Windows Analysis Report
PO No. 3200005919.exe

Overview

General Information

Sample Name: PO No. 3200005919.exe
Analysis ID: 755357
MD5: 9453cdcf8221341d06bac47b8ab3aa19
SHA1: c35a23cdc61eb42594e1a39a23ccae06399263c0
SHA256: 7490acc48d1659234d61c1716c0d549880a98375f502502b60dcc71b49f7f14f
Tags: exe

Detection

GuLoader
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
Uses 32bit PE files
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Found dropped PE file which has not been started or loaded
Abnormal high CPU Usage
Contains functionality to read data from the clipboard

Classification

AV Detection

Source: PO No. 3200005919.exe Virustotal: Detection: 47%
Source: PO No. 3200005919.exe ReversingLabs: Detection: 61%
Source: PO No. 3200005919.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: PO No. 3200005919.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Kelly1076\__HITDisplay__\00_Code\ProArt Code_Git\ProArt\x64\Release\WMIMethod.pdb source: PO No. 3200005919.exe, 00000000.00000002.760167646.000000000040A000.00000004.00000001.01000000.00000003.sdmp, PO No. 3200005919.exe, 00000000.00000002.760693342.0000000002859000.00000004.00000800.00020000.00000000.sdmp, WMIMethod.dll.0.dr
Source: Binary string: qipcap.pdb source: PO No. 3200005919.exe, 00000000.00000002.760167646.000000000040A000.00000004.00000001.01000000.00000003.sdmp, PO No. 3200005919.exe, 00000000.00000002.760693342.0000000002859000.00000004.00000800.00020000.00000000.sdmp, qipcap.dll.0.dr
Source: Binary string: qipcap.pdb0 source: PO No. 3200005919.exe, 00000000.00000002.760167646.000000000040A000.00000004.00000001.01000000.00000003.sdmp, PO No. 3200005919.exe, 00000000.00000002.760693342.0000000002859000.00000004.00000800.00020000.00000000.sdmp, qipcap.dll.0.dr
Source: C:\Users\user\Desktop\PO No. 3200005919.exe Code function: 0_2_00402862 FindFirstFileW, 0_2_00402862
Source: C:\Users\user\Desktop\PO No. 3200005919.exe Code function: 0_2_004066F3 FindFirstFileW,FindClose, 0_2_004066F3
Source: C:\Users\user\Desktop\PO No. 3200005919.exe Code function: 0_2_00405ABE CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405ABE
Source: PO No. 3200005919.exe, 00000000.00000002.760167646.000000000040A000.00000004.00000001.01000000.00000003.sdmp, PO No. 3200005919.exe, 00000000.00000002.760693342.0000000002859000.00000004.00000800.00020000.00000000.sdmp, qipcap.dll.0.dr, WMIMethod.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: PO No. 3200005919.exe, 00000000.00000002.760693342.0000000002859000.00000004.00000800.00020000.00000000.sdmp, WMIMethod.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: PO No. 3200005919.exe, 00000000.00000002.760167646.000000000040A000.00000004.00000001.01000000.00000003.sdmp, PO No. 3200005919.exe, 00000000.00000002.760693342.0000000002859000.00000004.00000800.00020000.00000000.sdmp, WMIMethod.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: PO No. 3200005919.exe, 00000000.00000002.760167646.000000000040A000.00000004.00000001.01000000.00000003.sdmp, PO No. 3200005919.exe, 00000000.00000002.760693342.0000000002859000.00000004.00000800.00020000.00000000.sdmp, qipcap.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: PO No. 3200005919.exe, 00000000.00000002.760167646.000000000040A000.00000004.00000001.01000000.00000003.sdmp, PO No. 3200005919.exe, 00000000.00000002.760693342.0000000002859000.00000004.00000800.00020000.00000000.sdmp, qipcap.dll.0.dr, WMIMethod.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: PO No. 3200005919.exe, 00000000.00000002.760167646.000000000040A000.00000004.00000001.01000000.00000003.sdmp, PO No. 3200005919.exe, 00000000.00000002.760693342.0000000002859000.00000004.00000800.00020000.00000000.sdmp, qipcap.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: PO No. 3200005919.exe, 00000000.00000002.760167646.000000000040A000.00000004.00000001.01000000.00000003.sdmp, PO No. 3200005919.exe, 00000000.00000002.760693342.0000000002859000.00000004.00000800.00020000.00000000.sdmp, qipcap.dll.0.dr, WMIMethod.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: PO No. 3200005919.exe, 00000000.00000002.760167646.000000000040A000.00000004.00000001.01000000.00000003.sdmp, PO No. 3200005919.exe, 00000000.00000002.760693342.0000000002859000.00000004.00000800.00020000.00000000.sdmp, WMIMethod.