Windows Analysis Report
72EED30398363-0983BNDJ0398763536.exe

Overview

General Information

Sample Name: 72EED30398363-0983BNDJ0398763536.exe
Analysis ID: 632155
MD5: 511ad0297cd3e268e8d0c53c1207dc95
SHA1: aa466a3c5fb1a4c3ae77835fc3d592e8f7a0679b
SHA256: c527fc06df0bca1fe6ef47ff82e1a858af8b50877d97446c7898e5d1a80146a3
Infos:

Detection

GuLoader
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
Uses 32bit PE files
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
PE file contains more sections than normal
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Abnormal high CPU Usage
Contains functionality for read data from the clipboard

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: 72EED30398363-0983BNDJ0398763536.exe Virustotal: Detection: 10% Perma Link
Uses 32bit PE files
Source: 72EED30398363-0983BNDJ0398763536.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\FLOKDYRS Jump to behavior
Source: 72EED30398363-0983BNDJ0398763536.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: MapiProxy.pdb source: 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.765958699.000000000278D000.00000004.00000800.00020000.00000000.sdmp, MapiProxy.dll.0.dr
Source: Binary string: MapiProxy.pdb@ source: 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.765958699.000000000278D000.00000004.00000800.00020000.00000000.sdmp, MapiProxy.dll.0.dr
Source: Binary string: f:\bluetooth8.0.1.57\sw\src\WIN8_Mainline\ExtArch\UI\Win7UI\Prism\ObjectBuilder\obj\x64\Release\Microsoft.Practices.ObjectBuilder2.pdb source: 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.765958699.000000000278D000.00000004.00000800.00020000.00000000.sdmp, Microsoft.Practices.ObjectBuilder2.dll.0.dr
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D74
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 0_2_0040699E FindFirstFileW,FindClose, 0_2_0040699E
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.765958699.000000000278D000.00000004.00000800.00020000.00000000.sdmp, 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.762548137.000000000040A000.00000004.00000001.01000000.00000003.sdmp, MapiProxy.dll.0.dr, lang-1071.dll.0.dr, fzshellext_64.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.765958699.000000000278D000.00000004.00000800.00020000.00000000.sdmp, 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.762548137.000000000040A000.00000004.00000001.01000000.00000003.sdmp, MapiProxy.dll.0.dr, lang-1071.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.765958699.000000000278D000.00000004.00000800.00020000.00000000.sdmp, 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.762548137.000000000040A000.00000004.00000001.01000000.00000003.sdmp, MapiProxy.dll.0.dr, lang-1071.dll.0.dr, fzshellext_64.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.765958699.000000000278D000.00000004.00000800.00020000.00000000.sdmp, fzshellext_64.dll.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.765958699.000000000278D000.00000004.00000800.00020000.00000000.sdmp, 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.762548137.000000000040A000.00000004.00000001.01000000.00000003.sdmp, MapiProxy.dll.0.dr, lang-1071.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.765958699.000000000278D000.00000004.00000800.00020000.00000000.sdmp, 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.762548137.000000000040A000.00000004.00000001.01000000.00000003.sdmp, MapiProxy.dll.0.dr, lang-1071.dll.0.dr, fzshellext_64.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.765958699.000000000278D000.00000004.00000800.00020000.00000000.sdmp, 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.762548137.000000000040A000.00000004.00000001.01000000.00000003.sdmp, MapiProxy.dll.0.dr, lang-1071.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.765958699.000000000278D000.00000004.00000800.00020000.00000000.sdmp, 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.762548137.000000000040A000.00000004.00000001.01000000.00000003.sdmp, MapiProxy.dll.0.dr, lang-1071.dll.0.dr, fzshellext_64.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.765958699.000000000278D000.00000004.00000800.00020000.00000000.sdmp, 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.762548137.000000000040A000.00000004.00000001.01000000.00000003.sdmp, MapiProxy.dll.0.dr, lang-1071.dll.0.dr, fzshellext_64.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.765958699.000000000278D000.00000004.00000800.00020000.00000000.sdmp, MapiProxy.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.765958699.000000000278D000.00000004.00000800.00020000.00000000.sdmp, 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.762548137.000000000040A000.00000004.00000001.01000000.00000003.sdmp, lang-1071.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.765958699.000000000278D000.00000004.00000800.00020000.00000000.sdmp, 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.762548137.000000000040A000.00000004.00000001.01000000.00000003.sdmp, MapiProxy.dll.0.dr, lang-1071.dll.0.dr, fzshellext_64.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.765958699.000000000278D000.00000004.00000800.00020000.00000000.sdmp, fzshellext_64.dll.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: 72EED30398363-0983BNDJ0398763536.