Edit tour

Windows Analysis Report
Order_002376662-579588_Date 24082022.exe

Overview

General Information

Sample Name:	Order_002376662-579588_Date 24082022.exe
Analysis ID:	694559
MD5:	8c2a59bd88b7e2c26045a604ed544288
SHA1:	7efb014d57608ff6a2805baf4dd7c150792e6eb4
SHA256:	0d4b100e641aad426a916cb326d20f8fe44e32ca38f7a85c505135036c6b44af
Infos:

Detection

GuLoader

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Snort IDS alert for network traffic

Initial sample is a PE file and has a suspicious name

Writes to foreign memory regions

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses 32bit PE files

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Creates files inside the system directory

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Contains functionality for execution timing, often used to detect debuggers

PE file does not import any functions

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Checks if the current process is being debugged

PE / OLE file has an invalid certificate

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64native

Order_002376662-579588_Date 24082022.exe (PID: 2812 cmdline: "C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" MD5: 8C2A59BD88B7E2C26045A604ED544288)

CasPol.exe (PID: 3112 cmdline: "C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" MD5: 7BAE06CBE364BB42B8C34FCFB90E3EBD)

conhost.exe (PID: 4392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000000.22683438457.0000000000F70000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000004.00000002.27549390202.0000000000F70000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Snort Signatures

ET DNS Query to a .tk domain - Likely Hostile - Source IP: 192.168.11.20 - Destination IP: 1.1.1.1

Timestamp:	192.168.11.201.1.1.150882532012811 09/01/22-00:01:35.227375
SID:	2012811
Source Port:	50882
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Order_002376662-579588_Date 24082022.exe	Virustotal: Detection: 49%	Perma Link
Source: Order_002376662-579588_Date 24082022.exe	Metadefender: Detection: 27%	Perma Link
Source: Order_002376662-579588_Date 24082022.exe	ReversingLabs: Detection: 65%

Source: Order_002376662-579588_Date 24082022.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Platooned\Ananthropism

Jump to behavior

Source: Order_002376662-579588_Date 24082022.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\SourceCode\GC3.GPUPowerSaving\production_V4.2.12.3\Service\ConfigEditorCS\obj\Release\GPUPowerSavingConfigEditor.pdb source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_00405861 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0040639C FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_004026F8 FindFirstFileA,

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2012811 ET DNS Query to a .tk domain - Likely Hostile 192.168.11.20:50882 -> 1.1.1.1:53

Source: global traffic

TCP traffic: 192.168.11.20:49785 -> 45.8.132.92:80

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Order_002376662-579588_Date 24082022.exe	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: Order_002376662-579588_Date 24082022.exe	String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: Order_002376662-579588_Date 24082022.exe	String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: CasPol.exe, 00000004.00000002.27549982400.00000000010C7000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.27550375683.000000000110E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000003.24024275041.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.27550277584.00000000010FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mnhckm.tk/ExpCRBJHZ225.u32
Source: CasPol.exe, 00000004.00000002.27549674764.000000000108B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mnhckm.tk/ExpCRBJHZ225.u32%dkm(
Source: CasPol.exe, 00000004.00000002.27549982400.00000000010C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mnhckm.tk/ExpCRBJHZ225.u324
Source: CasPol.exe, 00000004.00000002.27549862711.00000000010B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mnhckm.tk/ExpCRBJHZ225.u328c-95ce0233a7ccF_zm
Source: CasPol.exe, 00000004.00000002.27549862711.00000000010B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mnhckm.tk/ExpCRBJHZ225.u328c-95ce0233a7ccs
Source: CasPol.exe, 00000004.00000002.27549862711.00000000010B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mnhckm.tk/ExpCRBJHZ225.u328c-95ce0233a7ccv
Source: CasPol.exe, 00000004.00000002.27549674764.000000000108B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mnhckm.tk/ExpCRBJHZ225.u32Ie
Source: CasPol.exe, 00000004.00000002.27549982400.00000000010C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mnhckm.tk/ExpCRBJHZ225.u32L
Source: CasPol.exe, 00000004.00000002.27549674764.000000000108B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mnhckm.tk/ExpCRBJHZ225.u32Se
Source: CasPol.exe, 00000004.00000002.27549674764.000000000108B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mnhckm.tk/ExpCRBJHZ225.u32ee
Source: CasPol.exe, 00000004.00000002.27549982400.00000000010C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mnhckm.tk/ExpCRBJHZ225.u32v
Source: Order_002376662-579588_Date 24082022.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Order_002376662-579588_Date 24082022.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Order_002376662-579588_Date 24082022.exe	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: Order_002376662-579588_Date 24082022.exe	String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: Order_002376662-579588_Date 24082022.exe	String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: Order_002376662-579588_Date 24082022.exe	String found in binary or memory: http://subca.ocsp-certum.com01
Source: Order_002376662-579588_Date 24082022.exe	String found in binary or memory: http://subca.ocsp-certum.com02
Source: Order_002376662-579588_Date 24082022.exe	String found in binary or memory: http://subca.ocsp-certum.com05
Source: Order_002376662-579588_Date 24082022.exe	String found in binary or memory: http://www.certum.pl/CPS0
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown

