Windows Analysis Report
Order_002376662-579588_Date 24082022.exe

Overview

General Information

Sample Name: Order_002376662-579588_Date 24082022.exe
Analysis ID: 694559
MD5: 8c2a59bd88b7e2c26045a604ed544288
SHA1: 7efb014d57608ff6a2805baf4dd7c150792e6eb4
SHA256: 0d4b100e641aad426a916cb326d20f8fe44e32ca38f7a85c505135036c6b44af
Tags: exe, signed

Detection

Detected family: GuLoader
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Initial sample is a PE file and has a suspicious name
Tries to detect virtualization through RDTSC time measurements
Uses 32bit PE files
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Stores files to the Windows start menu directory
PE / OLE file has an invalid certificate
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Abnormal high CPU Usage
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • cleanup
No configs have been found
Yara match:
Source: 00000002.00000002.829249266.00000000030C0000.00000040.00001000.00020000.00000000.sdmp
Rule: JoeSecurity_GuLoader_2
Description: Yara detected GuLoader
Author: Joe Security
Strings: (none listed)
    No Sigma rule has matched
    No Snort rule has matched

    AV Detection

    Source: Order_002376662-579588_Date 24082022.exe | Metadefender: Detection: 27%
    Source: Order_002376662-579588_Date 24082022.exe | ReversingLabs: Detection: 65%
    Source: Order_002376662-579588_Date 24082022.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Platooned\Ananthropism
    Source: Order_002376662-579588_Date 24082022.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: Binary string: D:\SourceCode\GC3.GPUPowerSaving\production_V4.2.12.3\Service\ConfigEditorCS\obj\Release\GPUPowerSavingConfigEditor.pdb source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Code function: 2_2_00405861 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Code function: 2_2_0040639C FindFirstFileA,FindClose
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Code function: 2_2_004026F8 FindFirstFileA
    Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
    Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
    Source: Order_002376662-579588_Date 24082022.exe | String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
    Source: Order_002376662-579588_Date 24082022.exe | String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
    Source: Order_002376662-579588_Date 24082022.exe | String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
    Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr | String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
    Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
    Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr | String found in binary or memory: http://crl.globalsign.com/root.crl0G
    Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
    Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
    Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
    Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
    Source: Order_002376662-579588_Date 24082022.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
    Source: Order_002376662-579588_Date 24082022.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
    Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr | String found in binary or memory: http://ocsp.digicert.com0C
    Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr | String found in binary or memory: http://ocsp.digicert.com0O
    Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr | String found in binary or memory: http://ocsp.globalsign.com/rootr103
    Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr | String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
    Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
    Source: Order_002376662-579588_Date 24082022.exe | String found in binary or memory: http://repository.certum.pl/ctnca.cer09
    Source: Order_002376662-579588_Date 24082022.exe | String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
    Source: Order_002376662-579588_Date 24082022.exe | String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0
    Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
    Source: Order_002376662-579588_Date 24082022.exe | String found in binary or memory: http://subca.ocsp-certum.com01
    Source: Order_002376662-579588_Date 24082022.exe | String found in binary or memory: http://subca.ocsp-certum.com02
    Source: Order_002376662-579588_Date 24082022.exe | String found in binary or memory: http://subca.ocsp-certum.com05
    Source: Order_002376662-579588_Date 24082022.exe | String found in binary or memory: http://www.certum.pl/CPS0
    Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr | String found in binary or memory: http://www.digicert.com/CPS0
    Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr | String found in binary or memory: https://www.digicert.com/CPS0
    Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr | String found in binary or memory: https://www.globalsign.com/repository/0
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Code function: 2_2_004052FE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard

