Windows Analysis Report
SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe
Analysis ID: 1446236
MD5: 98cc7dd8eeeaf079b8e8f650d847525f
SHA1: 2f8bdb79155ce50f7b02209cd28f996fc9e62915
SHA256: 5b9cb6ebd3779665272eb9303004faf88f121cbe8f7e63c00a547e6d9ae13998
Tags: exe

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to detect virtual machines
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Detected potential crypto function
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains an invalid checksum
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe ReversingLabs: Detection: 68%
Source: SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_00425784 __ehhandler$?_Swap@?$_Func_class@X$$V@std@@IAEXAAV12@@Z,__EH_prolog3_GS,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, 0_2_00425784
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_00425835 CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CloseHandle,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptDestroyHash,ReadFile,CryptHashData,ReadFile,CryptDestroyHash,CryptReleaseContext,CloseHandle,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptDestroyHash,CryptReleaseContext, 0_2_00425835
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_00425B69 __EH_prolog3_GS,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptDestroyHash,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 0_2_00425B69
Source: SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_00426865 GetLogicalDriveStringsW,lstrlenW,QueryDosDeviceW,GetFullPathNameW,GetFullPathNameW,GetFullPathNameW,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW, 0_2_00426865
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_00436131 __EH_prolog3,HttpOpenRequestW,GetLastError,HttpSendRequestW,GetLastError,InternetCloseHandle,InternetQueryOptionW,HttpQueryInfoA,WaitForSingleObject,HttpQueryInfoW,GetLastError,WriteFile,GetLastError,WaitForSingleObject,InternetReadFile,GetLastError,InternetCloseHandle, 0_2_00436131
Source: Amcache.hve.4.dr String found in binary or memory: http://upx.sf.net
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_00418031 0_2_00418031
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_004120E0 0_2_004120E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_0043C238 0_2_0043C238
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_004222C3 0_2_004222C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_00420301 0_2_00420301
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_00444440 0_2_00444440
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_0043B409 0_2_0043B409
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_00421481 0_2_00421481
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_0043259A 0_2_0043259A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_0040F730 0_2_0040F730
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_0042B78D 0_2_0042B78D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_00420845 0_2_00420845
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_00426865 0_2_00426865
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_0041D86A 0_2_0041D86A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_0042EADB 0_2_0042EADB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_0042CD5C 0_2_0042CD5C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_00420D89 0_2_00420D89
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_00415E6E 0_2_00415E6E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_00430E1A 0_2_00430E1A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_00437E3B 0_2_00437E3B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: String function: 00401916 appears 96 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: String function: 00410F30 appears 43 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: String function: 004126DD appears 87 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: String function: 00412746 appears 39 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: String function: 00415730 appears 45 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: String function: 004018B3 appears 58 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: String function: 00403C93 appears 48 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 488
Source: SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Binary string: kernel32.dllIsWow64Process\device\mupShell32.dllSHGetKnownFolderPath\Downloads\User Pinned\TaskBar\Microsoft\Internet Explorer\Quick LaunchProgramFilesDirSOFTWARE\Microsoft\Windows\CurrentVersion\cmd.exeComSpec" exit" & if not exist " & for /l %x in (1,1,60) do ping 127.0.0.1 -n 2 -w 500 & del /q /f "" /c taskkill /f /pid 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789abcdef0123456789abcdefhlPxjHRu9UWCOtTORdZ51F7RYWUCWy731OtU3OaRC1xO5rErBozbP4G2hNm67mUHhghf659f453e18e0508fd502a51ca0138091b7e80eSELECT * FROM WQLtruefalse
Source: classification engine Classification label: mal56.evad.winEXE@2/5@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_00423319 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges, 0_2_00423319
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_00438D35 GetLogicalDriveStringsW,GetDriveTypeW,GetDiskFreeSpaceExW, 0_2_00438D35
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_00426FD8 CreateToolhelp32Snapshot,_memset,Process32FirstW,GetLastError,CloseHandle,OpenProcess,GetProcessTimes,GetProcessImageFileNameW,CharLowerW,CloseHandle,CharLowerW,Process32NextW,GetLastError,CloseHandle, 0_2_00426FD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_00426181 CoInitializeEx,CoCreateInstance,CoSetProxyBlanket,VariantClear, 0_2_00426181
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3076
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\02a083e5-98b2-45c0-8703-1f8c164790f5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Command line argument: :tmp 0_2_004351F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Command line argument: .tmp 0_2_004351F9
Source: SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe String found in binary or memory: /launch_install?error=
Source: SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe String found in binary or memory: /launch_install?name=
Source: SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe String found in binary or memory: /launch_info
Source: SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe String found in binary or memory: /launch_error?text=