DNS traffic detected: queries for: mnhckm.tk

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Code function: 2_2_004052FE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Order_002376662-579588_Date 24082022.exe

Source: Order_002376662-579588_Date 24082022.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Code function: 2_2_0040330D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

File created: C:\Windows\resources\0409

Jump to behavior

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_00406725
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_00404B3D
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03510E99
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350035C
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350035E
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500340
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500B43
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500344
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500F46
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500748
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03507B48
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350674B
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03501B4C
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500F71
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03501B7F
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350676B
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350A311
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500316
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350A71A
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350031D
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350031F
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03511B01
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500B00
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03501B05
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03506306
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500331
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350A331
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500333
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500335
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500337
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500339
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350033B
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350033E
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500321
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500323
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500325
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500327
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350032A
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350032C
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350032E
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03512F2F
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035003D2
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350A3DE
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03501BC3
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500FC8
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500BED
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500396
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350A788
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500789
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350078D
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500B8F
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500BB2
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035063B2
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035007B6
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035003A5
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350AFA8
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500E5F
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03506641
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03501A42
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500675
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500260
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350AA62
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03502A69
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03501E6D
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03502A6E
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500A6F
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03506615
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350AA16
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500E1C
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350021D
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350621F
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03501A0F
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03506636
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500639
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350A623
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350AA2D
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03501E2E
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500ED0
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350A6D2
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035002D6
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035066DE
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03507AC3
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03501AC9
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035066F0
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500EF3
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03501AFA
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035006FB
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500299
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03501A81
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03506286
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03510A8C
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03501EB4
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500ABA
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035006BC
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03506EBD
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035066A3
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03507AA7
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350095B
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350015C
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500D5D
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03506148
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03507D4C
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350A578
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350196C
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03506510
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03501916
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500119
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350091D
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350050B
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500D3A
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350653A
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03501D24
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03501926
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03511927
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035019D0
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500DD0
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035079D3
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035001D7
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035005FB
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035079FC
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035061EC
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03501DEF
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350199E
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0351258D
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350058C
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350018E
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350058E
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03501DB6
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500DA3
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500050
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350AC45
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03506047
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03514446
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03511474
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03506077
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500478
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03501C7A
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03507C60
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500862
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03506466
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500013
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500001
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500403
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350B00C
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500831
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500C3B
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350743D
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035000D3
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035004D4
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035008D8
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350A4CD
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350A0F8
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03501CEE
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500499
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350089E
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500CB6

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03514ADD NtResumeThread,
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03514446 NtResumeThread,

Source: GPUPowerSavingConfigEditor.dll.2.dr

Static PE information: No import functions for PE file found

Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameGPUPowerSavingConfigEditor.dll< vs Order_002376662-579588_Date 24082022.exe

Source: Order_002376662-579588_Date 24082022.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Order_002376662-579588_Date 24082022.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: edgegdi.dll

Source: Order_002376662-579588_Date 24082022.exe

Static PE information: invalid certificate

Source: Order_002376662-579588_Date 24082022.exe	Virustotal: Detection: 49%
Source: Order_002376662-579588_Date 24082022.exe	Metadefender: Detection: 27%
Source: Order_002376662-579588_Date 24082022.exe	ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

File read: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Jump to behavior

Source: Order_002376662-579588_Date 24082022.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe "C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe"
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe"

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens

Jump to behavior

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

File created: C:\Users\user\AppData\Local\Temp\nsq713A.tmp

Jump to behavior

Source: classification engine

Classification label: mal80.troj.evad.winEXE@4/7@1/1

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Code function: 2_2_004020CB CoCreateInstance,MultiByteToWideChar,

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Code function: 2_2_004045CA GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4392:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4392:120:WilError_03

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Platooned\Ananthropism

Jump to behavior

Source: Order_002376662-579588_Date 24082022.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000004.00000000.22683438457.0000000000F70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.27549390202.0000000000F70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_10002D20 push eax; ret
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03509BC5 push eax; ret
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035093CA push edx; retf
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035043FC push 0000007Ah; iretd
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03507B92 push es; iretd
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03508E54 pushad ; retf
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350C24D push ss; ret
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350C278 push ss; ret
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03509209 push edi; ret
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03508E23 pushad ; retf
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350815E push ebx; ret
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03509DA3 push esi; ret
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03508852 push cs; iretd
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035080F8 push ebx; ret
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03505099 push eax; iretd
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03508CB9 pushad ; retf
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035088AC push cs; iretd
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4_2_00F73270 push ecx; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4_2_00F77A4E push cs; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4_2_00F70817 push cs; retf
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4_2_00F739C0 push 0000002Ah; iretd
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4_2_00F71F8B push esp; retf

