Windows Analysis Report
SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.9624

Overview

General Information

Sample Name:	SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.9624 (renamed file extension from 9624 to exe)
Analysis ID:	635390
MD5:	77436b29832ded92b60491ea36018196
SHA1:	0314eca204964e3e189b0c0aed7f449e487dc98e
SHA256:	b19c8495104c354de9aa1b3403bff2d1211a89fe8892e866d2d8dfd7bb0ba5da
Tags:	exe
Infos:

Detection

GuLoader

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Tries to detect virtualization through RDTSC time measurements

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Binary contains a suspicious time stamp

Detected potential crypto function

PE file contains more sections than normal

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Classification

Signatures

AV Detection

Found malware configuration

Source: 00000000.00000002.778304741.0000000002830000.00000040.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "http://donaldtrumpverse.com/kO4_tiMHM116.bin"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Virustotal: Detection: 42%			Perma Link
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	ReversingLabs: Detection: 21%

Uses 32bit PE files

Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\PARANTHRACENE

Jump to behavior

Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: msvcr100.i386.pdb source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.777977082.000000000040D000.00000004.00000001.01000000.00000003.sdmp, msvcr100.dll.0.dr
Source:	Binary string: F:\jnks\workspace\Modern_Psdr_Master_UCDE\CDMDataEventHandlerLibrary\CDMDataEventHandler\obj\Release\net46\CDMDataEventHandler.pdbSHA2562 source: CDMDataEventHandler.dll.0.dr
Source:	Binary string: F:\jnks\workspace\Modern_Psdr_Master_UCDE\CDMDataEventHandlerLibrary\CDMDataEventHandler\obj\Release\net46\CDMDataEventHandler.pdb source: CDMDataEventHandler.dll.0.dr

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C49
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Code function: 0_2_00406873 FindFirstFileW,FindClose,	0_2_00406873
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://donaldtrumpverse.com/kO4_tiMHM116.bin

Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: https://pie-us1.api.ws-hp.com/clienttelemetry
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: https://schemaregistry.analysis.ext.hp.com/cdm/gun/com.hp.cdm.platform.software.domain.eventing.reso
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: https://schemaregistry.analysis.ext.hp.com/cdm/id/sw/originatorDetail.schema.json
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: https://schemaregistry.analysis.ext.hp.com/cdm/id/sw/sysInfoBase.schema.json
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: https://stage-us1.api.ws-hp.com/clienttelemetry
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: https://us1.api.ws-hp.com/clienttelemetry
Source: CDMDataEventHandler.dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Code function: 0_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004056DE

Uses 32bit PE files

Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.777977082.000000000040D000.00000004.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenamemsvcr100_clr0400.dll^ vs SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

PE file contains strange resources

Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040352D

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Code function: 0_2_0040755C	0_2_0040755C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Code function: 0_2_00406D85	0_2_00406D85
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Code function: 0_2_732F1BFF	0_2_732F1BFF

PE file contains more sections than normal

Source: libLerc.dll.0.dr	Static PE information: Number of sections : 11 > 10
Source: libenchant-2.dll.0.dr	Static PE information: Number of sections : 12 > 10
Source: gspawn-win64-helper.exe.0.dr	Static PE information: Number of sections : 11 > 10

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Process Stats: CPU usage > 98%

Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Virustotal: Detection: 42%
Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	ReversingLabs: Detection: 21%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Jump to behavior

Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

0_2_0040352D

Source: CDMDataEventHandler.dll.0.dr, Hp.CDMDataEventHandler/Sender/TelemetrySender.cs

Base64 encoded string: 'uWg5oksEUHoewK5WcwMNmfkglf2HF7AWQAGHYz0VfFMeg1YF2aEU/2OPoeETAl78'

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

File created: C:\Users\user\AppData\Local\Temp\nsf2D9B.tmp

Jump to behavior

Source: classification engine

Classification label: mal72.troj.evad.winEXE@1/11@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Code function: 0_2_004021AA CoCreateInstance,

0_2_004021AA

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Code function: 0_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_0040498A

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\PARANTHRACENE

Jump to behavior

Source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: msvcr100.i386.pdb source: SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe, 00000000.00000002.777977082.000000000040D000.00000004.00000001.01000000.00000003.sdmp, msvcr100.dll.0.dr
Source:	Binary string: F:\jnks\workspace\Modern_Psdr_Master_UCDE\CDMDataEventHandlerLibrary\CDMDataEventHandler\obj\Release\net46\CDMDataEventHandler.pdbSHA2562 source: CDMDataEventHandler.dll.0.dr
Source:	Binary string: F:\jnks\workspace\Modern_Psdr_Master_UCDE\CDMDataEventHandlerLibrary\CDMDataEventHandler\obj\Release\net46\CDMDataEventHandler.pdb source: CDMDataEventHandler.dll.0.dr

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.778304741.0000000002830000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Code function: 0_2_732F30C0 push eax; ret

0_2_732F30EE

PE file contains sections with non-standard names

Source: gspawn-win64-helper.exe.0.dr	Static PE information: section name: .xdata
Source: libLerc.dll.0.dr	Static PE information: section name: .xdata
Source: libenchant-2.dll.0.dr	Static PE information: section name: .xdata

Binary contains a suspicious time stamp

Source: CDMDataEventHandler.dll.0.dr

Static PE information: 0x9C213F02 [Thu Jan 2 09:55:14 2053 UTC]

