end node
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe, 00000001.00000002.88647288599.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe, 00000001.00000002.88647288599.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe, 00000001.00000002.88647288599.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe, 00000001.00000002.88647288599.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe, 00000001.00000002.88647288599.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe, 00000001.00000002.88647288599.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe, 00000001.00000002.88647288599.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe, 00000001.00000002.88646947549.0000000003401000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe, 00000001.00000002.88647288599.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe, 00000001.00000002.88647288599.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe, 00000001.00000002.88647288599.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe, 00000001.00000002.88647288599.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe, 00000001.00000002.88646947549.0000000003401000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\syswow64\mshtml.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_70F01BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 1_2_70F01BFF
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_0331263A rdtsc 1_2_0331263A
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_03318714 mov eax, dword ptr fs:[00000030h] 1_2_03318714
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_0331DF98 mov eax, dword ptr fs:[00000030h] 1_2_0331DF98
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_03318E4D mov ebx, dword ptr fs:[00000030h] 1_2_03318E4D
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_03318EEA mov ebx, dword ptr fs:[00000030h] 1_2_03318EEA
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_0331EEEE mov eax, dword ptr fs:[00000030h] 1_2_0331EEEE
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_0331D937 mov eax, dword ptr fs:[00000030h] 1_2_0331D937
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_03318D38 mov ebx, dword ptr fs:[00000030h] 1_2_03318D38
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_03318D1D mov ebx, dword ptr fs:[00000030h] 1_2_03318D1D
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_03318D1D mov eax, dword ptr fs:[00000030h] 1_2_03318D1D
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_03318DAE mov ebx, dword ptr fs:[00000030h] 1_2_03318DAE
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_0331519A mov eax, dword ptr fs:[00000030h] 1_2_0331519A
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_0331B4D6 mov eax, dword ptr fs:[00000030h] 1_2_0331B4D6
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe "C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.17738.exe Code function: 1_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_00403640