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Code function: 2_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\GPUPowerSavingConfigEditor.dll			Jump to dropped file
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll			Jump to dropped file

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Noneffervescently.Cre	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Kalligraferendes	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Kalligraferendes\Quantisers	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Kalligraferendes\Quantisers\Aqua_20.bmp	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Forhaanet.Nab	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\GPUPowerSavingConfigEditor.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\face-cool.png	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79\iso_3166-1.json	Jump to behavior

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect Any.run

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343143751.0000000003601000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.27550528953.00000000012B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343143751.0000000003601000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOKERNELBASE.DLLSHELL32ADVAPI32TEMP=WINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLL
Source: CasPol.exe, 00000004.00000002.27550528953.00000000012B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOKERNELBASE.DLLSHELL32ADVAPI32TEMP=HTTP://MNHCKM.TK/EXPCRBJHZ225.U32

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 736

Thread sleep time: -90000s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\GPUPowerSavingConfigEditor.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Code function: 2_2_0350275D rdtsc

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_00405861 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0040639C FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_004026F8 FindFirstFileA,

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

System information queried: ModuleInformation

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	API call chain: ExitProcess graph end node

Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343489480.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343489480.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343143751.0000000003601000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoKERNELBASE.DLLshell32advapi32TEMP=windir=\Microsoft.NET\Framework\v2.0.50727\caspol.exewindir=\syswow64\iertutil.dll
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343489480.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343489480.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343489480.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343489480.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343489480.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: CasPol.exe, 00000004.00000003.24024087034.00000000010E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: CasPol.exe, 00000004.00000002.27550528953.00000000012B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoKERNELBASE.DLLshell32advapi32TEMP=http://mnhckm.tk/ExpCRBJHZ225.u32
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343143751.0000000003601000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.27550528953.00000000012B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343489480.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343489480.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: CasPol.exe, 00000004.00000002.27549862711.00000000010B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343489480.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343489480.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Code function: 2_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Code function: 2_2_0350275D rdtsc

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350AB49 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350A311 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03512F2F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03510E7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350AA62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350AA2D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350AC45 mov ebx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350AC45 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03506047 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350DC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350AC04 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350AC9B mov ebx, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Code function: 2_2_03510E99 LdrLoadDll,

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe base: F70000

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe"

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	1 Windows Service	1 Access Token Manipulation	11 Masquerading	OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Windows Service	12 Virtualization/Sandbox Evasion	LSASS Memory	12 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	1 DLL Side-Loading	111 Process Injection	1 Access Token Manipulation	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 Registry Run Keys / Startup Folder	111 Process Injection	NTDS	4 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	1 DLL Side-Loading	1 Obfuscated Files or Information	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 DLL Side-Loading	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Order_002376662-579588_Date 24082022.exe	49%	Virustotal		Browse
Order_002376662-579588_Date 24082022.exe	28%	Metadefender		Browse
Order_002376662-579588_Date 24082022.exe	65%	ReversingLabs	Win32.Trojan.Guloader

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\GPUPowerSavingConfigEditor.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\GPUPowerSavingConfigEditor.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://subca.ocsp-certum.com05	0%	Avira URL Cloud	safe
http://subca.ocsp-certum.com02	0%	Avira URL Cloud	safe
http://subca.ocsp-certum.com01	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mnhckm.tk	45.8.132.92	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.certum.pl/ctnca2.crl0l	Order_002376662-579588_Date 24082022.exe	false		high
http://repository.certum.pl/ctnca2.cer09	Order_002376662-579588_Date 24082022.exe	false		high
http://crl.certum.pl/ctsca2021.crl0o	Order_002376662-579588_Date 24082022.exe	false		high
http://nsis.sf.net/NSIS_Error	Order_002376662-579588_Date 24082022.exe	false		high
http://repository.certum.pl/ctnca.cer09	Order_002376662-579588_Date 24082022.exe	false		high
http://nsis.sf.net/NSIS_ErrorError	Order_002376662-579588_Date 24082022.exe	false		high
http://repository.certum.pl/ctsca2021.cer0	Order_002376662-579588_Date 24082022.exe	false		high
http://crl.certum.pl/ctnca.crl0k	Order_002376662-579588_Date 24082022.exe	false		high
http://subca.ocsp-certum.com05	Order_002376662-579588_Date 24082022.exe	false	Avira URL Cloud: safe	unknown
http://www.certum.pl/CPS0	Order_002376662-579588_Date 24082022.exe	false		high
http://subca.ocsp-certum.com02	Order_002376662-579588_Date 24082022.exe	false	Avira URL Cloud: safe	unknown
http://subca.ocsp-certum.com01	Order_002376662-579588_Date 24082022.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.8.132.92	mnhckm.tk	Germany		61317	ASDETUKhttpwwwheficedcomGB	false

