
Windows Analysis Report
SecuriteInfo.com.FileRepPup.14593.15387.exe

Overview

General Information

Sample name: SecuriteInfo.com.FileRepPup.14593.15387.exe
Analysis ID: 1400700
MD5: 65c6c55ff7a297cb8038ed701d6cdef1
SHA1: 70bc9fabbc72224d3ad5ad54211e2e6865aefc9c
SHA256: 8f1d957803f3501d26f385df4f2f92408b9bd1cbf825ac7bce3584a495253486
Tags: exe

Detection

Score: 45
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains capabilities to detect virtual machines
Entry point lies outside standard sections
IP address seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: SecuriteInfo.com.FileRepPup.14593.15387.exe | ReversingLabs: Detection: 50%
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe | Virustotal: Detection: 48%
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe | Static PE information: certificate valid
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Joe Sandbox View | IP Address: 47.117.76.6
Source: global traffic | HTTP traffic detected: GET /inst/get3 HTTP/1.1
  Accept: */*
  Accept-Language: zh-CN,zh;q=0.9
  Connection: Keep-Alive
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.4044.92 Safari/537.36
  Host: api.ludashi.com
  Content-Length: 184
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /url2?pid=buysite_00&type=xzq&action=run&appver=6.1022.1135.1123&modver=6.1022.1135.1123&mid=6039146e22b008fbd61fc0617475e9aa&ex_ary[siteid]=&ex_ary[softid]=&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]= HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: s.ludashi.com
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /downloader/soft/reportNew HTTP/1.1
  Accept: */*
  Accept-Language: zh-CN,zh;q=0.9
  Connection: Keep-Alive
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.4044.92 Safari/537.36
  Host: softmgr.ludashi.com
  Content-Length: 268
  Cache-Control: no-cache
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | DNS traffic detected: queries for: api.ludashi.com
Source: unknown | HTTP traffic detected: POST /downloader/soft/reportNew HTTP/1.1
  Accept: */*
  Accept-Language: zh-CN,zh;q=0.9
  Connection: Keep-Alive
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.4044.92 Safari/537.36
  Host: softmgr.ludashi.com
  Content-Length: 268
  Cache-Control: no-cache
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1688692016.0000000003803000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2905101868.0000000003803000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2905101868.00000000037D0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1688921763.00000000037ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1688921763.0000000003803000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1688692016.00000000037EC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://api.ludashi.com/inst/get3
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2903095888.00000000008D0000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://api.ludashi.com/inst/get3ck(W
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2904729509.0000000001918000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1948300059.00000000018F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://api.ludashi.com/inst/get3dll
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2905101868.00000000037D0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1688921763.00000000037ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1688692016.00000000037EC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://api.ludashi.com/inst/get3omm
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe | String found in binary or memory: http://ocsp.digicert.com0N
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2904729509.0000000001918000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1948300059.00000000018F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/sha2-assured-cs-g1.crlhttp://crl4.digicert.com/sha2
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2904625274.00000000018AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl4.digicert.com/DigiCertAssuredIDRootCA.crlhttp://crl3.digicert.com
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe | String found in binary or memory: http://pki-crl.symauth.com/ca_219679623e6b4fa507d638cbeba72ecb/LatestCRL.crl07
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe | String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe | String found in binary or memory: http://pki-ocsp.symauth.com0
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2903095888.00000000008D0000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://s.ludashi.com/url2?pid=
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1688881910.0000000003847000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://s.ludashi.com/url2?pid=buysite_00&type=xzq&action=run&appver=6.1022.1135.1123&modver=6.1022.1
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe | String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe | String found in binary or memory: http://s.symcd.com06
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2904729509.0000000001918000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1948300059.00000000018F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://s.symcd.comhttp://s.symcb.com/universal-root.crlq
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1688921763.0000000003803000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://softmgr.ludashi.com/downloader/soft/reportNew
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2905101868.00000000037D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://softmgr.ludashi.com/downloader/soft/reportNewF
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2905101868.00000000037D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://softmgr.ludashi.com/downloader/soft/reportNewb
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2903095888.00000000008D0000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://softmgr.ludashi.com/downloader/soft/reportNewdeque
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2904729509.0000000001918000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1948300059.00000000018F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ts-ocsp.ws.symantec.comhttp://ts-crl.ws.symantec.com/sha256-tss-ca.crl
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1698132084.0000000004B3C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1698065610.0000000004B3C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1698466335.0000000004B3C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2906638911.0000000005E42000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1698391857.0000000004B3C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1698222083.0000000004B3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2906638911.0000000005E42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2906638911.0000000005E42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2906638911.0000000005E42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2906638911.0000000005E42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2906638911.0000000005E42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2906638911.0000000005E42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2906638911.0000000005E42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2906638911.0000000005E42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2906638911.0000000005E42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2906638911.0000000005E42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2906638911.0000000005E42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2906638911.0000000005E42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2906638911.0000000005E42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2906638911.0000000005E42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1704779461.0000000004B3A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2906638911.0000000005E42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2906638911.0000000005E42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2906638911.0000000005E42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2903095888.00000000008D0000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.ludashi.com/lisence.htmlerror
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1694623394.0000000004B41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1695808702.0000000004B41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1693006169.0000000004B41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1692699848.0000000004B41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1694020006.0000000004B41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1694542645.0000000004B41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1695564134.0000000004B41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1694238591.0000000004B41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1692186887.0000000004B41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1692636497.0000000004B41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1692914352.0000000004B41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1694327338.0000000004B41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1691962938.0000000004B41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1692276974.0000000004B41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1696046305.0000000004B41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1691691765.0000000004B41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1693139352.0000000004B41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1692379684.0000000004B41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1695739379.0000000004B41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1691644948.0000000004B41000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1691518193.0000000004B41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2906638911.0000000005E42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2906638911.0000000005E42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2906638911.0000000005E42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2906638911.0000000005E42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2906638911.0000000005E42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2906638911.0000000005E42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2904625274.00000000018AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn-file-ssl-pc.ludashi.com/pc/installer/ludashi_home_20221101.dllm
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe | String found in binary or memory: https://d.symcb.com/cps0%
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe | String found in binary or memory: https://d.symcb.com/rpa0
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe | String found in binary or memory: https://d.symcb.com/rpa0.
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1688281464.0000000003846000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2905101868.0000000003832000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1688222984.0000000003844000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1688548033.000000000382F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1687988352.0000000003844000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1688647146.0000000003846000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1688597916.0000000003834000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1688881910.0000000003847000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe | String found in binary or memory: https://www.digicert.com/CPS0
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2903095888.00000000008D0000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.ludashi.comhttps://www.ludashi.com/page/contact.phpnx
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Memory allocated: 76E70000 page execute and read and write
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000000.1637165801.000000000137F000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameinst.exe* vs SecuriteInfo.com.FileRepPup.14593.15387.exe
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2904449530.000000000173A000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameinst.exe* vs SecuriteInfo.com.FileRepPup.14593.15387.exe
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe | Binary or memory string: OriginalFilenameinst.exe* vs SecuriteInfo.com.FileRepPup.14593.15387.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: firewallapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: fwbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: fwpolicyiomgr.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: cryptnet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: netbios.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exeSection loaded: dwrite.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exeSection loaded: textshaping.dllJump to behavior
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal45.evad.winEXE@1/2@3/3
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | File created: C:\Program Files (x86)\Ludashi
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\get3[1].htm
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Mutant created: \Sessions\1\BaseNamedObjects\CUSERSuserAPPDATAROAMINGDOWNLOADERDOWNLOADERLOG
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Mutant created: \Sessions\1\BaseNamedObjects\ThunderMissionDownloadingMutex
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe | ReversingLabs: Detection: 50%
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe | Virustotal: Detection: 48%
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{304CE942-6E39-40D8-943A-B913C40C9CD4}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe | Static PE information: certificate valid
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe | Static file information: File size 7030672 > 1048576
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe | Static PE information: Raw size of W1 is bigger than: 0x100000 < 0x647a00
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: initial sample | Static PE information: section where entry point is pointing to: W1
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe | Static PE information: section name: W0
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe | Static PE information: section name: W1
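
The static PE rows above (non-standard section names W0 and W1, an entry point inside W1, a raw section larger than 0x100000 bytes, and the DYNAMIC_BASE / NX_COMPAT / TERMINAL_SERVER_AWARE flags) can be reproduced from the PE headers alone, without the sandbox. The Python below is an added example and is not part of the Joe Sandbox report or its tooling: a stdlib-only header parser, plus a constructed PE32 header blob that mirrors the sample's layout. Only headers are built (no section bodies), so the blob is not an executable; the section sizes are the ones the report states, the 1 MiB threshold and the list of "standard" section names are assumptions chosen to match the report's wording, and every other header value is filler.

```python
import struct

# Section names a linker normally emits; anything else is reported as non-standard.
# Assumption: this list is ours, not the sandbox's.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".pdata", ".CRT", ".debug"}

# IMAGE_DLLCHARACTERISTICS_* bits relevant to the findings above.
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x0400: "NO_SEH",
                       0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}


def parse_pe(data: bytes) -> dict:
    """Parse the DOS, COFF, optional and section headers of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (machine, nsections, _, _, _,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24                                            # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                              # PE32 / PE32+
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]      # same offset in both formats
    sections = []
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {"machine": machine, "characteristics": characteristics,
            "entry_rva": entry_rva, "dll_characteristics": dll_chars, "sections": sections}


def entry_section(pe: dict):
    """Name of the section containing AddressOfEntryPoint, or None if it lies outside all."""
    for s in pe["sections"]:
        if s["va"] <= pe["entry_rva"] < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["name"]
    return None


def dll_flags(pe: dict):
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items())
            if pe["dll_characteristics"] & bit]


def findings(pe: dict, big_section=0x100000):
    """Static observations phrased like the report rows above."""
    out = []
    for s in pe["sections"]:
        if s["name"] not in STANDARD_SECTIONS:
            out.append(f"section name: {s['name']}")
        if s["raw_size"] > big_section:
            out.append(f"Raw size of {s['name']} is bigger than: "
                       f"{big_section:#x} < {s['raw_size']:#x}")
    ep = entry_section(pe)
    if ep not in STANDARD_SECTIONS:
        out.append(f"section where entry point is pointing to: {ep}")
    out.append(", ".join(dll_flags(pe)))
    return out


def build_sample_pe() -> bytes:
    """Constructed PE32 headers mirroring the sample: sections W0 and W1, entry point in W1.

    Headers only, so this is not a runnable executable. Section sizes come from the
    report; ImageBase, alignments and subsystem are invented filler.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)  # I386, EXECUTABLE|32BIT
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2010)                      # AddressOfEntryPoint, inside W1
    struct.pack_into("<I", opt, 28, 0x400000)                    # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)                      # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                       # FileAlignment
    struct.pack_into("<H", opt, 68, 2)                           # Subsystem: WINDOWS_GUI
    struct.pack_into("<H", opt, 70, 0x8140)                      # DYNAMIC_BASE|NX_COMPAT|TS_AWARE
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes

    def section(name, vsize, va, raw_size, raw_ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, flags)

    sections = (section(b"W0", 0x1000, 0x1000, 0x200, 0x400, 0xC0000040)
                + section(b"W1", 0x650000, 0x2000, 0x647A00, 0x600, 0xE0000020))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    for line in findings(parse_pe(build_sample_pe())):
        print(line)
```

Running it against the constructed blob prints the two non-standard names, the W1 raw-size finding (0x100000 < 0x647a00), the entry-point section W1 and the three DllCharacteristics flags; pointing `parse_pe` at the bytes of a real file gives the same four checks for that file. Note that the entry-point test uses the larger of VirtualSize and SizeOfRawData, since packers often leave one of the two undersized.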

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Memory written: PID: 7292 base: 1810005 value: E9 2B BA 6B 75
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Memory written: PID: 7292 base: 76ECBA30 value: E9 DA 45 94 8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Memory written: PID: 7292 base: 1820008 value: E9 8B 8E 6F 75
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Memory written: PID: 7292 base: 76F18E90 value: E9 80 71 90 8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Memory written: PID: 7292 base: 1880005 value: E9 8B 4D 37 74
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Memory written: PID: 7292 base: 75BF4D90 value: E9 7A B2 C8 8B
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Memory written: PID: 7292 base: 3550005 value: E9 EB EB 6B 72
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Memory written: PID: 7292 base: 75C0EBF0 value: E9 1A 14 94 8D
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Memory written: PID: 7292 base: 3560005 value: E9 8B 8A A7 71
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Memory written: PID: 7292 base: 74FD8A90 value: E9 7A 75 58 8E
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Memory written: PID: 7292 base: 3570005 value: E9 2B 02 A9 71
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Memory written: PID: 7292 base: 75000230 value: E9 DA FD 56 8E
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Memory written: PID: 7292 base: 3580005 value: E9 8B 2F 98 73
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Memory written: PID: 7292 base: 76F02F90 value: E9 7A D0 67 8C
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Process information set: NOOPENFILEERRORBOX
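
Every "Memory written" value above is a five-byte `E9 rel32` (JMP rel32), and the rows come in pairs: one write lands in the 0x74xxxxxx to 0x76xxxxxx range where 32-bit system DLLs are mapped (for example 76ECBA30), the other in a small, freshly allocated block (for example 1810005). Decoding rel32 as a signed displacement from the end of the instruction makes the relationship visible: the DLL-side jump lands inside the allocated block (the detour handler), and the block-side jump lands 5 or 8 bytes past the DLL address, which is just after the overwritten prologue, i.e. the trampoline returning to the original function. The Python below is an added example, not from the report or its tooling; the rows are transcribed from the report, and the rule it uses to tell the trampoline from the hook site when both readings fit (the relocated prologue starts on a page boundary) is a heuristic assumption.

```python
import struct

# Memory-write rows transcribed from the report above (PID 7292): (address, bytes written).
REPORT_WRITES = [
    (0x01810005, "E9 2B BA 6B 75"), (0x76ECBA30, "E9 DA 45 94 8A"),
    (0x01820008, "E9 8B 8E 6F 75"), (0x76F18E90, "E9 80 71 90 8A"),
    (0x01880005, "E9 8B 4D 37 74"), (0x75BF4D90, "E9 7A B2 C8 8B"),
    (0x03550005, "E9 EB EB 6B 72"), (0x75C0EBF0, "E9 1A 14 94 8D"),
    (0x03560005, "E9 8B 8A A7 71"), (0x74FD8A90, "E9 7A 75 58 8E"),
    (0x03570005, "E9 2B 02 A9 71"), (0x75000230, "E9 DA FD 56 8E"),
    (0x03580005, "E9 8B 2F 98 73"), (0x76F02F90, "E9 7A D0 67 8C"),
]


def jmp_rel32_target(addr: int, code: bytes) -> int:
    """Absolute target of a 5-byte JMP rel32 (opcode E9) written at addr.

    rel32 is a signed displacement relative to the end of the instruction
    (addr + 5); the sum wraps to 32 bits as it would in a 32-bit process.
    """
    if len(code) < 5 or code[0] != 0xE9:
        raise ValueError("not an E9 JMP rel32")
    rel = struct.unpack_from("<i", code, 1)[0]
    return (addr + 5 + rel) & 0xFFFFFFFF


def decode_writes(rows):
    """Turn (address, 'E9 xx xx xx xx') rows into (address, jump target) pairs."""
    return [(addr, jmp_rel32_target(addr, bytes.fromhex(hexstr))) for addr, hexstr in rows]


def pair_hooks(decoded, window=16):
    """Match each patched function prologue (hook site) with its trampoline.

    A trampoline is a write whose jump lands a few bytes past another write's
    address (resuming the original function after the stolen prologue bytes),
    while that other write's jump lands in the same page as the trampoline
    (the detour handler). The mirrored reading of the same two writes also
    passes those two tests, so a third test breaks the tie.
    Assumption (heuristic, not stated in the report): the stolen prologue bytes
    are copied to the start of a freshly allocated, page-aligned block, so the
    trampoline's JMP sits exactly `stolen` bytes into a page.
    """
    pairs = []
    for site, detour in decoded:
        for tramp, resume in decoded:
            if tramp == site:
                continue
            stolen = resume - site
            if not 0 < stolen <= window:
                continue
            if (detour >> 12) != (tramp >> 12):
                continue
            if (tramp - stolen) & 0xFFF:
                continue
            pairs.append({"hook_site": site, "detour": detour, "trampoline": tramp,
                          "resume": resume, "stolen_bytes": stolen})
    return sorted(pairs, key=lambda p: p["hook_site"])


def describe(pairs):
    """One human-readable line per inline hook."""
    return [f"hook at {p['hook_site']:08X} -> detour {p['detour']:08X}; "
            f"trampoline {p['trampoline']:08X} resumes at {p['resume']:08X} "
            f"({p['stolen_bytes']} prologue bytes relocated)" for p in pairs]


if __name__ == "__main__":
    for line in describe(pair_hooks(decode_writes(REPORT_WRITES))):
        print(line)
```

On the report's fourteen rows this yields seven hooks; six relocate 5 prologue bytes and the one at 76F18E90 relocates 8 (its trampoline JMP sits at 1820008, so the function's first instructions did not fit in five bytes). Which APIs live at those addresses is not in the report and is not guessed here; with a memory dump of the process, the same addresses can be resolved against the loaded modules listed in the "Section loaded" rows.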

Malware Analysis System Evasion

Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2903287088.0000000000924000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | RDTSC instruction interceptor: First address: 0000000000BAF3F8 second address: 0000000000BAF3FB instructions: 0x00000000 rdtsc 0x00000002 popfd 0x00000003 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001 name: DriverDesc
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | File opened: PhysicalDrive0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | File Volume queried: C:\ FullSizeInformation
Source: SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2905101868.0000000003821000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000002.2905101868.00000000037D0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1688921763.0000000003821000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1688921763.00000000037ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1688692016.0000000003821000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepPup.14593.15387.exe, 00000000.00000003.1688692016.00000000037EC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exeQueries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exeQueries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exeQueries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exeQueries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc | VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 2 Masquerading | 1 Credential API Hooking | 1 Query Registry | Remote Services | 1 Credential API Hooking | 3 Non-Application Layer Protocol | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 2 Virtualization/Sandbox Evasion | LSASS Memory | 221 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 13 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 2 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 123 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Source | Detection | Scanner | Label
SecuriteInfo.com.FileRepPup.14593.15387.exe | 50% | ReversingLabs |
SecuriteInfo.com.FileRepPup.14593.15387.exe | 49% | Virustotal |
No Antivirus matches
Source | Detection | Scanner | Label
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://pki-ocsp.symauth.com0 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/cThe | 0% | Avira URL Cloud | safe
https://www.ludashi.comhttps://www.ludashi.com/page/contact.phpnx | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn | 0% | Avira URL Cloud | safe
http://www.zhongyicts.com.cn | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | Virustotal |
http://www.founder.com.cn/cn/cThe | 0% | Virustotal |
http://www.zhongyicts.com.cn | 1% | Virustotal |
http://www.founder.com.cn/cn | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s.ludashi.com | 47.117.76.6 | true | false | | high
softmgr.ludashi.com | 114.116.20.137 | true | false | | high
api.ludashi.com | 114.115.218.83 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://api.ludashi.com/inst/get3 | false | | high
http://s.ludashi.com/url2?pid=buysite_00&type=xzq&action=run&appver=6.1022.1135.1123&modver=6.1022.1135.1123&mid=6039146e22b008fbd61fc0617475e9aa&ex_ary[siteid]=&ex_ary[softid]=&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]= | false | | high
http://softmgr.ludashi.com/downloader/soft/reportNew | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
114.116.20.137 | softmgr.ludashi.com | China | 4808 | CHINA169-BJ China Unicom Beijing Province Network CN | false
47.117.76.6 | s.ludashi.com | China | 37963 | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co Ltd | false
114.115.218.83 | api.ludashi.com | China | 4808 | CHINA169-BJ China Unicom Beijing Province Network CN | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1400700
Start date and time: 2024-02-29 08:14:15 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 0s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.FileRepPup.14593.15387.exe
Detection: MAL
Classification: mal45.evad.winEXE@1/2@3/3
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
                                                          Cookbook Comments:
                                                          • Found application associated with file extension: .exe
                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                          • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                          • Report size getting too big, too many NtEnumerateValueKey calls found.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                          No simulations
Match (IP)  Associated Sample Name / URL  Detection  Threat Name
Match: 114.116.20.137
• https://cdn-file-ssl.ludashi.com/downloader/temp_package/2023-11/VC11%E8%BF%90%E8%A1%8C%E5%BA%93%E4%B8%8B%E8%BD%BDVC11(VC%20%20%202012)%E5%AE%98%E6%96%B9%E7%89%88(64%E4%BD%8D%2032%E4%BD%8D)%E4%B8%8B%E8%BD%BD@3003_7511@2.1.exe  Detection: malicious  Threat Name: Unknown
• https://cdn-file-ssl.ludashi.com/downloader/temp_package/2023-06/QQ%E9%9F%B3%E4%B9%90_437919993.exe  Detection: malicious  Threat Name: Unknown
• XMind #U00e6#U00e7#U00bb#U00b4#U00e5#U00af#U00bc#U00e5#U00be@8001_663@2.8.exe  Detection: malicious  Threat Name: Unknown
Match: 47.117.76.6
• https://cdn-file-ssl.ludashi.com/downloader/temp_package/2023-11/VC11%E8%BF%90%E8%A1%8C%E5%BA%93%E4%B8%8B%E8%BD%BDVC11(VC%20%20%202012)%E5%AE%98%E6%96%B9%E7%89%88(64%E4%BD%8D%2032%E4%BD%8D)%E4%B8%8B%E8%BD%BD@3003_7511@2.1.exe  Detection: malicious  Threat Name: Unknown
• XMind #U00e6#U00e7#U00bb#U00b4#U00e5#U00af#U00bc#U00e5#U00be@8001_663@2.8.exe  Detection: malicious  Threat Name: Unknown
• UM6rAJhKEq.exe  Detection: malicious  Threat Name: Unknown
• mAGs0IsoB7.exe  Detection: malicious  Threat Name: Unknown
• KuMTnLOuSZ.exe  Detection: malicious  Threat Name: Unknown
• KuMTnLOuSZ.exe  Detection: malicious  Threat Name: Unknown
• o5ZGIQwDed.exe  Detection: malicious  Threat Name: Unknown
• 17mqa66sU6.exe  Detection: malicious  Threat Name: Unknown
Match: 114.115.218.83
• https://cdn-file-ssl.ludashi.com/downloader/temp_package/2023-11/VC11%E8%BF%90%E8%A1%8C%E5%BA%93%E4%B8%8B%E8%BD%BDVC11(VC%20%20%202012)%E5%AE%98%E6%96%B9%E7%89%88(64%E4%BD%8D%2032%E4%BD%8D)%E4%B8%8B%E8%BD%BD@3003_7511@2.1.exe  Detection: malicious  Threat Name: Unknown
• https://cdn-file-ssl.ludashi.com/downloader/temp_package/2023-06/QQ%E9%9F%B3%E4%B9%90_437919993.exe  Detection: malicious  Threat Name: Unknown
Match (Domain)  Associated Sample Name / URL  Detection  Threat Name  Context (IP)
Match: api.ludashi.com
• https://cdn-file-ssl.ludashi.com/downloader/temp_package/2023-06/QQ%E9%9F%B3%E4%B9%90_437919993.exe  Detection: malicious  Threat Name: Unknown  Context: 114.115.218.83
Match: s.ludashi.com
• SecuriteInfo.com.FileRepMalware.20313.1405.exe  Detection: malicious  Threat Name: Unknown  Context: 106.15.48.27
• http://api.pdfxd.com/pdf-service/v1/action?os=163842&device_id=741e5fc1b4d58e5b4c3ac5f1dc5a9464&version=&qd=&day=&t=4312453&product=xundu&machine_name=141700  Detection: malicious  Threat Name: Unknown  Context: 47.117.76.201
• XMind #U00e6#U00e7#U00bb#U00b4#U00e5#U00af#U00bc#U00e5#U00be@8001_663@2.8.exe  Detection: malicious  Threat Name: Unknown  Context: 47.117.76.6
• UM6rAJhKEq.exe  Detection: malicious  Threat Name: Unknown  Context: 47.117.76.6
• mAGs0IsoB7.exe  Detection: malicious  Threat Name: Unknown  Context: 47.117.76.6
• KuMTnLOuSZ.exe  Detection: malicious  Threat Name: Unknown  Context: 47.117.70.170
• o5ZGIQwDed.exe  Detection: malicious  Threat Name: Unknown  Context: 47.117.70.170
• UM6rAJhKEq.exe  Detection: malicious  Threat Name: Unknown  Context: 106.15.48.27
• mAGs0IsoB7.exe  Detection: malicious  Threat Name: Unknown  Context: 106.15.48.27
Match: softmgr.ludashi.com
• https://cdn-file-ssl.ludashi.com/downloader/temp_package/2023-06/QQ%E9%9F%B3%E4%B9%90_437919993.exe  Detection: malicious  Threat Name: Unknown  Context: 114.116.20.137
• XMind #U00e6#U00e7#U00bb#U00b4#U00e5#U00af#U00bc#U00e5#U00be@8001_663@2.8.exe  Detection: malicious  Threat Name: Unknown  Context: 114.116.20.137
Match (ASN)  Associated Sample Name / URL  Detection  Threat Name  Context (IP)
Match: CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co Ltd
• dUhNzDcJw6.elf  Detection: malicious  Threat Name: Mirai  Context: 115.28.135.2
• EONtj0wYW4.elf  Detection: malicious  Threat Name: Mirai  Context: 120.26.230.107
• mpsl.elf  Detection: malicious  Threat Name: Mirai  Context: 112.125.47.142
• x86.elf  Detection: malicious  Threat Name: Mirai  Context: 139.251.141.41
• https://cbcmcsnsmcbscoerd.agdvir.cn/IP:  Detection: malicious  Threat Name: Unknown  Context: 139.196.195.119
• iYvjgQcdaB.exe  Detection: malicious  Threat Name: CobaltStrike  Context: 118.31.75.32
• NKsImgzWaq.exe  Detection: malicious  Threat Name: CobaltStrike  Context: 118.31.75.32
• ZtbAkJUbdl.elf  Detection: malicious  Threat Name: Mirai  Context: 118.190.228.116
• mpsl.elf  Detection: malicious  Threat Name: Mirai  Context: 47.96.52.115
• arm7.elf  Detection: malicious  Threat Name: Mirai  Context: 8.168.154.111
Match: CHINA169-BJ China Unicom Beijing Province Network CN
• dUhNzDcJw6.elf  Detection: malicious  Threat Name: Mirai  Context: 111.193.177.219
• EONtj0wYW4.elf  Detection: malicious  Threat Name: Mirai  Context: 14.130.96.226
• mpsl.elf  Detection: malicious  Threat Name: Mirai  Context: 124.207.102.237
• x86.elf  Detection: malicious  Threat Name: Mirai  Context: 203.93.4.9
• jew.x86.elf  Detection: malicious  Threat Name: Mirai  Context: 1.95.69.252
• u6aBuFUyJo.elf  Detection: malicious  Threat Name: Mirai  Context: 111.199.204.213
• x86.elf  Detection: malicious  Threat Name: Mirai  Context: 113.45.207.159
• arm7.elf  Detection: malicious  Threat Name: Mirai  Context: 118.199.156.126
• 5NiE12PYJz.elf  Detection: malicious  Threat Name: Mirai  Context: 114.253.184.165
• LUNFk2Hgfu.elf  Detection: malicious  Threat Name: Mirai, Okiru  Context: 1.94.226.225
                                                                                    No context
                                                                                    No context
                                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):38
                                                                                    Entropy (8bit):2.650279546195477
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:YlpNyzILL5l:YBy0Jl
                                                                                    MD5:70AA252E3CEDED40C13727828BB3757E
                                                                                    SHA1:04CB993D8B3B27635C7C5B0FE4C33047CA45E519
                                                                                    SHA-256:2813E7B6DFEEEAA5E39C377124F95DA48FD048DE020E1340CD3A96A4831DC207
                                                                                    SHA-512:24BA1AB2AD81A09D2D26403B923911D7D7062659391F1B23C9B9CFA2FF4D5A0A5A9200CA192553352F842C6831DB4CEC0A53693BE175ADBD3D106DC8090DD52F
                                                                                    Malicious:false
                                                                                    Reputation:low
                                                                                    Preview:{.C.B.7.8.7.1.0.B.-.A.7.D.8.-.4.4.7.1.
                                                                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe
                                                                                    File Type:ASCII text, with very long lines (472), with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):472
                                                                                    Entropy (8bit):5.905019534449515
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:w/AjdNJGfxnTe1RkQgKnX/1dxoxjqCXW8k7:wYpNJGpnq8KnPkXW8S
                                                                                    MD5:D9F56D9FB74A463A1DBF11D95C662FAC
                                                                                    SHA1:088C903EAED1BA256D27FA99512A91408569B3D3
                                                                                    SHA-256:2F367E3C9295DAEE1D2A177F2CCE0DCDF24EC137091EA3B788F197524D5557B6
                                                                                    SHA-512:C59AA0A634710BCBE94CBFD95BCD304DD4A0836A3459634EFCB216C2E01D41C3B34AF4F7E6CE047477456361D5E33868790FCAE05475F093A87B0432CCA0FDC1
                                                                                    Malicious:false
                                                                                    Reputation:low
                                                                                    Preview:TYna9pwhk2RwSlH/eyfuhKKTxMYUpBveXW0l4O7Qt+eOinlf/x8wp8pkx0hIAh8umPoiZ1jC824Q7zV4UNWczR8A1HnzVAhnEFfvkYEKpHnTtsm5C5+Syveh5IQ66xBjY0Ba2hH8PVa8A4uwmv5gkPdvaoOmrBWuLAMS6+uYsbjhWHR5muk0uRC0yqJiKSmpAjYSKE3yW75b8ZvjOFJ0Bk2kL2M2iif3wLCFY5yqjNw14RB5UqTKFlx9dV+6yorts6zXetGS8nz+QR/88ZqP/0nqBBffRdegh88AEoZPFuxeCjLyjreAiDdkO9djwJ13n08NMGi5SrFjb0F1aQG2ND2Agc28HigyxcBw0VkcHt0w+JDxS/nO6EuU7Bo5grZtYvAwgp5POVwbONvou/FEc3mor9OdK0c/fPmYsPcuHOKS8bZmlZ1wDeWqs/WGx2vvukeHE6cw008o1k3tyBzKoA==
                                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                    Entropy (8bit):7.924806767866354
                                                                                    TrID:
                                                                                    • Win32 Executable (generic) a (10002005/4) 99.83%
                                                                                    • Windows Screen Saver (13104/52) 0.13%
                                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                    File name:SecuriteInfo.com.FileRepPup.14593.15387.exe
                                                                                    File size:7'030'672 bytes
                                                                                    MD5:65c6c55ff7a297cb8038ed701d6cdef1
                                                                                    SHA1:70bc9fabbc72224d3ad5ad54211e2e6865aefc9c
                                                                                    SHA256:8f1d957803f3501d26f385df4f2f92408b9bd1cbf825ac7bce3584a495253486
                                                                                    SHA512:80521a7a5592d6bd52187af31c6a293802a7d654308ec0f3aab234e3e0df294b7439d510973bc8db5ea85bb1a80e5532fdbcf9f75e401935046441065ab1dac6
                                                                                    SSDEEP:98304:2TOYcpeE6kT/hh5UhamPSzGOljFbY/qAt8Z06Sgn6W9BO+xmLaGDaQHmm/z:moehkKhhaz/lBbY/qAtifSZOt8aeb
                                                                                    TLSH:2E6612D3C1A45746D4B35CB60717ACB931BB5E7E82A33579959FBACB010A2C2B633207
                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c............................Z.............@.................................U~k...@..........................v..H..
                                                                                    Icon Hash:234db2b3f279b34f
                                                                                    Entrypoint:0xd8d55a
                                                                                    Entrypoint Section:W1
                                                                                    Digitally signed:true
                                                                                    Imagebase:0x400000
                                                                                    Subsystem:windows gui
                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                    Time Stamp:0x637F001B [Thu Nov 24 05:24:43 2022 UTC]
                                                                                    TLS Callbacks:
                                                                                    CLR (.Net) Version:
                                                                                    OS Version Major:5
                                                                                    OS Version Minor:1
                                                                                    File Version Major:5
                                                                                    File Version Minor:1
                                                                                    Subsystem Version Major:5
                                                                                    Subsystem Version Minor:1
                                                                                    Import Hash:1732aecd6461b407fcae9876f36e0b07
                                                                                    Signature Valid:true
                                                                                    Signature Issuer:CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
                                                                                    Signature Validation Error:The operation completed successfully
                                                                                    Error Number:0
                                                                                    Not Before, Not After
                                                                                    • 25/05/2021 01:00:00 29/05/2024 00:59:59
                                                                                    Subject Chain
• CN=Chengdu Qilu Technology Co. Ltd., O=Chengdu Qilu Technology Co. Ltd., L=成都市, S=四川省, C=CN
                                                                                    Version:3
                                                                                    Thumbprint MD5:187A069F86D379FE84D71BA37D3B2A30
                                                                                    Thumbprint SHA-1:4D7326B46527C9CBEEC83D4368EAF372300FFDCC
                                                                                    Thumbprint SHA-256:A2F571D518EAEF0A67CCC12AD3AAC3F240AA8B39A679E5A2F352700412306CAA
                                                                                    Serial:05DE6C1E6DCB34DF9869AEDC157F0725
                                                                                    Instruction
                                                                                    jmp 00007F0550BB2D6Ah
                                                                                    add esi, dword ptr [edi+00000001h]
                                                                                    add byte ptr [eax], al
                                                                                    jmp 00007F0550CF8127h
                                                                                    cmc
                                                                                    rol eax, 02h
                                                                                    test cx, sp
                                                                                    xor eax, 05AB56C9h
                                                                                    xor ebx, eax
                                                                                    add edi, eax
                                                                                    push edi
                                                                                    ret
                                                                                    jmp 00007F055073E6B8h
                                                                                    inc eax
                                                                                    rol eax, 1
                                                                                    xor eax, 463E20AAh
                                                                                    sub eax, 0AE54F70h
                                                                                    clc
                                                                                    rol eax, 03h
                                                                                    xor ebx, eax
                                                                                    add edi, eax
                                                                                    jmp 00007F0550C2330Dh
                                                                                    push esi
                                                                                    inc eax
                                                                                    xadd dh, dh
                                                                                    inc esp
                                                                                    xor dword ptr [esp], eax
                                                                                    sub si, 3AC6h
                                                                                    pop esi
                                                                                    clc
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xa276d4 | 0x48 | W1
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4d8914 | 0xc8 | W1
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb0e000 | 0x6a481 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x6b2c00 | 0x1b90 | W1
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb0d000 | 0x61c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x98c204 | 0x20 | W1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb0c170 | 0x40 | W1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x51b000 | 0x590 | W1
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xa22e3c | 0x1e0 | W1
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9e8bc | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xa0000 | 0x256c4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xc6000 | 0x2d898 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
W0 | 0xf4000 | 0x3d0d1d | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
W1 | 0x4c5000 | 0x6478a0 | 0x647a00 | d2408f617ef9d8d6746baa88c4fa37d0 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc | 0xb0d000 | 0x61c | 0x800 | f01993903ff2aa59cb7eaba0f30d7f1f | False | 0.40576171875 | data | 3.5076762374625647 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xb0e000 | 0x6a481 | 0x6a600 | 53b621849964c4d2e8bb123af6a7b0dc | False | 0.18665311031139836 | data | 5.713069070818205 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xb0e280 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 270336 | Chinese | China | 0.1611829452318253
RT_ICON | 0xb502a8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | Chinese | China | 0.17694901218502307
RT_ICON | 0xb60ad0 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | Chinese | China | 0.2541517763296195
RT_ICON | 0xb69f78 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | Chinese | China | 0.2825323475046211
RT_ICON | 0xb6f400 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | Chinese | China | 0.24687057156353331
RT_ICON | 0xb73628 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Chinese | China | 0.38765560165975105
RT_ICON | 0xb75bd0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Chinese | China | 0.4026735459662289
RT_ICON | 0xb76c78 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Chinese | China | 0.6702127659574468
RT_GROUP_ICON | 0xb770e0 | 0x76 | data | Chinese | China | 0.7457627118644068
RT_VERSION | 0xb77158 | 0x290 | MS Windows COFF PA-RISC object file | Chinese | China | 0.49390243902439024
RT_MANIFEST | 0xb773e8 | 0x1099 | exported SGML document, ASCII text, with CRLF line terminators | English | United States | 0.21440338903271358
DLL | Import
KERNEL32.dll | HeapDestroy, HeapAlloc, HeapReAlloc, HeapFree, HeapSize, GetProcessHeap, SetFilePointer, CloseHandle, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, CreateFileW, OpenProcess, GetCurrentProcessId, GetLastError, SetLastError, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, WaitForSingleObject, CreateMutexW, GetModuleFileNameW, RaiseException, GetCurrentThreadId, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, MultiByteToWideChar, LockResource, GetProcAddress, GetCurrentProcess, SetEvent, LoadResource, SizeofResource, CreateEventW, GetModuleHandleW, FindResourceW, FindResourceExW, GetVersionExW, GlobalAlloc, GlobalLock, GlobalUnlock, GlobalFree, FreeLibrary, ReadFile, GetTickCount, LoadLibraryW, CreateProcessW, GetStartupInfoW, GetTempPathW, SetFileAttributesW, MoveFileExW, DeleteFileA, WideCharToMultiByte, DecodePointer, InterlockedIncrement, InterlockedDecrement, lstrcmpiW, LoadLibraryExW, LocalFree, FindClose, RemoveDirectoryW, DeleteFileW, FindFirstFileW, FindNextFileW, WriteFile, GetLogicalDriveStringsW, GetDriveTypeW, GetDiskFreeSpaceExW, Sleep, WaitForSingleObjectEx, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExW, ReadConsoleW, SetEndOfFile, SetStdHandle, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, WriteConsoleW, GetACP, GetStdHandle, ExitProcess, GetTimeZoneInformation, GetConsoleMode, GetConsoleCP, SetFilePointerEx, GetFileType, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, CreateThread, RtlUnwind, CreateFileA, lstrcmpiA, lstrcmpA, DeviceIoControl, GetSystemWindowsDirectoryW, FreeResource, InterlockedCompareExchange, ResetEvent, ResumeThread, SuspendThread, GetThreadContext, GetThreadPriority, SetThreadPriority, OpenThread, GetCurrentThread, GetWindowsDirectoryW, GetSystemDirectoryW, FlushFileBuffers, QueryPerformanceCounter, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, ReleaseMutex, GetCPInfo, GetLocaleInfoW, LCMapStringW, CompareStringW, GetSystemTimeAsFileTime, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, SwitchToThread, FormatMessageW, GetStringTypeW, GetFileSizeEx, OpenFileMappingW, VirtualFree, VirtualAlloc, IsProcessorFeaturePresent, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsDebuggerPresent, OutputDebugStringW, EncodePointer, InitializeSListHead, InterlockedPopEntrySList, InterlockedPushEntrySList, FlushInstructionCache
USER32.dll | GetCursorPos, SetForegroundWindow, TrackPopupMenu, AppendMenuW, CreatePopupMenu, RedrawWindow, LoadImageW, LoadIconW, FindWindowW, SetWindowTextW, GetSystemMetrics, MoveWindow, PostQuitMessage, SendMessageTimeoutW, CharNextW, PeekMessageW, DispatchMessageW, TranslateMessage, GetMessageW, GetShellWindow, WaitForInputIdle, SystemParametersInfoW, SetWindowRgn, IsWindowVisible, UpdateLayeredWindow, ShowWindow, GetMonitorInfoW, IsDialogMessageW, GetWindow, GetParent, MapWindowPoints, ScreenToClient, GetWindowRect, EndDialog, MonitorFromWindow, BringWindowToTop, SetWindowPos, IsRectEmpty, SetCursor, CopyRect, PtInRect, OffsetRect, SetRect, IsWindow, ReleaseDC, GetDC, KillTimer, SetTimer, GetClientRect, GetWindowTextLengthW, GetWindowTextW, InvalidateRect, EndPaint, BeginPaint, DrawTextW, LoadCursorW, SetWindowLongW, GetWindowLongW, DestroyWindow, CreateWindowExW, GetClassInfoExW, RegisterClassExW, UnregisterClassW, CallWindowProcW, DefWindowProcW, PostMessageW, SendMessageW, GetWindowThreadProcessId, wsprintfW, DialogBoxParamW
OLEAUT32.dll | VarUI4FromStr, SysFreeString, SysAllocString
dbghelp.dll | MakeSureDirectoryPathExists
WTSAPI32.dll | WTSSendMessageW
KERNEL32.dll | VirtualQuery, GetSystemTimeAsFileTime, GetModuleHandleA, CreateEventA, GetModuleFileNameW, LoadLibraryA, TerminateProcess, GetCurrentProcess, GetSystemInfo, CreateToolhelp32Snapshot, Thread32First, GetCurrentProcessId, GetCurrentThreadId, OpenThread, Thread32Next, CloseHandle, SuspendThread, ResumeThread, WriteProcessMemory, VirtualAlloc, VirtualProtect, VirtualFree, GetProcessAffinityMask, SetProcessAffinityMask, GetCurrentThread, SetThreadAffinityMask, Sleep, FreeLibrary, GetTickCount, GlobalFree, GetProcAddress, LocalAlloc, LocalFree, ExitProcess, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, GetModuleHandleW, LoadResource, MultiByteToWideChar, FindResourceExW, FindResourceExA, WideCharToMultiByte, GetThreadLocale, GetUserDefaultLCID, GetSystemDefaultLCID, EnumResourceNamesA, EnumResourceNamesW, EnumResourceLanguagesA, EnumResourceLanguagesW, EnumResourceTypesA, EnumResourceTypesW, CreateFileW, LoadLibraryW, GetLastError, FlushFileBuffers, CreateFileA, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, GetCommandLineA, RaiseException, RtlUnwind, HeapFree, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, LCMapStringA, LCMapStringW, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, HeapCreate, HeapDestroy, QueryPerformanceCounter, HeapReAlloc, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, HeapSize, WriteFile, SetFilePointer, GetConsoleCP, GetConsoleMode, InitializeCriticalSectionAndSpinCount, SetStdHandle
USER32.dll | GetUserObjectInformationW, CharUpperBuffW, MessageBoxW, GetProcessWindowStation
KERNEL32.dll | LocalAlloc, LocalFree, GetModuleFileNameW, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, Sleep, ExitProcess, FreeLibrary, LoadLibraryA, GetModuleHandleA, GetProcAddress
USER32.dll | GetProcessWindowStation, GetUserObjectInformationW
Name | Ordinal | Address
_Start@12 | 1 | 0x426d50

Language of compilation system | Country where language is spoken
Chinese | China
English | United States
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Feb 29, 2024 08:15:05.982753038 CET | 192.168.2.4 | 1.1.1.1 | 0xcc1c | Standard query (0) | api.ludashi.com | A (IP address) | IN (0x0001) | false
Feb 29, 2024 08:15:07.508533955 CET | 192.168.2.4 | 1.1.1.1 | 0xe42a | Standard query (0) | softmgr.ludashi.com | A (IP address) | IN (0x0001) | false
Feb 29, 2024 08:15:07.514194965 CET | 192.168.2.4 | 1.1.1.1 | 0xbaf5 | Standard query (0) | s.ludashi.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Feb 29, 2024 08:15:06.136312962 CET | 1.1.1.1 | 192.168.2.4 | 0xcc1c | No error (0) | api.ludashi.com | | 114.115.218.83 | A (IP address) | IN (0x0001) | false
Feb 29, 2024 08:15:07.602580070 CET | 1.1.1.1 | 192.168.2.4 | 0xbaf5 | No error (0) | s.ludashi.com | | 47.117.76.6 | A (IP address) | IN (0x0001) | false
Feb 29, 2024 08:15:07.663695097 CET | 1.1.1.1 | 192.168.2.4 | 0xe42a | No error (0) | softmgr.ludashi.com | | 114.116.20.137 | A (IP address) | IN (0x0001) | false
                                                                                    • api.ludashi.com
                                                                                    • s.ludashi.com
                                                                                    • softmgr.ludashi.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49732 | 114.115.218.83 | 80 | 7292 | C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe

Timestamp | Bytes transferred | Direction | Data
Feb 29, 2024 08:15:06.496752024 CET | 478 | OUT | GET /inst/get3 HTTP/1.1
Accept: */*
Accept-Language: zh-CN,zh;q=0.9
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.4044.92 Safari/537.36
Host: api.ludashi.com
Content-Length: 184
Cache-Control: no-cache
Data Raw: 54 43 54 79 36 30 49 76 77 39 5a 57 4d 46 34 56 4e 45 79 50 6b 45 2b 37 4a 6b 55 4f 79 45 34 48 62 6e 79 2b 75 50 78 7a 38 74 72 76 2b 47 4f 6b 54 4d 58 6a 79 4c 75 51 35 53 58 77 31 67 46 51 61 38 65 30 36 52 79 78 6c 78 6c 77 32 64 68 37 79 61 4c 68 6c 49 6c 6d 52 2f 6d 45 41 54 41 74 69 57 52 34 45 76 2f 6e 74 4f 4b 4c 79 62 37 52 41 38 46 54 4e 35 61 4f 68 53 42 76 32 35 73 76 34 58 53 44 64 34 65 4f 52 4c 77 62 45 4e 6c 6b 56 39 68 51 7a 39 46 58 2b 78 48 72 31 6d 54 7a 45 75 6e 2f 38 49 48 6b 58 57 35 68 45 4a 75 2b 44 61 6e 56 2f 67 3d 3d
Data Ascii: TCTy60Ivw9ZWMF4VNEyPkE+7JkUOyE4Hbny+uPxz8trv+GOkTMXjyLuQ5SXw1gFQa8e06Ryxlxlw2dh7yaLhlIlmR/mEATAtiWR4Ev/ntOKLyb7RA8FTN5aOhSBv25sv4XSDd4eORLwbENlkV9hQz9FX+xHr1mTzEun/8IHkXW5hEJu+DanV/g==
Feb 29, 2024 08:15:06.830378056 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
Feb 29, 2024 08:15:06.830493927 CET | 688 | IN | HTTP/1.1 200 OK
Date: Thu, 29 Feb 2024 07:15:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.1.8
Server: elb
Data Raw: 31 64 38 0d 0a 54 59 6e 61 39 70 77 68 6b 32 52 77 53 6c 48 2f 65 79 66 75 68 4b 4b 54 78 4d 59 55 70 42 76 65 58 57 30 6c 34 4f 37 51 74 2b 65 4f 69 6e 6c 66 2f 78 38 77 70 38 70 6b 78 30 68 49 41 68 38 75 6d 50 6f 69 5a 31 6a 43 38 32 34 51 37 7a 56 34 55 4e 57 63 7a 52 38 41 31 48 6e 7a 56 41 68 6e 45 46 66 76 6b 59 45 4b 70 48 6e 54 74 73 6d 35 43 35 2b 53 79 76 65 68 35 49 51 36 36 78 42 6a 59 30 42 61 32 68 48 38 50 56 61 38 41 34 75 77 6d 76 35 67 6b 50 64 76 61 6f 4f 6d 72 42 57 75 4c 41 4d 53 36 2b 75 59 73 62 6a 68 57 48 52 35 6d 75 6b 30 75 52 43 30 79 71 4a 69 4b 53 6d 70 41 6a 59 53 4b 45 33 79 57 37 35 62 38 5a 76 6a 4f 46 4a 30 42 6b 32 6b 4c 32 4d 32 69 69 66 33 77 4c 43 46 59 35 79 71 6a 4e 77 31 34 52 42 35 55 71 54 4b 46 6c 78 39 64 56 2b 36 79 6f 72 74 73 36 7a 58 65 74 47 53 38 6e 7a 2b 51 52 2f 38 38 5a 71 50 2f 30 6e 71 42 42 66 66 52 64 65 67 68 38 38 41 45 6f 5a 50 46 75 78 65 43 6a 4c 79 6a 72 65 41 69 44 64 6b 4f 39 64 6a 77 4a 31 33 6e 30 38 4e 4d 47 69 35 53 72 46 6a 62 30 46 31 61 51 47 32 4e 44 32 41 67 63 32 38 48 69 67 79 78 63 42 77 30 56 6b 63 48 74 30 77 2b 4a 44 78 53 2f 6e 4f 36 45 75 55 37 42 6f 35 67 72 5a 74 59 76 41 77 67 70 35 50 4f 56 77 62 4f 4e 76 6f 75 2f 46 45 63 33 6d 6f 72 39 4f 64 4b 30 63 2f 66 50 6d 59 73 50 63 75 48 4f 4b 53 38 62 5a 6d 6c 5a 31 77 44 65 57 71 73 2f 57 47 78 32 76 76 75 6b 65 48 45 36 63 77 30 30 38 6f 31 6b 33 74 79 42 7a 4b 6f 41 3d 3d 0d 0a
Data Ascii: 1d8TYna9pwhk2RwSlH/eyfuhKKTxMYUpBveXW0l4O7Qt+eOinlf/x8wp8pkx0hIAh8umPoiZ1jC824Q7zV4UNWczR8A1HnzVAhnEFfvkYEKpHnTtsm5C5+Syveh5IQ66xBjY0Ba2hH8PVa8A4uwmv5gkPdvaoOmrBWuLAMS6+uYsbjhWHR5muk0uRC0yqJiKSmpAjYSKE3yW75b8ZvjOFJ0Bk2kL2M2iif3wLCFY5yqjNw14RB5UqTKFlx9dV+6yorts6zXetGS8nz+QR/88ZqP/0nqBBffRdegh88AEoZPFuxeCjLyjreAiDdkO9djwJ13n08NMGi5SrFjb0F1aQG2ND2Agc28HigyxcBw0VkcHt0w+JDxS/nO6EuU7Bo5grZtYvAwgp5POVwbONvou/FEc3mor9OdK0c/fPmYsPcuHOKS8bZmlZ1wDeWqs/WGx2vvukeHE6cw008o1k3tyBzKoA==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49733 | 47.117.76.6 | 80 | 7292 | C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe

Timestamp | Bytes transferred | Direction | Data
Feb 29, 2024 08:15:07.930603027 CET | 492 | OUT | GET /url2?pid=buysite_00&type=xzq&action=run&appver=6.1022.1135.1123&modver=6.1022.1135.1123&mid=6039146e22b008fbd61fc0617475e9aa&ex_ary[siteid]=&ex_ary[softid]=&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]= HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: s.ludashi.com
Connection: Keep-Alive
Feb 29, 2024 08:15:08.258682966 CET | 228 | IN | HTTP/1.1 200 OK
Date: Thu, 29 Feb 2024 07:15:08 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 0
Connection: keep-alive
Last-Modified: Sat, 28 Dec 2019 01:45:27 GMT
ETag: "5e06b3b7-0"
Accept-Ranges: bytes


Session ID: 2 | Source IP: 192.168.2.4 | Source Port: 49734 | Destination IP: 114.116.20.137 | Destination Port: 80 | PID: 7292 | Process: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe
Timestamp | Bytes transferred | Direction | Data
Feb 29, 2024 08:15:07.973167896 CET | 583 bytes | OUT | POST /downloader/soft/reportNew HTTP/1.1
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.9
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.4044.92 Safari/537.36
    Host: softmgr.ludashi.com
    Content-Length: 268
    Cache-Control: no-cache
    Data Raw: 38 6a 34 39 4e 37 65 56 70 61 68 37 6b 78 4c 61 47 39 2b 4b 63 53 4c 4b 72 37 63 75 36 67 56 63 7a 30 48 53 4f 39 6a 53 69 4d 38 70 67 6c 4a 77 6d 33 67 57 52 4a 42 56 66 33 78 54 48 68 2f 66 46 54 41 4f 33 4a 79 57 4e 68 6c 6a 61 4a 4c 33 47 4e 31 53 47 4c 71 47 35 36 74 52 73 53 5a 71 30 48 67 62 55 37 74 73 67 75 6b 41 61 66 39 54 52 48 65 46 68 39 66 76 34 33 44 39 4d 4c 39 47 4d 4b 34 74 79 77 69 43 44 6f 43 6c 37 4c 36 4b 63 53 4e 45 39 65 59 53 70 63 58 50 6b 55 64 39 56 51 38 4c 79 4f 43 53 65 43 6c 35 66 4e 31 53 4a 69 66 6b 74 77 79 4b 55 38 4f 76 54 71 73 46 53 74 68 49 64 79 74 47 65 38 4c 73 4c 75 38 73 77 69 42 67 35 33 7a 4a 6d 4f 62 67 4c 79 32 5a 42 56 37 50 4d 72 6b 77 39 61 76 6e 69 65 75 66 5a 74 74 72 44 4f 53 64 39 48 34 59 44 38 68 55 64 4a 4b 71 33 36 47 72 70 71 45 3d
    Data Ascii: 8j49N7eVpah7kxLaG9+KcSLKr7cu6gVcz0HSO9jSiM8pglJwm3gWRJBVf3xTHh/fFTAO3JyWNhljaJL3GN1SGLqG56tRsSZq0HgbU7tsgukAaf9TRHeFh9fv43D9ML9GMK4tywiCDoCl7L6KcSNE9eYSpcXPkUd9VQ8LyOCSeCl5fN1SJifktwyKU8OvTqsFSthIdytGe8LsLu8swiBg53zJmObgLy2ZBV7PMrkw9avnieufZttrDOSd9H4YD8hUdJKq36GrpqE= (268 base64 characters, 200 bytes once decoded; no Content-Type header is sent with the body)
Feb 29, 2024 08:15:08.282279015 CET | 279 bytes | IN | HTTP/1.1 200 OK
    Date: Thu, 29 Feb 2024 07:15:08 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    X-Powered-By: PHP/7.1.8
    Server: elb
    Data Raw: 34 30 0d 0a 33 73 53 57 46 4f 61 2f 77 38 58 41 6d 55 4c 35 35 4e 47 65 35 35 77 56 78 67 48 4c 51 44 67 34 33 78 6d 75 71 6f 4c 2f 66 4d 46 54 41 76 77 73 53 57 35 44 36 58 31 69 76 61 64 41 45 58 33 66 0d 0a
    Data Ascii: 403sSWFOa/w8XAmUL55NGe55wVxgHLQDg43xmuqoL/fMFTAvwsSW5D6X1ivadAEX3f (chunked body: the chunk-size line "40", i.e. 0x40 = 64 bytes, run together with the 64-character base64 chunk that follows it; the chunk decodes to 48 bytes)
Feb 29, 2024 08:15:08.282315969 CET | 5 bytes | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0 (zero-length last chunk, which terminates the chunked response)
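The following Python is an added worked example for the two transactions above; it is not part of the Joe Sandbox report and is not code from the analysed sample or from ludashi.com. It parses the report's "Data Raw" hex dumps, strips the chunked transfer encoding from the reportNew response (the "40" chunk-size line followed by 64 bytes, then the "0" last chunk), extracts the telemetry fields from the /url2 beacon query string, and measures the byte entropy of the base64-decoded POST body. It also checks one thing a reviewer of this capture would notice: the GET's User-Agent claims Windows NT 6.3 while the same request reports ex_ary[os]=10.0.19045, and the POST uses a different, Chrome 80 User-Agent, so both strings are hard-coded rather than taken from a real browser. The hard-coded inputs are copied verbatim from the capture; the entropy threshold, the function names and the keys of the returned dictionary are this example's own assumptions.

```python
"""Parse and sanity-check the ludashi.com beacon and report captured above."""
import base64
import math
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Inputs copied from the report's network section (constructed test input for
# this example; the report itself exposes no API that returns these).
GET_REQUEST_LINE = (
    "GET /url2?pid=buysite_00&type=xzq&action=run&appver=6.1022.1135.1123"
    "&modver=6.1022.1135.1123&mid=6039146e22b008fbd61fc0617475e9aa"
    "&ex_ary[siteid]=&ex_ary[softid]=&ex_ary[os]=10.0.19045&ex_ary[sr]=0"
    "&ex_ary[bit]=1&ex_ary[tagid]= HTTP/1.1"
)
GET_USER_AGENT = (
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; "
    ".NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)"
)
POST_BODY_B64 = (
    "8j49N7eVpah7kxLaG9+KcSLKr7cu6gVcz0HSO9jSiM8pglJwm3gWRJBVf3xTHh/fFTAO3J"
    "yWNhljaJL3GN1SGLqG56tRsSZq0HgbU7tsgukAaf9TRHeFh9fv43D9ML9GMK4tywiCDoCl"
    "7L6KcSNE9eYSpcXPkUd9VQ8LyOCSeCl5fN1SJifktwyKU8OvTqsFSthIdytGe8LsLu8swi"
    "Bg53zJmObgLy2ZBV7PMrkw9avnieufZttrDOSd9H4YD8hUdJKq36GrpqE="
)
# "Data Raw" of the two inbound frames of the POST response, concatenated.
RESPONSE_DATA_RAW = (
    "34 30 0d 0a 33 73 53 57 46 4f 61 2f 77 38 58 41 6d 55 4c 35 35 4e 47 65 "
    "35 35 77 56 78 67 48 4c 51 44 67 34 33 78 6d 75 71 6f 4c 2f 66 4d 46 54 "
    "41 76 77 73 53 57 35 44 36 58 31 69 76 61 64 41 45 58 33 66 0d 0a "
    "30 0d 0a 0d 0a"
)
ENCRYPTED_THRESHOLD = 6.0  # bits per byte; an assumed heuristic, not from the report


def data_raw_to_bytes(data_raw: str) -> bytes:
    """Turn the report's space-separated 'Data Raw' hex dump into bytes."""
    return bytes.fromhex(data_raw)  # fromhex() ignores the separating spaces


def dechunk(body: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked body: (size-hex CRLF data CRLF)* 0 CRLF CRLF."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # drop any chunk extension
        pos = eol + 2
        if size == 0:
            break  # last-chunk; optional trailers would follow
        if pos + size > len(body):
            raise ValueError("truncated chunk")
        out += body[pos:pos + size]
        pos += size + 2  # skip the CRLF that ends every chunk
    return bytes(out)


def telemetry_fields(request_line: str) -> dict:
    """Query parameters of a request line such as 'GET /url2?a=b HTTP/1.1'."""
    _method, target, _version = request_line.split(" ", 2)
    return dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))


def ua_windows_version(user_agent: str):
    """The 'Windows NT x.y' version a User-Agent string claims, or None."""
    m = re.search(r"Windows NT (\d+\.\d+)", user_agent)
    return m.group(1) if m else None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 for uniformly random data, 0.0 for a single repeated byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyse_session() -> dict:
    """Summarise the beacon and the report exchange captured in the sandbox."""
    fields = telemetry_fields(GET_REQUEST_LINE)
    ua_nt = ua_windows_version(GET_USER_AGENT)
    reported_os = fields.get("ex_ary[os]", "")
    post_body = base64.b64decode(POST_BODY_B64)
    resp_body = base64.b64decode(dechunk(data_raw_to_bytes(RESPONSE_DATA_RAW)))
    entropy = shannon_entropy(post_body)
    return {
        "machine_id": fields["mid"],              # 32 hex chars (MD5-length)
        "reported_os": reported_os,
        "ua_windows_nt": ua_nt,
        # True when the UA's NT version does not match the OS the query reports.
        "ua_os_mismatch": ua_nt is not None and not reported_os.startswith(ua_nt + "."),
        "post_body_len": len(post_body),
        "post_body_entropy": round(entropy, 2),
        "post_body_likely_encrypted": entropy > ENCRYPTED_THRESHOLD,
        "response_body_len": len(resp_body),
    }


if __name__ == "__main__":
    for key, value in analyse_session().items():
        print(f"{key}: {value}")
```

Running the file prints the summary dictionary. Two observations fall out of it: the 200-byte POST body is not a multiple of 16, so it is not a padded 16-byte-block ciphertext (a stream cipher or an 8-byte-block cipher would fit), and the 48-byte response is a multiple of both 8 and 16, so it does not narrow the choice further; the report does not identify the scheme and the example does not guess it.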



Target ID: 0
Start time: 08:15:02
Start date: 29/02/2024
Path: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\SecuriteInfo.com.FileRepPup.14593.15387.exe
Imagebase: 0x830000
File size: 7'030'672 bytes
MD5 hash: 65C6C55FF7A297CB8038ED701D6CDEF1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

No disassembly