File name:

PO#23754-1.exe

Full analysis: https://app.any.run/tasks/e8e35173-5f82-4ff3-b645-8f7317702ae7
Verdict: Malicious activity
Threats:

GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities.

Malware Trends Tracker     >>>
Analysis date: October 19, 2023, 09:52:34
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
guloader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

C012417C6E5D2210FBE0BC36A79D577B

SHA1:

041EF39A95C810DAF4F02F80E3E858175BB1902E

SHA256:

14D52119459EF12BE3A2F9A3A6578EE3255580F679B1B54DE0990B6BA403B0FE

SSDEEP:

49152:6J8Ma61n8hmcDSjV++dVbOMEwX47zZm8ojgtXt7QF9I4ZLf98FlwhVxIJYYMJOrv:6J8A1MmOs3EwX47zZHosJt7QbZbO4hTQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • PO#23754-1.exe (PID: 3852)
      • PO#23754-1.exe (PID: 3544)

    • GULOADER has been detected (YARA)

      • PO#23754-1.exe (PID: 3852)

    • Loads dropped or rewritten executable

      • PO#23754-1.exe (PID: 3852)
      • PO#23754-1.exe (PID: 3544)

    • Application was dropped or rewritten from another process

      • PO#23754-1.exe (PID: 3852)
      • PO#23754-1.exe (PID: 3544)

  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • PO#23754-1.exe (PID: 3852)
      • PO#23754-1.exe (PID: 3544)

    • Process drops legitimate windows executable

      • PO#23754-1.exe (PID: 3852)

    • The process creates files with name similar to system file names

      • PO#23754-1.exe (PID: 3852)
      • PO#23754-1.exe (PID: 3544)

  • INFO

    • Reads the computer name

      • PO#23754-1.exe (PID: 3852)
      • PO#23754-1.exe (PID: 3544)

    • Checks supported languages

      • PO#23754-1.exe (PID: 3852)
      • PO#23754-1.exe (PID: 3544)

    • Create files in a temporary directory

      • PO#23754-1.exe (PID: 3852)
      • PO#23754-1.exe (PID: 3544)

    • Manual execution by a user

      • taskmgr.exe (PID: 3268)
      • mmc.exe (PID: 3304)
      • mmc.exe (PID: 2148)
      • WinRAR.exe (PID: 3860)
      • PO#23754-1.exe (PID: 3544)
      • WinRAR.exe (PID: 1796)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

guloader

(PID) Process(3852) PO#23754-1.exe
C2 (1)http://bounceclick.live/VVB/COrg_RYGGqN229.bin
Strings (22)C:\Program Files\Qemu-ga\qemu-ga.exe
C:\Program Files\qga\qga.exe
Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Msi.dll
Publisher
Software\Microsoft\Windows\CurrentVersion\RunOnce
Startup key
TEMP=
\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
\Microsoft.NET\Framework\v4.0.30319\caspol.exe
\system32\
\syswow64\
advapi32
iertutil.dll
kernel32
ntdll
psapi.dll
shell32
user32
windir=
wininet.dll
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:25 23:56:47+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 141824
UninitializedDataSize: 2048
EntryPoint: 0x3640
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.29.10.4
ProductVersionNumber: 2.29.10.4
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: Felcor Lodging Trust Inc.
CompanyName: Appcelerator, Inc.
FileDescription: TeraByte Unlimited
FileVersion: 3.10.16
LegalCopyright: Hilton Hotels Corp.
LegalTrademarks: Nortek Inc
ProductName: Kimberly-Clark Corporation
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
49
Monitored processes
7
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #GULOADER po#23754-1.exe no specs taskmgr.exe no specs mmc.exe no specs mmc.exe winrar.exe no specs winrar.exe no specs po#23754-1.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1796"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\PO#23754-1.iso" C:\Users\admin\Desktop\C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
1
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
2148"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /sC:\Windows\System32\mmc.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Management Console
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\mmc.exe
c:\windows\system32\ntdll.dll
3268"C:\Windows\system32\taskmgr.exe" /4C:\Windows\System32\taskmgr.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Task Manager
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\advapi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
3304"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /sC:\Windows\System32\mmc.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Management Console
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\mmc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
3544"C:\Users\admin\Desktop\PO#23754-1.exe" C:\Users\admin\Desktop\PO#23754-1.exeexplorer.exe
User:
admin
Company:
Appcelerator, Inc.
Integrity Level:
MEDIUM
Description:
TeraByte Unlimited
Exit code:
0
Version:
3.10.16
Modules
Images
c:\users\admin\desktop\po#23754-1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\sechost.dll
3852"C:\Users\admin\Desktop\PO#23754-1.exe" C:\Users\admin\Desktop\PO#23754-1.exe
explorer.exe
User:
admin
Company:
Appcelerator, Inc.
Integrity Level:
MEDIUM
Description:
TeraByte Unlimited
Exit code:
1
Version:
3.10.16
Modules
Images
c:\users\admin\desktop\po#23754-1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
guloader
(PID) Process(3852) PO#23754-1.exe
C2 (1)http://bounceclick.live/VVB/COrg_RYGGqN229.bin
Strings (22)C:\Program Files\Qemu-ga\qemu-ga.exe
C:\Program Files\qga\qga.exe
Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Msi.dll
Publisher
Software\Microsoft\Windows\CurrentVersion\RunOnce
Startup key
TEMP=
\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
\Microsoft.NET\Framework\v4.0.30319\caspol.exe
\system32\
\syswow64\
advapi32
iertutil.dll
kernel32
ntdll
psapi.dll
shell32
user32
windir=
wininet.dll
3860"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\PO#23754-1.iso"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
1
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
Total events
1 495
Read events
1 478
Write events
16
Delete events
1