Source: SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe String found in binary or memory: ,products=closed/close_install?checks2,unchecked=products2=unchecked2=/unchecked_install?products=/unchecked_install?products2=/launch_infoinstaller not founderror opening file installer file #error getting length of installer binary fileerror reading installer binary filereaded 0 bytes from installer binary file:Zone.Identifierwatchstartparent=
Source: SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe String found in binary or memory: /launch_error?text=&launch=&?launch=": url error in "torrentwhsciconSTATICIconopenBUTTON
Source: SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe String found in binary or memory: $__HASHHASH$__MIXinstall=&hash=/touch_install?name=) (error=&md5=/launch_install?error=can't install success=/launch_install?name=&check=delay time=/delay?time=Wrong PE fileWrong PE signatureNot normal PE formaterror allocating virtual memoryerror creating executable heaperror allocating executable memoryunknown relocationcan't create thread
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 488
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_004230F3 LoadLibraryW,GetProcAddress, 0_2_004230F3
Source: SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Static PE information: real checksum: 0x60c79 should be: 0x60a47
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_00415775 push ecx; ret 0_2_00415788
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_004127B5 push ecx; ret 0_2_004127C8
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: vmware qemu qemu 0_2_0043A8D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: GetCommandLineW,ExitProcess,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,_memset,CreatePipe,WriteFile,WriteFile,WriteFile,GetStdHandle,GetStdHandle,GetStdHandle,CreateProcessW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,_memset,GetStdHandle,GetStdHandle,GetStdHandle,CreateProcessW,CloseHandle,CloseHandle,CloseHandle, 0_2_0043545F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe API coverage: 1.9 %
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_00426865 GetLogicalDriveStringsW,lstrlenW,QueryDosDeviceW,GetFullPathNameW,GetFullPathNameW,GetFullPathNameW,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW, 0_2_00426865
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_00438BF9 __ehhandler$?_Initialize@SchedulerPolicy@Concurrency@@AAEXIPAPAD@Z,__EH_prolog3,GetSystemInfo,CallNtPowerInformation, 0_2_00438BF9
Source: Amcache.hve.4.dr Binary or memory string: VMware
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin`
Source: SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Binary or memory string: vmware
Source: Amcache.hve.4.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: VMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Binary or memory string: nsystemFSOSantivirusantispywarefirewallbrowsersvideoregistryregistryFilegetLineisFileisDirisRegistryfileTimeisInstalledmemoryharddiskprocessorisAdminis64bitVMmanufacturerbaseBoarddiskDrivesfileAssocdisplayvirtDisplayNET:.win;sp;suite:;product:AntivirusProductAntiSpywareProductFirewallProducthttpSoftware\Clients\StartMenuInternetSoftware\Clients\StartMenuInternet\\shell\open\command |nameWin32_VideoControllerROOT\CIMv2\/*\1SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallDisplayName\modelvirtualboxvmwareparallelsqemuwinevirtualWin32_ComputerSystemproductWin32_BaseBoardcaptionWin32_DiskDriveopenxSOFTWARE\Microsoft\NET Framework Setup\NDPVersionSOFTWARE\Microsoft\NET Framework Setup\NDP\error getting versionInstallversion not installedSPsp\Full\Clientmap/set<T> too longvector<T> too longinvalid map/set<T> iterator
Source: Amcache.hve.4.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_00411360 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00411360
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_004230F3 LoadLibraryW,GetProcAddress, 0_2_004230F3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_00428340 mov eax, dword ptr fs:[00000030h] 0_2_00428340
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_00429751 mov eax, dword ptr fs:[00000030h] 0_2_00429751
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_0042C16E __ehhandler$?enable_segment@_Helper@_Concurrent_vector_base_v4@details@Concurrency@@SAIAAV234@II@Z,__EH_prolog3,SetErrorMode,SetUnhandledExceptionFilter,GetStdHandle,ReadFile,ReadFile, 0_2_0042C16E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_00417277 SetUnhandledExceptionFilter, 0_2_00417277
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_00411360 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00411360
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_0043259A GetTickCount,SetErrorMode,SetUnhandledExceptionFilter,InitializeCriticalSection,InitializeCriticalSection,InitializeCriticalSection,CoInitializeEx,CreateEventW,CreateEventW,CreateEventW,CreateEventW,GdiplusStartup,IsUserAnAdmin,GetModuleHandleW,EnumResourceNamesW,GetFileSizeEx,CreateThread,InitCommonControlsEx,GetTickCount,MessageBoxW,WaitForSingleObject,ResetEvent,CreateThread,WaitForSingleObject,CloseHandle,GdiplusShutdown,EnterCriticalSection,EnterCriticalSection,SetEvent,LeaveCriticalSection,CloseHandle,GetCurrentThreadId,CreateThread,EnterCriticalSection,CreateThread,LeaveCriticalSection,GetTickCount,EnterCriticalSection,LeaveCriticalSection,GetTickCount,EnterCriticalSection,CreateThread,LeaveCriticalSection,SetEvent,CloseHandle,CloseHandle,KillTimer,KillTimer,KillTimer,WaitForMultipleObjects,WaitForSingleObject,CloseHandle,GdiplusShutdown, 0_2_0043259A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_00429737 SetUnhandledExceptionFilter,ExitProcess, 0_2_00429737
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_004127E7 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004127E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_00410F21 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00410F21
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_00422F0E cpuid 0_2_00422F0E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: GetLocaleInfoA, 0_2_00419F6E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_004177B1 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_004177B1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.LoadMoney.1085.10205.7276.exe Code function: 0_2_0043902A __EH_prolog3_GS,_memset,GetVersionExW, 0_2_0043902A
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: MsMpEng.exe
No contacted IP infos