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	694559
Start date and time:	2022-08-31 23:59:12 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 32s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Order_002376662-579588_Date 24082022.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@4/7@1/1
EGA Information:	Successful, ratio: 50%
HDC Information:	Successful, ratio: 24.4% (good quality ratio 24.1%) Quality average: 88.7% Quality standard deviation: 20.8%
HCA Information:	Successful, ratio: 92% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, svchost.exe
TCP Packets have been reduced to 100
Excluded domains from analysis (whitelisted): spclient.wg.spotify.com, wdcpalt.microsoft.com, client.wns.windows.com, ctldl.windowsupdate.com, wdcp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Execution Graph export aborted for target CasPol.exe, PID 3112 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Process:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	11264
Entropy (8bit):	5.767999234165119
Encrypted:	false
SSDEEP:	192:cPtkumJX7zBE2kGwfy9S9VkPsFQ1MZ1c:N7O2k5q9wA1MZa
MD5:	C9473CB90D79A374B2BA6040CA16E45C
SHA1:	AB95B54F12796DCE57210D65F05124A6ED81234A
SHA-256:	B80A5CBA69D1853ED5979B0CA0352437BF368A5CFB86CB4528EDADD410E11352
SHA-512:	EAFE7D5894622BC21F663BCA4DD594392EE0F5B29270B6B56B0187093D6A3A103545464FF6398AD32D2CF15DAB79B1F133218BA9BA337DDC01330B5ADA804D7B
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j.9..i....l....l.Richm.........................PE..L.....uY...........!.................'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text...O........................... ..`.rdata..S....0......."..............@..@.data...h....@.......&..............@....reloc..^....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Forhaanet.Nab

Download File

Process:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	29564
Entropy (8bit):	3.9994965063204706
Encrypted:	false
SSDEEP:	768:K3xU0sST74YF3ZeaYDqKjmgtajzKmFGMiElvFoe2:2Tsusm3ODqK/Imlh
MD5:	61F8A1615921DA63C2609B90984F1D32
SHA1:	D188A91A6745481BB830704854FE61E2A41E0B9A
SHA-256:	DF023F32CE51FF8BA14F1147B1D7644D734AC9EF0FB5CF024A88A495E153EFF0
SHA-512:	9855CCCA3CF01993F04ECC48824FF8AD7084176F8A9411CF8E737FDAB5BB093B3FE19B8098D8206A1DFF546DA59D227D783470A2D1DCE1083C1FBC9661FBB3DC
Malicious:	false
Reputation:	low
Preview:	79F5033C9D5E8CB0E34E74DBA3F160A8A116FFBE99FFC4E7AB4189ABA94B8F01DD34E5CC3D75871F5B27143BFD1FAEF87C50308056EFCBC142ABE1F8C638BE972D7DE340583A9C76BD7ED307EFB159E8EE7844BBA73F5DD7B1DF60CD378221F6BCB008205C718C5C3D2C9978871B0F9B8B02370F79F12DAB84A9C7D793A5181FC249ED6136A6EF71E962E295EF440D9D4B0017F75253D1433B5E2E2BE721069D97AE1E0B31F4FC9F0CD109B46C79BA1D3F88D3DF73715581039E00D83F9F0EC2B48A52CBC4A37AD6779E4997433AB97D75FF78AE1C1AA7755E884D821FD65138A7930C0213E6FE7694ABAF56071B3AF05D5FBC7401A6D776E5FD88DA61BCC05675FF42FCC1CBBE2894A439183B853B6C170C338105B38468CFF07EFEED9A85C335E2F04F08F2DC0F9C3243C5319F3E4256A41FCB22BE16E71B4354F38E090AE14F8E7852031272A2063B58E48D78244C510AE6EE9C5387CFC359D0EE90882CDB81704DD368E0E963E9E0F81DFF503D71BC346492203B0E95A7E6AF23DE1289F222F7DA779BD9B0921560969C5F3FA94C0B3E7C9E627C5ABA4EEEC74E5259BBB5F80C1393C789B98CC7FEE06CB3AC2839022F745C4B8F402C5C24781278401E69ED99F56F08FD67C73117A09362CDAB03ED93295816298F51FBA17DEC31054D3E4A8ACB306B2682E11BDB133A1C1E14017EC7D3BB

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\GPUPowerSavingConfigEditor.dll