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Code function: 0_2_732F1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_732F1BFF

Source: initial sample

Static PE information: section name: .text entropy: 6.90904492268

Drops PE files

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	File created: C:\Users\user\AppData\Local\Temp\gspawn-win64-helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	File created: C:\Users\user\AppData\Local\Temp\nsw2F33.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	File created: C:\Users\user\AppData\Local\Temp\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	File created: C:\Users\user\AppData\Local\Temp\libenchant-2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	File created: C:\Users\user\AppData\Local\Temp\CDMDataEventHandler.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	File created: C:\Users\user\AppData\Local\Temp\libLerc.dll	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

RDTSC instruction interceptor: First address: 00000000028326C8 second address: 00000000028326C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBF7CBD79B2h 0x00000004 cmp dl, bl 0x00000006 cmp ebx, ecx 0x00000008 jc 00007FBF7CBD7926h 0x0000000a inc ebp 0x0000000b inc ebx 0x0000000c rdtsc

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\gspawn-win64-helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\libenchant-2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CDMDataEventHandler.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\libLerc.dll	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C49
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Code function: 0_2_00406873 FindFirstFileW,FindClose,	0_2_00406873
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe	API call chain: ExitProcess graph end node

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

Code function: 0_2_732F1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_732F1BFF

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.exe

0_2_0040352D

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://donaldtrumpverse.com/kO4_tiMHM116.bin	true	Avira URL Cloud: safe	unknown

ID:	635390
Product:	CloudBasic
Start time:	20:56:02
Start date:	27.05.2022
Sample:	SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.9624
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	77436b29832ded92b60491ea36018196
SHA1:	0314eca204964e3e189b0c0aed7f449e487dc98e
SHA256:	b19c8495104c354de9aa1b3403bff2d1211a89fe8892e866d2d8dfd7bb0ba5da
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\Auriculariae5.Reo2	data	B884606DE1CB711FA0FABBA8384FA60C	2ECD66DE4565AF1C7F8A7016BEAB49B7A7F1CDEA	246459B881CCE72B63AD541D0E8B29A3CB4A14ED193D08BDB68159A32F786539
C:\Users\user\AppData\Local\Temp\Bluetooth Suite help_ITA.chm	MS Windows HtmlHelp Data	27729CF331D3767DF077F52B262D88F3	EF4B6F74A0608B5A4DC6E3CA465A96137C1CAD74	CA601E57DD2C1E6E92145A8A19083599261B626A4D26B04D8C3FD5BDDDB2CB0D
C:\Users\user\AppData\Local\Temp\CDMDataEventHandler.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	25F3ECFD195030F6B1BAD60E5EF97163	749B7E267CDBBC83783DFA4C7BF45134556C13D7	FCD740746D2B3E01945E6A099AB4CDD06ECE05818E25D08C5DDAFBD333B0DC84
C:\Users\user\AppData\Local\Temp\Forynget2.Mir	ASCII text, with very long lines, with no line terminators	B62B20F6B03B0C3A561EA7B0AEB0E812	72B3F32CE0DB4909D7CF0C4385718188C61CA2C6	12C49D1622818D8454A1E4BB2EFBF21459CCE0C284A31D53E775B0B24EC849CF
C:\Users\user\AppData\Local\Temp\gspawn-win64-helper.exe	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows	8154B723020AEE70829FFC138C9D1C4C	6F7AF3827B37845F071625458DF1DB8BA9056FD6	902F9D2A239CCAEBA677DB5838654FB6CE7CF3D21243B8EF122E9D970714B0D3
C:\Users\user\AppData\Local\Temp\libLerc.dll	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows	58BFEB91921D4882F7EDABAB9C0C1C17	596DB0512A25089EF7CDE48CA3393E4F6878FF90	5C9DB6D64BAF0250735368825CEC3032EC39999F266125D132157ECC0403EE12
C:\Users\user\AppData\Local\Temp\libenchant-2.dll	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows	6A9928C42EB4375CCEF3A025F3535795	395703F4970B42F55C2BCB2B8CF3F0D12E192CEB	CAA457EF4BD84476790D215FFFF048DEB162CABC14DB3FF679795CCEA8972411
C:\Users\user\AppData\Local\Temp\msvcr100.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	0E37FBFA79D349D672456923EC5FBBE3	4E880FC7625CCF8D9CA799D5B94CE2B1E7597335	8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
C:\Users\user\AppData\Local\Temp\nsw2F33.tmp\System.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	CFF85C549D536F651D4FB8387F1976F2	D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E	8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
C:\Users\user\AppData\Local\Temp\system-shutdown.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	84D033B14C06568FA57352CCF18D8D35	1D75B42F61842E8B0FA8D811DAC72B313CDDCA74	3989B93626DC3ED6EF03430AD0B1FF5C6E358DAC76E34ED7C8086579B68E660F
C:\Users\user\AppData\Local\Temp\zoom-out-symbolic.svg	SVG Scalable Vector Graphics image	C05C42CB3D95BF3BC7F49CCD8DCCA510	20442E344E95508586B1B2A7B4C6272C3F5C86F8	695554CE5F23A275D3C25C27410D0CFBF8A83156807DAA3A601635E4E5D8AED0

Windows Analysis Report
SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.9624

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted URLs

Windows Analysis Report SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.9624

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted URLs

Windows Analysis Report
SecuriteInfo.com.Gen.Variant.Nemesis.7222.26141.9624