Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Avira: detected |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Avira: detection malicious, Label: TR/Bublik.vdmcq |
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
ReversingLabs: Detection: 73% |
Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 99.7% probability |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Joe Sandbox ML: detected |
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Joe Sandbox ML: detected |
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: |
Binary string: Z:\Projects\Loader\Release\Loader.pdb source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe, SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe, 00000000.00000002.1292308298.0000000001630000.00000040.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe, 00000000.00000002.1292336763.000000000165E000.00000004.00000020.00020000.00000000.sdmp, hcbnaf.exe, hcbnaf.exe, 0000000A.00000002.1351512511.000000000097E000.00000004.00000020.00020000.00000000.sdmp, hcbnaf.exe, 0000000A.00000002.1351710808.0000000000A80000.00000040.00001000.00020000.00000000.sdmp |
Source: Traffic |
Snort IDS: 2826825 ETPRO TROJAN DNS Query for known malicious URL thisaintpc .com 192.168.2.7:63921 -> 1.1.1.1:53 |
Source: unknown |
DNS traffic detected: query: thisaintpc.com replaycode: Name error (3) |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Code function: 0_2_01631000 EntryPoint,GetModuleHandleW,ExitProcess,HeapCreate,HeapAlloc,HeapAlloc,HeapAlloc,GetModuleFileNameW,GetTempPathW,wsprintfW,CreateFileW,GetFileSize,lstrlenW,lstrlenW,RtlAllocateHeap,ReadFile,lstrcmpW,lstrlenW,CreateFileW,lstrlenW,WriteFile,CloseHandle,FindCloseChangeNotification,CloseHandle,GetTempPathW,ShellExecuteW,CloseHandle,DeleteFileW,InternetOpenW,InternetConnectW,HttpOpenRequestW,InternetQueryOptionW,InternetSetOptionW,HttpSendRequestW,HttpQueryInfoW,HeapAlloc,InternetReadFile,CreateFileW,WriteFile,CloseHandle,GetCurrentDirectoryW,wsprintfW 0_2_01631000 |
Source: global traffic |
DNS traffic detected: DNS query: thisaintpc.com |
Source: hcbnaf.exe, 0000000A.00000002.1351512511.00000000009C6000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://thisaintpc.com/ |
Source: hcbnaf.exe, 0000000A.00000002.1351512511.00000000009C6000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://thisaintpc.com/Y |
Source: hcbnaf.exe, 0000000A.00000002.1351512511.000000000097E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://thisaintpc.com/downloads/tehb.exe |
Source: hcbnaf.exe, 0000000A.00000002.1351512511.000000000097E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://thisaintpc.com/downloads/tehb.exew |
Source: hcbnaf.exe, 0000000A.00000002.1351512511.00000000009C6000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://thisaintpc.com/o |
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Static PE information: Number of sections : 11 > 10 |
Source: hcbnaf.exe.0.dr |
Static PE information: Number of sections : 11 > 10 |
Source: classification engine |
Classification label: mal92.winEXE@3/1@1/0 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
File created: C:\Users\user~1\AppData\Local\Temp\hcbnaf.exe |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
File read: C:\Users\user\Desktop\desktop.ini |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Source: unknown |
Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe" |
|
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Process created: C:\Users\user\AppData\Local\Temp\hcbnaf.exe "C:\Users\user~1\AppData\Local\Temp\hcbnaf.exe" |
|
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Section loaded: windowscodecs.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Section loaded: wininet.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Section loaded: propsys.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Section loaded: edputil.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Section loaded: urlmon.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Section loaded: iertutil.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Section loaded: srvcli.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Section loaded: netutils.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Section loaded: windows.staterepositoryps.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Section loaded: wintypes.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Section loaded: appresolver.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Section loaded: bcp47langs.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Section loaded: slc.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Section loaded: sppc.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Section loaded: onecorecommonproxystub.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Section loaded: onecoreuapcommonproxystub.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Section loaded: windowscodecs.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Section loaded: wininet.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Section loaded: iertutil.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Section loaded: ondemandconnroutehelper.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Section loaded: winhttp.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Section loaded: mswsock.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Section loaded: winnsi.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Section loaded: urlmon.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Section loaded: srvcli.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Section loaded: netutils.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Section loaded: dnsapi.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Section loaded: rasadhlp.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 |