Download File

Process:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
File Type:	PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	31456
Entropy (8bit):	6.0996914820635295
Encrypted:	false
SSDEEP:	384:sQ1QmY/8eFuAYNAx4klQvhI0tUA9wZmjML9S/3oche5ZP2TFn0E0C04Haqk6Olkm:s0YvT4ZbzRj1foHGpzkkF2X9Dh/
MD5:	6213DFF7A0CE2E52FD61EC4097DF93E7
SHA1:	4087C8D803EE9E4298AA51EC05E18D020A0A2728
SHA-256:	D12DC4BBDACDE8FC92DCFB384807D793C67B9B7E88D52EE0240E8A1901B80071
SHA-512:	85446886691BE56B027519EB2C823399031CE549AA3BF8155A0E3897AAC04E4E8D960716E40E124E0E4980027CB3EB13241A9CF32D9227470F8E0EA45FFBC79D
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d..._p.a.........." ..0..T............... ........... ...............................&....`...@......@............... ..................................`............\...............q............................................................... ..H............text....S... ...T.................. ..`.rsrc...`............V..............@..@........................................H.......x?...0..........Hp................................................(.....~....-.r...p.....(....o....s.........~.....~...........V(....re..p~....o....V(....rs..p~....o....V(....r...p~....o....V(....r...p~....o.....~......(....Vs....(....t..........0...........{....o.....{.....3......{.....(....&(.....o .....5...o!...r...p....+A.......~"...(#...,....($....+..r...po%...-..{.....o&...r...p...X....i2...&...{........................0...........{....o.....{.....3.......{.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\face-cool.png

Download File

Process:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	845
Entropy (8bit):	7.722985666159481
Encrypted:	false
SSDEEP:	24:47y7zZd6D14lz6mML1mc2TvTl4P5VwbxjoUWBx9:57mD14lz61gTv+P5Vwtj0
MD5:	EFB6B9E41A0DAAB0088A365317A4F635
SHA1:	5D5B2C92BB5870B15BFB383A4C749EE1B71E21AB
SHA-256:	40A5B74A33F7372AC62EC82CA65097B2BF411E6CAF2667C87DA374A06834AD05
SHA-512:	98BACE38224A53CCDA2039CD6089F704762A5D09D67CE924486800205596671A0BFC9A2BE26D36F77BAB7ECAF57E82C3D16739DBDA9FC1027A8E2B784D784C14
Malicious:	false
Preview:	.PNG........IHDR................a....IDATx.u..x.[..g]....m.f...m...=..y3...}......V)..&.v.S.}.KYr..<......n.%......q..n.Q.W.j....2....(...N5.....1{......&r/.......dE.1Tg^.!..T..F.C.:T.Ed..<.>.<.r..\.=..OIR.7Q..Ge.\|P..`0....X........>.m.E.p....>...>..M.~...........H4k.7.Z=.d....D.S3..].....f........E.....G.R.....'ND.}.eK...E.....V........ ...........p.g..)&0$...N%dc..n.x:.i..C:...l.Vg^_...r._..9..(....G...$M.....}...u-........}..o..Y.vLA........-Z.K;<.....)...GW.ph..E..c]+.....c.p..#.p[...Q....G.#.....G.......Vu...q....).yl.2.....v.\.0Mz.P/.;B....F..........{.!..T..G.}.._....".2w.m../l.JHs.x..h.....t.....a!.M.....qk. ....IX/@...w.\...2U.....u^.&N3.G..t.......8...Z6].6~..`...+......&.5&.*....ZO...$..Y..%...XF...^s[4...&.nw....?-./..T&.IS.H&.cX"...7..$c........T.9....IEND.B`.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Kalligraferendes\Quantisers\Aqua_20.bmp

Download File

Process:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 100x100, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=3], baseline, precision 8, 110x110, frames 3
Category:	dropped
Size (bytes):	8419
Entropy (8bit):	7.8975477212121925
Encrypted:	false
SSDEEP:	192:oXRnOJl+MmnEjHXjbDkd914gmMJrq03QVWpen7d:KRHMmn2XjXQ1VqaQVWs7d
MD5:	EF9954E2C8A46E6F0BB6AAF1E0A7F499
SHA1:	F1639B6632F6B4B472A4A0AD653B82A48B008F6B
SHA-256:	6550954EBF87A006EDA7C80EA5EB26CD51753540C159DEA36E506C811D5261DD
SHA-512:	F00EAD97959335F95B4846A7DA20A51C2B31E255F2C013DB69CF6F595E3C0BCE299C640001E2B265864528B576F161C9105AC237F09A906E74B9AF406D211D6D
Malicious:	false
Preview:	......JFIF.....d.d.....:Exif..MM.......Q...........Q..........aQ..........a.......C....................................................................C.......................................................................n.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(..'...no./.....j..Z?...7..c....Z.....K.+.d....3....I.#..m@X\|S...T.....g.]..eo...#XI...\|D6......D......T.....da<..i5..!.M...I.mC.W.<O.x._...x.......Q..3..<.....4..."...@..p..y..SX.L...v..[....].+_m.k.Y..b.*X.v:..z....A.A.....>......f?..GG....s."..^......=:e@.X.{.- T.........).....g...O......_[.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Noneffervescently.Cre