    System Summary

    Source: initial sample | Static PE information: Filename: Order_002376662-579588_Date 24082022.exe
    Source: Order_002376662-579588_Date 24082022.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: GPUPowerSavingConfigEditor.dll.2.dr | Static PE information: No import functions for PE file found
    Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameGPUPowerSavingConfigEditor.dll< vs Order_002376662-579588_Date 24082022.exe
    Source: Order_002376662-579588_Date 24082022.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: Order_002376662-579588_Date 24082022.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Code function: 2_2_0040330D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | File created: C:\Windows\resources\0409
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Code function: 2_2_00406725
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Code function: 2_2_00404B3D
    Source: Order_002376662-579588_Date 24082022.exe | Static PE information: invalid certificate
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Process Stats: CPU usage > 98%
    Source: Order_002376662-579588_Date 24082022.exe | Metadefender: Detection: 27%
    Source: Order_002376662-579588_Date 24082022.exe | ReversingLabs: Detection: 65%
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | File read: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
    Source: Order_002376662-579588_Date 24082022.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Code function: 2_2_0040330D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | File created: C:\Users\user\AppData\Local\Temp\nsn2719.tmp
    Source: classification engine | Classification label: mal64.troj.evad.winEXE@1/7@0/0
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Code function: 2_2_004020CB CoCreateInstance,MultiByteToWideChar
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | File read: C:\Users\desktop.ini
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Code function: 2_2_004045CA GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Platooned\Ananthropism
    Source: Order_002376662-579588_Date 24082022.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: Binary string: D:\SourceCode\GC3.GPUPowerSaving\production_V4.2.12.3\Service\ConfigEditorCS\obj\Release\GPUPowerSavingConfigEditor.pdb source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.829004548.000000000277A000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr

    Data Obfuscation

    Source: Yara match | File source: 00000002.00000002.829249266.00000000030C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Code function: 2_2_10002D20 push eax; ret
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Code function: 2_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | File created (dropped file): C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\GPUPowerSavingConfigEditor.dll
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | File created (dropped file): C:\Users\user\AppData\Local\Temp\nsb3C99.tmp\System.dll
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Noneffervescently.Cre
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Kalligraferendes
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Kalligraferendes\Quantisers
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Kalligraferendes\Quantisers\Aqua_20.bmp
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Forhaanet.Nab
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\GPUPowerSavingConfigEditor.dll
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\face-cool.png
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79\iso_3166-1.json
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | RDTSC instruction interceptor: First address: 00000000030C2A2F second address: 00000000030C2A2F instructions: 0x00000000 rdtsc; 0x00000002 cmp ebx, ecx; 0x00000004 jc 00007EFC0CCA9B97h; 0x00000006 inc ebp; 0x00000007 inc ebx; 0x00000008 test dx, dx; 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\GPUPowerSavingConfigEditor.dll
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Code function: 2_2_00405861 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Code function: 2_2_0040639C FindFirstFileA,FindClose
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Code function: 2_2_004026F8 FindFirstFileA
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | API call chain: ExitProcess graph end node
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | API call chain: ExitProcess graph end node
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Code function: 2_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA
    Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe | Code function: 2_2_0040330D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess

    MITRE ATT&CK Matrix
    (Techniques listed per tactic; a number in parentheses is the count prefixed to that technique in the original matrix.)

    Initial Access: Valid Accounts; Default Accounts; Domain Accounts
    Execution: Native API (1); Scheduled Task/Job; At (Linux)
    Persistence: Windows Service (1); Registry Run Keys / Startup Folder (1); Logon Script (Windows)
    Privilege Escalation: Access Token Manipulation (1); Windows Service (1); Registry Run Keys / Startup Folder (1)
    Defense Evasion: Masquerading (11); Access Token Manipulation (1); Obfuscated Files or Information (1)
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
    Discovery: Security Software Discovery (1); File and Directory Discovery (2); System Information Discovery (13)
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
    Collection: Archive Collected Data (1); Clipboard Data (1); Data from Network Shared Drive
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
    Command and Control: Encrypted Channel (1); Junk Data; Steganography
    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
    Impact: System Shutdown/Reboot (1); Device Lockout; Delete Device Data