Modification events

(PID) Process:(3304) mmc.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\FX:{c7b8fb06-bfe1-4c2e-9217-7a69a95bbac4}
Operation:writeName:HelpTopic
Value:
C:\Windows\Help\taskscheduler.chm
(PID) Process:(3304) mmc.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\FX:{c7b8fb06-bfe1-4c2e-9217-7a69a95bbac4}
Operation:writeName:LinkedHelpTopics
Value:
C:\Windows\Help\taskscheduler.chm
(PID) Process:(3304) mmc.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Microsoft Management Console\Recent File List
Operation:delete keyName:(default)
Value:
(PID) Process:(3860) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3860) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\General
Operation:writeName:LastFolder
Value:
C:\Users\admin\Desktop
(PID) Process:(3860) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3860) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3860) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3860) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(3860) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Operation:writeName:Band56_0
Value:
38000000730100000402000000000000D4D0C800000000000000000000000000CC0113000000000039000000B40200000000000001000000
Executable files
7
Suspicious files
5
Text files
5
Unknown types
0

Dropped files

PID
Process
Filename
Type
3852PO#23754-1.exeC:\Users\admin\AppData\Local\Temp\rudesbies.Parbinary
MD5:487196ECD966622D96BD5FF5D6E39F00
SHA256:4A1B6B30209C35AB180FA675A769E3285F54597963DD0BB29F7ADB686BA88B79
3852PO#23754-1.exeC:\Users\admin\AppData\Local\Temp\ARMOURY CRATE eGPU Product.exeexecutable
MD5:39981C2A1465413B506246DA3721D9A1
SHA256:19AE2C74ECE76F6AE7074AC31B198D6BF201DDE201B5B31EACA023877241F7B9
3852PO#23754-1.exeC:\Users\admin\AppData\Local\Temp\EBCDIC.mapbinary
MD5:FC2195CEA58424FA0F941E6BEEF00842
SHA256:61CB160BEF793C65996AEDC7742B61BABF0F0EC8342CEA293992352897E96D74
3852PO#23754-1.exeC:\Users\admin\AppData\Local\Temp\edit-clear-rtl-symbolic.svgimage
MD5:E0306CBD506C56A2EFC0AD5B716E5D82
SHA256:7FCDBC9650D8B7D23EA634308C4693C63C464DC29A1F01BD19EDA19B287E48A9
3852PO#23754-1.exeC:\Users\admin\AppData\Local\Temp\preferences-system-time-symbolic.symbolic.pngimage
MD5:0925DDD685FA80B53628DD425D9FF667
SHA256:E712DF36B7D82D547185C58222BECD976CB4039364B84DFD9C87A15913ABF72C
3852PO#23754-1.exeC:\Users\admin\AppData\Local\Temp\pan-start-symbolic-rtl.svgbinary
MD5:0463D94B405B42C5079CB27FEF8FF48F
SHA256:197F7ED3B106A2EEF1E64E33C4DEFB2D4C638CB69C280090964C50D62E9046E2
3852PO#23754-1.exeC:\Users\admin\AppData\Local\Temp\api-ms-win-core-sysinfo-l1-1-0.dllexecutable
MD5:887995A73BC7DDE7B764AFABCE57EFE7
SHA256:F94210B39CDC812BEB7342A47E68673EA2116D0AD9266FCF8D7CEDAA9561FC38
3852PO#23754-1.exeC:\Users\admin\AppData\Local\Temp\Bluetooth Suite help_CHS.chmbinary
MD5:61F393963844C9B470DF60260B433EEF
SHA256:990A82BED0498F2FA1DA7160AF3C06449A7529EBCAE09EAA0F67DF60346A0F3F
3852PO#23754-1.exeC:\Users\admin\AppData\Local\Temp\lang-1092.dllexecutable
MD5:84414E8882E270293EB73F90513207C0
SHA256:DDDAEB8FEF041F2232F0D8D56FCA1D81524414C5B6508BC561C0B2B1C3DDA3E4
3852PO#23754-1.exeC:\Users\admin\AppData\Local\Temp\system-run-symbolic.svgimage
MD5:B5F0AD599938A204B3FDCA3DEE9BC5BA
SHA256:A8D093B9C8DB36FCB276C7CD80580DDE2EAD3B708D02BDF79472C65F9164D457
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted

DNS requests

No data

Threats

No threats detected
Process
Message
mmc.exe
Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe
OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe
AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe
ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
PO#23754-1.exe