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: PO No. 3200005919.exe, 00000000.00000002.760693342.0000000002859000.00000004.00000800.00020000.00000000.sdmp, WMIMethod.dll.0.dr String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: PO No. 3200005919.exe, 00000000.00000002.760167646.000000000040A000.00000004.00000001.01000000.00000003.sdmp, PO No. 3200005919.exe, 00000000.00000002.760693342.0000000002859000.00000004.00000800.00020000.00000000.sdmp, qipcap.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: PO No. 3200005919.exe, 00000000.00000002.760167646.000000000040A000.00000004.00000001.01000000.00000003.sdmp, PO No. 3200005919.exe, 00000000.00000002.760693342.0000000002859000.00000004.00000800.00020000.00000000.sdmp, qipcap.dll.0.dr, WMIMethod.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: PO No. 3200005919.exe, 00000000.00000002.760167646.000000000040A000.00000004.00000001.01000000.00000003.sdmp, PO No. 3200005919.exe, 00000000.00000002.760693342.0000000002859000.00000004.00000800.00020000.00000000.sdmp, qipcap.dll.0.dr, WMIMethod.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: PO No. 3200005919.exe, 00000000.00000002.760167646.000000000040A000.00000004.00000001.01000000.00000003.sdmp, PO No. 3200005919.exe, 00000000.00000002.760693342.0000000002859000.00000004.00000800.00020000.00000000.sdmp, WMIMethod.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: PO No. 3200005919.exe, 00000000.00000002.760693342.0000000002859000.00000004.00000800.00020000.00000000.sdmp, WMIMethod.dll.0.dr String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: PO No. 3200005919.exe, 00000000.00000002.760167646.000000000040A000.00000004.00000001.01000000.00000003.sdmp, PO No. 3200005919.exe, 00000000.00000002.760693342.0000000002859000.00000004.00000800.00020000.00000000.sdmp, qipcap.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: PO No. 3200005919.exe, 00000000.00000002.760167646.000000000040A000.00000004.00000001.01000000.00000003.sdmp, PO No. 3200005919.exe, 00000000.00000002.760693342.0000000002859000.00000004.00000800.00020000.00000000.sdmp, qipcap.dll.0.dr, WMIMethod.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: PO No. 3200005919.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: PO No. 3200005919.exe, 00000000.00000002.760167646.000000000040A000.00000004.00000001.01000000.00000003.sdmp, PO No. 3200005919.exe, 00000000.00000002.760693342.0000000002859000.00000004.00000800.00020000.00000000.sdmp, qipcap.dll.0.dr, WMIMethod.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: PO No. 3200005919.exe, 00000000.00000002.760693342.0000000002859000.00000004.00000800.00020000.00000000.sdmp, WMIMethod.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0H
Source: PO No. 3200005919.exe, 00000000.00000002.760167646.000000000040A000.00000004.00000001.01000000.00000003.sdmp, PO No. 3200005919.exe, 00000000.00000002.760693342.0000000002859000.00000004.00000800.00020000.00000000.sdmp, WMIMethod.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: PO No. 3200005919.exe, 00000000.00000002.760167646.000000000040A000.00000004.00000001.01000000.00000003.sdmp, PO No. 3200005919.exe, 00000000.00000002.760693342.0000000002859000.00000004.00000800.00020000.00000000.sdmp, qipcap.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: PO No. 3200005919.exe, 00000000.00000002.760167646.000000000040A000.00000004.00000001.01000000.00000003.sdmp, PO No. 3200005919.exe, 00000000.00000002.760693342.0000000002859000.00000004.00000800.00020000.00000000.sdmp, qipcap.dll.0.dr, WMIMethod.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: PO No. 3200005919.exe, 00000000.00000002.760167646.000000000040A000.00000004.00000001.01000000.00000003.sdmp, PO No. 3200005919.exe, 00000000.00000002.760693342.0000000002859000.00000004.00000800.00020000.00000000.sdmp, qipcap.dll.0.dr, WMIMethod.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: PO No. 3200005919.exe, 00000000.00000002.760167646.000000000040A000.00000004.00000001.01000000.00000003.sdmp, PO No. 3200005919.exe, 00000000.00000002.760693342.0000000002859000.00000004.00000800.00020000.00000000.sdmp, WMIMethod.dll.0.dr String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: PO No. 3200005919.exe, 00000000.00000002.760167646.000000000040A000.00000004.00000001.01000000.00000003.sdmp, PO No. 3200005919.exe, 00000000.00000002.760693342.0000000002859000.00000004.00000800.00020000.00000000.sdmp, qipcap.dll.0.dr String found in binary or memory: https://mozilla.org0