Download File

Process:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
File Type:	data
Category:	dropped
Size (bytes):	105498
Entropy (8bit):	6.8469376549161245
Encrypted:	false
SSDEEP:	1536:cYUYKcQR5Y+GAjmU8R20KnRFr/ASso1gQa0CozxqDkHHB+Q/vGmHi:cYvuY+1J8R2bFbAYGQa09zxqDk++GmHi
MD5:	34957562BCFF2DAE97F8009F22642EA5
SHA1:	F22431D76E12B5E4AC240E96F6856165C70A01EE
SHA-256:	69823BE330A7C9B93750E25AFB3BC29DC33F7DE4CA7935D787BE29DD80E711D1
SHA-512:	015BE4CE81774A334761017AA7C0E397B2DE9F91904D87CDBA163CBD4C584FCBFF25A6C787595F31ABD0C24970101671C9444139088161F7C3A4E5B1634808A4
Malicious:	false
Preview:	2.1.].F..Q....H........[.Geo.A,S........n...+.\|.......]..r.uh.%.Zng.#.;...2.a.>.....b@....f.m..........@u}.e.-..9...\P.2.(.!.z...#@..u.,.k..A9..q)}.....T...D.{.)f@z.,.....[{o.....)..S.p.&.....#SEu.L..F...mc}.......<..}lV.y.:.Z..N...8.........>.W..O...c9Q1@.~./.....6...... [8-..8EB...C.....X"x..`2[.f..P1..c.?.#.{..EvD....<6.D.,..1;p.b.....W#.4....N.G.).u.u...[JL.i.D.......@...W}).".3m...%.<..[....3.3...-7.z...{..$.lI......7~...lV.....................)y.......S......@:.%2;]u.D..z.3..wv..6[......!..O..zEeT...:.8.../..C.P....H...).&n7-.t.......S...=.8].+..OsD.......v(...K..Ea5.+b.'...?..?.<....'..o.3.`.Zx......3.<..7...~......6.. >z..Z....d.6<..4).+.<...y..A...5.._..M!.$l]9.y.:...7Z.dD....}...C.M!1.Zt.1....0.)q........=..HR....4..Z.&..s.W......q..pRc.Q{........S.X.......@......+..OA.....oyw...b...G..d.\|..b.)............. ..]YE.$.......$7U..7..P.Zh.2e.f...g...(..u...i..KB.....j.. <Lts..)1...O^.X]\|[s...!........._5..$..-t.`#...T

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79\iso_3166-1.json

Download File

Process:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
File Type:	UTF-8 Unicode text
Category:	dropped
Size (bytes):	36718
Entropy (8bit):	4.260373998588477
Encrypted:	false
SSDEEP:	192:OU+NvXvwEXFo+Hco8/+8IXAMaM2LkAAVemLK9f8QayVEJUfYZqAmULr:OU+Eo8ZLMaMWlAVemOZwyyOwMAmUX
MD5:	062FC6431BF0FF5F8E7E62587FCBD686
SHA1:	06E2BF1BB06CE408EC2AAE8D9F7A8ABC0371B57D
SHA-256:	78FB090F4A54C8B5970EC04C7511F17EB767275A8D5358604A1E335440678617
SHA-512:	8EC9F46A24C2A0B0C54463EF23D14563DDA2F7D65D8B231B994C8DDA2D5212B4DC697C6DF67B477DD245A2A065023383576A6DB48A335FAB9AFB6AAE7F764194
Malicious:	false
Preview:	{. "3166-1": [. {. "alpha_2": "AW",. "alpha_3": "ABW",. "name": "Aruba",. "numeric": "533". },. {. "alpha_2": "AF",. "alpha_3": "AFG",. "name": "Afghanistan",. "numeric": "004",. "official_name": "Islamic Republic of Afghanistan". },. {. "alpha_2": "AO",. "alpha_3": "AGO",. "name": "Angola",. "numeric": "024",. "official_name": "Republic of Angola". },. {. "alpha_2": "AI",. "alpha_3": "AIA",. "name": "Anguilla",. "numeric": "660". },. {. "alpha_2": "AX",. "alpha_3": "ALA",. "name": ".land Islands",. "numeric": "248". },. {. "alpha_2": "AL",. "alpha_3": "ALB",. "name": "Albania",. "numeric": "008",. "official_name": "Republic of Albania". },. {. "alpha_2": "AD",. "alpha_3": "AND",. "name": "Andorra",. "numeric": "020",. "official_name": "Principality of Andorra". },. {. "alpha_2

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.509543109745029
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Order_002376662-579588_Date 24082022.exe
File size:	195584
MD5:	8c2a59bd88b7e2c26045a604ed544288
SHA1:	7efb014d57608ff6a2805baf4dd7c150792e6eb4
SHA256:	0d4b100e641aad426a916cb326d20f8fe44e32ca38f7a85c505135036c6b44af
SHA512:	ca6d126b62418c1c9fe6b6c0b0418a7253b6200a179af844bd80f67c055375c51d9b268242ea9ff3e15b0c3d867d84c19508229580605cbaac8460fa9a9bec17
SSDEEP:	3072:RNzPHk9MpcDj6OzDjWubsfxAjaWde+mzaOyrxmIW//z7GfvGxkTjk3kfSD:RhRupsfKW7+me6//z7GvQ
TLSH:	7014F11D2507C7BECA53423049BA6A675EF6BA04FC8156436F637A983CD3170822F5BE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F...v...F...@...F.Rich..F.........................PE..L...*.uY.................b.........