Source: Window Recorder |
Window detected: More than 3 window changes detected |
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Static file information: File size 6920232 > 1048576 |
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Static PE information: Raw size of .K0f is bigger than: 0x100000 < 0x695200 |
Source: initial sample |
Static PE information: section where entry point is pointing to: .K0f |
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Static PE information: real checksum: 0x6a504a should be: 0x6a46b4 |
Source: hcbnaf.exe.0.dr |
Static PE information: real checksum: 0x6a504a should be: 0x6a635f |
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Static PE information: section name: .k+g |
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Static PE information: section name: .4kl |
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Static PE information: section name: .htext |
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Static PE information: section name: .jhn |
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Static PE information: section name: .IQ" |
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Static PE information: section name: .K0f |
Source: hcbnaf.exe.0.dr |
Static PE information: section name: .k+g |
Source: hcbnaf.exe.0.dr |
Static PE information: section name: .4kl |
Source: hcbnaf.exe.0.dr |
Static PE information: section name: .htext |
Source: hcbnaf.exe.0.dr |
Static PE information: section name: .jhn |
Source: hcbnaf.exe.0.dr |
Static PE information: section name: .IQ" |
Source: hcbnaf.exe.0.dr |
Static PE information: section name: .K0f |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
File created: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Memory written: PID: 2408 base: FE0005 value: E9 8B 2F 78 76 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Memory written: PID: 2408 base: 77762F90 value: E9 7A D0 87 89 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Memory written: PID: 2408 base: FF0005 value: E9 2B BA 73 76 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Memory written: PID: 2408 base: 7772BA30 value: E9 DA 45 8C 89 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Memory written: PID: 2408 base: 1450008 value: E9 8B 8E 32 76 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Memory written: PID: 2408 base: 77778E90 value: E9 80 71 CD 89 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Memory written: PID: 2408 base: 1470005 value: E9 8B 4D 5C 74 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Memory written: PID: 2408 base: 75A34D90 value: E9 7A B2 A3 8B |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Memory written: PID: 2408 base: 1480005 value: E9 EB EB 5C 74 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Memory written: PID: 2408 base: 75A4EBF0 value: E9 1A 14 A3 8B |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Memory written: PID: 2408 base: 1490005 value: E9 8B 8A 14 75 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Memory written: PID: 2408 base: 765D8A90 value: E9 7A 75 EB 8A |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Memory written: PID: 2408 base: 14A0005 value: E9 2B 02 16 75 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Memory written: PID: 2408 base: 76600230 value: E9 DA FD E9 8A |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Memory written: PID: 7224 base: 8D0005 value: E9 8B 2F E9 76 |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Memory written: PID: 7224 base: 77762F90 value: E9 7A D0 16 89 |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Memory written: PID: 7224 base: 8E0005 value: E9 2B BA E4 76 |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Memory written: PID: 7224 base: 7772BA30 value: E9 DA 45 1B 89 |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Memory written: PID: 7224 base: 8F0008 value: E9 8B 8E E8 76 |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Memory written: PID: 7224 base: 77778E90 value: E9 80 71 17 89 |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Memory written: PID: 7224 base: 910005 value: E9 8B 4D 12 75 |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Memory written: PID: 7224 base: 75A34D90 value: E9 7A B2 ED 8A |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Memory written: PID: 7224 base: 920005 value: E9 EB EB 12 75 |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Memory written: PID: 7224 base: 75A4EBF0 value: E9 1A 14 ED 8A |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Memory written: PID: 7224 base: 930005 value: E9 8B 8A CA 75 |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Memory written: PID: 7224 base: 765D8A90 value: E9 7A 75 35 8A |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Memory written: PID: 7224 base: 940005 value: E9 2B 02 CC 75 |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Memory written: PID: 7224 base: 76600230 value: E9 DA FD 33 8A |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess |
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe, 00000000.00000002.1292336763.0000000001687000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*{ |
Source: hcbnaf.exe, 0000000A.00000002.1351512511.000000000097E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/ |
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe, 00000000.00000002.1292336763.0000000001687000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\ |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Process information queried: ProcessInformation |