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.765958699.000000000278D000.00000004.00000800.00020000.00000000.sdmp, 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.762548137.000000000040A000.00000004.00000001.01000000.00000003.sdmp, MapiProxy.dll.0.dr, lang-1071.dll.0.dr, fzshellext_64.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.765958699.000000000278D000.00000004.00000800.00020000.00000000.sdmp, 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.762548137.000000000040A000.00000004.00000001.01000000.00000003.sdmp, MapiProxy.dll.0.dr, lang-1071.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.765958699.000000000278D000.00000004.00000800.00020000.00000000.sdmp, 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.762548137.000000000040A000.00000004.00000001.01000000.00000003.sdmp, MapiProxy.dll.0.dr, lang-1071.dll.0.dr, fzshellext_64.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.765958699.000000000278D000.00000004.00000800.00020000.00000000.sdmp, fzshellext_64.dll.0.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.765958699.000000000278D000.00000004.00000800.00020000.00000000.sdmp, 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.762548137.000000000040A000.00000004.00000001.01000000.00000003.sdmp, lang-1071.dll.0.dr String found in binary or memory: http://www.avast.com0/
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.765958699.000000000278D000.00000004.00000800.00020000.00000000.sdmp, MapiProxy.dll.0.dr, fzshellext_64.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.765958699.000000000278D000.00000004.00000800.00020000.00000000.sdmp, MapiProxy.dll.0.dr String found in binary or memory: https://mozilla.org0
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.765958699.000000000278D000.00000004.00000800.00020000.00000000.sdmp, fzshellext_64.dll.0.dr String found in binary or memory: https://sectigo.com/CPS0C
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.765958699.000000000278D000.00000004.00000800.00020000.00000000.sdmp, 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.762548137.000000000040A000.00000004.00000001.01000000.00000003.sdmp, MapiProxy.dll.0.dr, lang-1071.dll.0.dr, fzshellext_64.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 0_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405809
Uses 32bit PE files
Source: 72EED30398363-0983BNDJ0398763536.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
PE file does not import any functions
Source: Microsoft.Practices.ObjectBuilder2.dll.0.dr Static PE information: No import functions for PE file found
Source: lang-1071.dll.0.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.765958699.000000000278D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMapiProxy.dll8 vs 72EED30398363-0983BNDJ0398763536.exe
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.765958699.000000000278D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Practices.ObjectBuilder2.dllT vs 72EED30398363-0983BNDJ0398763536.exe
Source: 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.765958699.000000000278D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefzshellext.dllb! vs 72EED30398363-0983BNDJ0398763536.exe
PE file contains strange resources
Source: 72EED30398363-0983BNDJ0398763536.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640
Detected potential crypto function
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 0_2_00406D5F 0_2_00406D5F
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 0_2_732A1BFF 0_2_732A1BFF
PE file contains more sections than normal
Source: fzshellext_64.dll.0.dr Static PE information: Number of sections : 12 > 10
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Process Stats: CPU usage > 98%
Source: 72EED30398363-0983BNDJ0398763536.exe Virustotal: Detection: 10%
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe File read: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Jump to behavior
Source: 72EED30398363-0983BNDJ0398763536.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe File created: C:\Users\user\AppData\Local\Temp\nsa450C.tmp Jump to behavior
Source: classification engine Classification label: mal60.troj.evad.winEXE@1/14@0/0
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 0_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404AB5
Source: 72EED30398363-0983BNDJ0398763536.exe Static file information: File size 1141532 > 1048576
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\FLOKDYRS Jump to behavior
Source: 72EED30398363-0983BNDJ0398763536.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: MapiProxy.pdb source: 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.765958699.000000000278D000.00000004.00000800.00020000.00000000.sdmp, MapiProxy.dll.0.dr
Source: Binary string: MapiProxy.pdb@ source: 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.765958699.000000000278D000.00000004.00000800.00020000.00000000.sdmp, MapiProxy.dll.0.dr
Source: Binary string: f:\bluetooth8.0.1.57\sw\src\WIN8_Mainline\ExtArch\UI\Win7UI\Prism\ObjectBuilder\obj\x64\Release\Microsoft.Practices.ObjectBuilder2.pdb source: 72EED30398363-0983BNDJ0398763536.exe, 00000000.00000002.765958699.000000000278D000.00000004.00000800.00020000.00000000.sdmp, Microsoft.Practices.ObjectBuilder2.dll.0.dr