File Icon


Icon Hash:	90b270f0e260b050

Static PE Info

General

Entrypoint:	0x40330d
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5975952A [Mon Jul 24 06:35:22 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	57e98d9a5a72c8d7ad8fb7a6a58b3daf

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN="Fights Fratrkning Unnervingly ", OU="nerver Whitebait ", E=Nekrofili@Umiaq.An, O=Stagy, L=Kendallville, S=Indiana, C=US
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	20/02/2022 13:26:15 19/02/2025 13:26:15
Subject Chain	CN="Fights Fratrkning Unnervingly ", OU="nerver Whitebait ", E=Nekrofili@Umiaq.An, O=Stagy, L=Kendallville, S=Indiana, C=US
Version:	3
Thumbprint MD5:	8BFEA38B193C49A0622C53FBF7CAADE9
Thumbprint SHA-1:	CA863CD76251E5155366225CECEF5915CDC6B279
Thumbprint SHA-256:	A8B4C4809B973CA3D72051C56C958A1F73702992E831E3DED8796A5C96627D06
Serial:	2F3B028675A5223C

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A130h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080A8h]
call dword ptr [004080A4h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042472Ch], eax
je 00007FCB6CAB7F03h
push ebx
call 00007FCB6CABAFD2h
cmp eax, ebx
je 00007FCB6CAB7EF9h
push 00000C00h
call eax
mov esi, 00408298h
push esi
call 00007FCB6CABAF4Eh
push esi
call dword ptr [004080A0h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007FCB6CAB7EDDh
push 0000000Ah
call 00007FCB6CABAFA6h
push 00000008h
call 00007FCB6CABAF9Fh
push 00000006h
mov dword ptr [00424724h], eax
call 00007FCB6CABAF93h
cmp eax, ebx
je 00007FCB6CAB7F01h
push 0000001Eh
call eax
test eax, eax
je 00007FCB6CAB7EF9h
or byte ptr [0042472Fh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [00408288h]
mov dword ptr [004247F8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041FCF0h
call dword ptr [00408178h]
push 0040A1ECh

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8428	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3c000	0x74d0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x2d5a0	0x2660	.ndata
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x603c	0x6200	False	0.6572464923469388	data	6.39361655287636	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1248	0x1400	False	0.4287109375	data	5.044261339836676	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x1a838	0x400	False	0.6455078125	data	5.223134318413766	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x25000	0x17000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3c000	0x74d0	0x7600	False	0.4656382415254237	data	4.073204340591157	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x3c358	0x25a8	data	English	United States
RT_ICON	0x3e900	0x10a8	data	English	United States
RT_ICON	0x3f9a8	0xea8	data	English	United States
RT_ICON	0x40850	0x988	data	English	United States
RT_ICON	0x411d8	0x8a8	data	English	United States
RT_ICON	0x41a80	0x6c8	data	English	United States
RT_ICON	0x42148	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x426b0	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x42b18	0x100	data	English	United States
RT_DIALOG	0x42c18	0x11c	data	English	United States
RT_DIALOG	0x42d38	0xc4	data	English	United States
RT_DIALOG	0x42e00	0x60	data	English	United States
RT_GROUP_ICON	0x42e60	0x76	data	English	United States
RT_VERSION	0x42ed8	0x2b4	data	English	United States
RT_MANIFEST	0x43190	0x33e	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	SetEnvironmentVariableA, CreateFileA, GetFileSize, GetModuleFileNameA, ReadFile, GetCurrentProcess, CopyFileA, Sleep, GetTickCount, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, ExitProcess, SetCurrentDirectoryA, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, GlobalUnlock, GetDiskFreeSpaceA, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
USER32.dll	ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.11.201.1.1.150882532012811 09/01/22-00:01:35.227375	UDP	2012811	ET DNS Query to a .tk domain - Likely Hostile	50882	53	192.168.11.20	1.1.1.1