Source: PO No. 3200005919.exe, 00000000.00000002.760167646.000000000040A000.00000004.00000001.01000000.00000003.sdmp, PO No. 3200005919.exe, 00000000.00000002.760693342.0000000002859000.00000004.00000800.00020000.00000000.sdmp, qipcap.dll.0.dr, WMIMethod.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: C:\Users\user\Desktop\PO No. 3200005919.exe Code function: 0_2_00405553 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405553
Source: PO No. 3200005919.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: PO No. 3200005919.exe, 00000000.00000002.760167646.000000000040A000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameqipcap.dll8 vs PO No. 3200005919.exe
Source: PO No. 3200005919.exe, 00000000.00000002.760693342.0000000002859000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWMIMethod.dllL vs PO No. 3200005919.exe
Source: PO No. 3200005919.exe, 00000000.00000002.760693342.0000000002859000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameqipcap.dll8 vs PO No. 3200005919.exe
Source: C:\Users\user\Desktop\PO No. 3200005919.exe Code function: 0_2_00403489 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403489
Source: C:\Users\user\Desktop\PO No. 3200005919.exe File created: C:\Windows\leprousness.lnk
Source: C:\Users\user\Desktop\PO No. 3200005919.exe Code function: 0_2_00404D90 0_2_00404D90
Source: C:\Users\user\Desktop\PO No. 3200005919.exe Code function: 0_2_00406ABA 0_2_00406ABA
Source: C:\Users\user\Desktop\PO No. 3200005919.exe Process Stats: CPU usage > 98%
Source: PO No. 3200005919.exe Virustotal: Detection: 47%
Source: PO No. 3200005919.exe ReversingLabs: Detection: 61%
Source: C:\Users\user\Desktop\PO No. 3200005919.exe File read: C:\Users\user\Desktop\PO No. 3200005919.exe
Source: PO No. 3200005919.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PO No. 3200005919.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\PO No. 3200005919.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\PO No. 3200005919.exe Code function: 0_2_00403489 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403489
Source: C:\Users\user\Desktop\PO No. 3200005919.exe File created: C:\Users\user\Overfurnished
Source: C:\Users\user\Desktop\PO No. 3200005919.exe File created: C:\Users\user\AppData\Local\Temp\nsyEC5C.tmp
Source: C:\Users\user\Desktop\PO No. 3200005919.exe File written: C:\Users\user\Overfurnished\Tuberculisation\Woodwose\Afskede\Hitherunto\Sale\Swedish.ini
Source: classification engine Classification label: mal60.troj.evad.winEXE@1/7@0/0
Source: C:\Users\user\Desktop\PO No. 3200005919.exe Code function: 0_2_004020FE CoCreateInstance, 0_2_004020FE
Source: C:\Users\user\Desktop\PO No. 3200005919.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\PO No. 3200005919.exe Code function: 0_2_00404814 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404814
Source: PO No. 3200005919.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Kelly1076\__HITDisplay__\00_Code\ProArt Code_Git\ProArt\x64\Release\WMIMethod.pdb source: PO No. 3200005919.exe, 00000000.00000002.760167646.000000000040A000.00000004.00000001.01000000.00000003.sdmp, PO No. 3200005919.exe, 00000000.00000002.760693342.0000000002859000.00000004.00000800.00020000.00000000.sdmp, WMIMethod.dll.0.dr
Source: Binary string: qipcap.pdb source: PO No. 3200005919.exe, 00000000.00000002.760167646.000000000040A000.00000004.00000001.01000000.00000003.sdmp, PO No. 3200005919.exe, 00000000.00000002.760693342.0000000002859000.00000004.00000800.00020000.00000000.sdmp, qipcap.dll.0.dr
Source: Binary string: qipcap.pdb0 source: PO No. 3200005919.exe, 00000000.00000002.760167646.000000000040A000.00000004.00000001.01000000.00000003.sdmp, PO No. 3200005919.exe, 00000000.00000002.760693342.0000000002859000.00000004.00000800.00020000.00000000.sdmp, qipcap.dll.0.dr