Data Obfuscation
barindex
Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.769168280.0000000003060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 0_2_732A30C0 push eax; ret 0_2_732A30EE
PE file contains sections with non-standard names
Source: MapiProxy.dll.0.dr Static PE information: section name: .00cfg
Source: MapiProxy.dll.0.dr Static PE information: section name: .orpc
Source: fzshellext_64.dll.0.dr Static PE information: section name: .xdata
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 0_2_732A1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_732A1BFF
Drops PE files
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe File created: C:\Users\user\AppData\Local\Temp\lang-1071.dll Jump to dropped file
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe File created: C:\Users\user\AppData\Local\Temp\Microsoft.Practices.ObjectBuilder2.dll Jump to dropped file
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe File created: C:\Users\user\AppData\Local\Temp\nsw5376.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe File created: C:\Users\user\AppData\Local\Temp\fzshellext_64.dll Jump to dropped file
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe File created: C:\Users\user\AppData\Local\Temp\MapiProxy.dll Jump to dropped file
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe RDTSC instruction interceptor: First address: 00000000030605BA second address: 00000000030605BA instructions: 0x00000000 rdtsc 0x00000002 cmp edx, eax 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F6550733354h 0x00000008 inc ebp 0x00000009 test bh, bh 0x0000000b inc ebx 0x0000000c test cl, dl 0x0000000e rdtsc
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lang-1071.dll Jump to dropped file
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Microsoft.Practices.ObjectBuilder2.dll Jump to dropped file
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\fzshellext_64.dll Jump to dropped file
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MapiProxy.dll Jump to dropped file
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D74
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 0_2_0040699E FindFirstFileW,FindClose, 0_2_0040699E
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe API call chain: ExitProcess graph end node
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 0_2_732A1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_732A1BFF
Source: C:\Users\user\Desktop\72EED30398363-0983BNDJ0398763536.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 632155 Sample: 72EED30398363-0983BNDJ03987... Startdate: 23/05/2022 Architecture: WINDOWS Score: 60 17 Multi AV Scanner detection for submitted file 2->17 19 Yara detected GuLoader 2->19 5 72EED30398363-0983BNDJ0398763536.exe 4 34 2->5         started        process3 file4 9 C:\Users\user\AppData\Local\...\System.dll, PE32 5->9 dropped 11 C:\Users\user\AppData\Local\...\lang-1071.dll, PE32 5->11 dropped 13 C:\Users\user\AppData\...\fzshellext_64.dll, PE32+ 5->13 dropped 15 2 other files (none is malicious) 5->15 dropped 21 Tries to detect virtualization through RDTSC time measurements 5->21 signatures5
No contacted IP infos