Windows Analysis Report
REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Overview

General Information

Sample Name: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Analysis ID: 756301
MD5: b9f70f4146b846179fa182ac868d0c15
SHA1: 97cb5de0e0cc2f53cd73552f9d5b4381ab5a5907
SHA256: ff235029990af0449ce8f82c5546dfe37170d5e27ce1a22b0a43965a980344be
Tags: exeLoki

Detection

GuLoader
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for sample
Uses 32bit PE files
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Abnormal high CPU Usage
Contains functionality to read data from the clipboard


AV Detection

Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Joe Sandbox ML: detected
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Bekvemmeligheder
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\SourceCode\ScenarioProfile\production_V4.2\ScenarioProfileFrameWork\Service\ServiceSDK\Release\ScenarioProfilePlugIn\AsOpenFile.pdb source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr
Source: Binary string: D:\SourceCode\ScenarioProfile\production_V4.2\ScenarioProfileFrameWork\Service\ServiceSDK\Release\ScenarioProfilePlugIn\AsOpenFile.pdb,,)GCTL source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 0_2_00406555 FindFirstFileW,FindClose, 0_2_00406555
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 0_2_0040287E FindFirstFileW, 0_2_0040287E
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 0_2_00405A03 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405A03
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 0_2_004054B0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004054B0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAsOpenFile.exeL vs REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 0_2_0040344A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040344A
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 0_2_004068DA 0_2_004068DA
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 0_2_00404CED 0_2_00404CED
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe File read: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe File created: C:\Users\user\AppData\Local\Folkedansens
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe File created: C:\Users\user\AppData\Local\Temp\nsuC2DE.tmp
Source: classification engine Classification label: mal64.troj.evad.winEXE@1/4@0/0
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 0_2_00402104 CoCreateInstance, 0_2_00402104
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 0_2_00404771 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404771

Data Obfuscation

Source: Yara match File source: 00000000.00000002.830514930.00000000030F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.830075184.0000000000694000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 0_2_10002DE0 push eax; ret 0_2_10002E0E
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_10001B18
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe File created: C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane\AsOpenFile.exe
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe File created: C:\Users\user\AppData\Local\Temp\nsgC6C9.tmp\System.dll
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe RDTSC instruction interceptor: First address: 00000000030F165F second address: 00000000030F165F instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FEAF0D8C00Fh 0x00000006 cmp bh, dh 0x00000008 cmp ecx, 95C3E464h 0x0000000e inc ebp 0x0000000f cld 0x00000010 inc ebx 0x00000011 cmp dl, al 0x00000013 rdtsc
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane\AsOpenFile.exe
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 0_2_00406555 FindFirstFileW,FindClose, 0_2_00406555
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 0_2_0040287E FindFirstFileW, 0_2_0040287E
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 0_2_00405A03 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405A03
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_10001B18
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe Code function: 0_2_0040344A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040344A
No contacted IP infos