Data Obfuscation

Source: Yara match File source: 00000000.00000002.761070766.0000000004020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\PO No. 3200005919.exe Code function: 0_2_10002DE0 push eax; ret 0_2_10002E0E
Source: WMIMethod.dll.0.dr Static PE information: section name: _RDATA
Source: qipcap.dll.0.dr Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\PO No. 3200005919.exe File created: C:\Users\user\Overfurnished\Tuberculisation\Woodwose\Circularizations126\Iltningernes\Mellivorous\qipcap.dll
Source: C:\Users\user\Desktop\PO No. 3200005919.exe File created: C:\Users\user\AppData\Local\Temp\nskA46.tmp\System.dll
Source: C:\Users\user\Desktop\PO No. 3200005919.exe File created: C:\Users\user\Overfurnished\Tuberculisation\Woodwose\Circularizations126\Iltningernes\Mellivorous\WMIMethod.dll
Source: C:\Users\user\Desktop\PO No. 3200005919.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO No. 3200005919.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO No. 3200005919.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\PO No. 3200005919.exe RDTSC instruction interceptor: First address: 0000000004021F8B second address: 0000000004021F8B instructions:
    0x00000000 rdtsc
    0x00000002 cmp ebx, 97171E49h
    0x00000008 cmp ebx, ecx
    0x0000000a jc 00007F22E4B28E52h
    0x0000000c pushad
    0x0000000d mov bl, 19h
    0x0000000f cmp bl, 00000019h
    0x00000012 jne 00007F22E4B4D606h
    0x00000018 popad
    0x00000019 test ah, ah
    0x0000001b inc ebp
    0x0000001c inc ebx
    0x0000001d test ax, bx
    0x00000020 rdtsc
Source: C:\Users\user\Desktop\PO No. 3200005919.exe Dropped PE file which has not been started: C:\Users\user\Overfurnished\Tuberculisation\Woodwose\Circularizations126\Iltningernes\Mellivorous\qipcap.dll
Source: C:\Users\user\Desktop\PO No. 3200005919.exe Dropped PE file which has not been started: C:\Users\user\Overfurnished\Tuberculisation\Woodwose\Circularizations126\Iltningernes\Mellivorous\WMIMethod.dll
Source: C:\Users\user\Desktop\PO No. 3200005919.exe Code function: 0_2_00402862 FindFirstFileW, 0_2_00402862
Source: C:\Users\user\Desktop\PO No. 3200005919.exe Code function: 0_2_004066F3 FindFirstFileW,FindClose, 0_2_004066F3
Source: C:\Users\user\Desktop\PO No. 3200005919.exe Code function: 0_2_00405ABE CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405ABE
Source: C:\Users\user\Desktop\PO No. 3200005919.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\PO No. 3200005919.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\PO No. 3200005919.exe Code function: 0_2_00403489 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403489
No contacted IP infos