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 1, 2022 00:01:35.308299065 CEST	49785	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:01:36.315388918 CEST	49785	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:01:38.330445051 CEST	49785	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:01:40.369848967 CEST	49786	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:01:41.376629114 CEST	49786	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:01:43.391850948 CEST	49786	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:01:45.408461094 CEST	49787	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:01:46.422430038 CEST	49787	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:01:48.437733889 CEST	49787	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:01:50.456871033 CEST	49788	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:01:51.468318939 CEST	49788	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:01:53.483436108 CEST	49788	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:01:55.499950886 CEST	49792	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:01:56.513902903 CEST	49792	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:01:58.529259920 CEST	49792	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:00.562407970 CEST	49793	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:01.575304985 CEST	49793	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:03.590568066 CEST	49793	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:05.609458923 CEST	49796	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:06.621233940 CEST	49796	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:08.636473894 CEST	49796	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:10.652667999 CEST	49797	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:11.666898012 CEST	49797	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:13.682023048 CEST	49797	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:15.698669910 CEST	49799	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:16.712882042 CEST	49799	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:18.727937937 CEST	49799	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:20.730597019 CEST	49800	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:21.742830992 CEST	49800	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:23.758183002 CEST	49800	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:25.764751911 CEST	49801	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:26.773145914 CEST	49801	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:28.788141966 CEST	49801	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:30.804523945 CEST	49802	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:31.818802118 CEST	49802	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:33.834007978 CEST	49802	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:35.852221966 CEST	49803	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:36.864648104 CEST	49803	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:38.879693031 CEST	49803	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:40.911767960 CEST	49805	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:41.925821066 CEST	49805	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:43.941128969 CEST	49805	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:45.957909107 CEST	49806	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:46.971666098 CEST	49806	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:48.986955881 CEST	49806	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:51.005455017 CEST	49807	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:52.017404079 CEST	49807	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:54.032732010 CEST	49807	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:56.049453020 CEST	49808	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:57.063225985 CEST	49808	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:59.078370094 CEST	49808	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:01.079262972 CEST	49810	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:02.093373060 CEST	49810	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:04.108613014 CEST	49810	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:06.111105919 CEST	49812	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:07.123639107 CEST	49812	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:09.138787985 CEST	49812	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:11.155225992 CEST	49813	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:12.169295073 CEST	49813	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:14.184425116 CEST	49813	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:16.201354027 CEST	49814	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:17.215018988 CEST	49814	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:19.230299950 CEST	49814	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:21.264312983 CEST	49815	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:22.276478052 CEST	49815	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:24.291551113 CEST	49815	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:26.307991982 CEST	49817	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:27.322268963 CEST	49817	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:29.321742058 CEST	49817	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:31.353950977 CEST	49818	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:32.367949963 CEST	49818	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:34.383192062 CEST	49818	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:36.400821924 CEST	49819	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:37.413822889 CEST	49819	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:39.428946972 CEST	49819	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:41.429650068 CEST	49820	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:42.443809986 CEST	49820	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:44.459158897 CEST	49820	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:46.459882021 CEST	49821	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:47.474100113 CEST	49821	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:49.489119053 CEST	49821	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:51.508166075 CEST	49822	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:52.519743919 CEST	49822	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:54.535005093 CEST	49822	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:56.552083969 CEST	49823	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:57.565715075 CEST	49823	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:59.580818892 CEST	49823	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:01.615175009 CEST	49825	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:02.626914978 CEST	49825	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:04.642173052 CEST	49825	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:06.660598993 CEST	49826	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:07.672652006 CEST	49826	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:09.688244104 CEST	49826	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:11.704653025 CEST	49827	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:12.718499899 CEST	49827	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:14.733779907 CEST	49827	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:16.750761986 CEST	49828	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:17.764363050 CEST	49828	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:19.779428959 CEST	49828	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:21.781795979 CEST	49829	80	192.168.11.20	45.8.132.92

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 1, 2022 00:01:35.227375031 CEST	50882	53	192.168.11.20	1.1.1.1
Sep 1, 2022 00:01:35.296704054 CEST	53	50882	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 1, 2022 00:01:35.227375031 CEST	192.168.11.20	1.1.1.1	0x8709	Standard query (0)	mnhckm.tk	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Sep 1, 2022 00:01:35.296704054 CEST	1.1.1.1	192.168.11.20	0x8709	No error (0)	mnhckm.tk		45.8.132.92	A (IP address)	IN (0x0001)

Target ID:	2
Start time:	00:01:06
Start date:	01/09/2022
Path:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe"
Imagebase:	0x400000
File size:	195584 bytes
MD5 hash:	8C2A59BD88B7E2C26045A604ED544288
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: CasPol.exePID: 3112, Parent PID: 2812

General

Target ID:	4
Start time:	00:01:25
Start date:	01/09/2022
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe"
Imagebase:	0xb90000
File size:	106496 bytes
MD5 hash:	7BAE06CBE364BB42B8C34FCFB90E3EBD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000000.22683438457.0000000000F70000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000002.27549390202.0000000000F70000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate

Analysis Process: conhost.exePID: 4392, Parent PID: 3112

General

Target ID:	5
Start time:	00:01:25
Start date:	01/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c1b30000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

⊘No disassembly

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Order_002376662-579588_Date 24082022.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Forhaanet.Nab

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\GPUPowerSavingConfigEditor.dll

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\face-cool.png

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Kalligraferendes\Quantisers\Aqua_20.bmp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Noneffervescently.Cre

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79\iso_3166-1.json

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
Order_002376662-579588_Date 24082022.exe