Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Avira: detected |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe | Avira: detection malicious, Label: TR/Bublik.vdmcq |
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | ReversingLabs: Detection: 73% |
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe | Joe Sandbox ML: detected |
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Joe Sandbox ML: detected |
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: | Binary string: Z:\Projects\Loader\Release\Loader.pdb source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe, SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe, 00000000.00000002.1292308298.0000000001630000.00000040.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe, 00000000.00000002.1292336763.000000000165E000.00000004.00000020.00020000.00000000.sdmp, hcbnaf.exe, hcbnaf.exe, 0000000A.00000002.1351512511.000000000097E000.00000004.00000020.00020000.00000000.sdmp, hcbnaf.exe, 0000000A.00000002.1351710808.0000000000A80000.00000040.00001000.00020000.00000000.sdmp |
Source: Traffic | Snort IDS: 2826825 ETPRO TROJAN DNS Query for known malicious URL thisaintpc .com 192.168.2.7:63921 -> 1.1.1.1:53 |
Source: unknown | DNS traffic detected: query: thisaintpc.com replaycode: Name error (3) |
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Code function: 0_2_01631000 EntryPoint,GetModuleHandleW,ExitProcess,HeapCreate,HeapAlloc,HeapAlloc,HeapAlloc,GetModuleFileNameW,GetTempPathW,wsprintfW,CreateFileW,GetFileSize,lstrlenW,lstrlenW,RtlAllocateHeap,ReadFile,lstrcmpW,lstrlenW,CreateFileW,lstrlenW,WriteFile,CloseHandle,FindCloseChangeNotification,CloseHandle,GetTempPathW,ShellExecuteW,CloseHandle,DeleteFileW,InternetOpenW,InternetConnectW,HttpOpenRequestW,InternetQueryOptionW,InternetSetOptionW,HttpSendRequestW,HttpQueryInfoW,HeapAlloc,InternetReadFile,CreateFileW,WriteFile,CloseHandle,GetCurrentDirectoryW,wsprintfW, | 0_2_01631000 |
Source: global traffic | DNS traffic detected: DNS query: thisaintpc.com |
Source: hcbnaf.exe, 0000000A.00000002.1351512511.00000000009C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://thisaintpc.com/ |
Source: hcbnaf.exe, 0000000A.00000002.1351512511.00000000009C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://thisaintpc.com/Y |
Source: hcbnaf.exe, 0000000A.00000002.1351512511.000000000097E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://thisaintpc.com/downloads/tehb.exe |
Source: hcbnaf.exe, 0000000A.00000002.1351512511.000000000097E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://thisaintpc.com/downloads/tehb.exew |
Source: hcbnaf.exe, 0000000A.00000002.1351512511.00000000009C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://thisaintpc.com/o |
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Static PE information: section name: .k+g |
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Static PE information: section name: .IQ" |
Source: hcbnaf.exe.0.dr | Static PE information: section name: .k+g |
Source: hcbnaf.exe.0.dr | Static PE information: section name: .IQ" |
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Static PE information: Number of sections : 11 > 10 |
Source: hcbnaf.exe.0.dr | Static PE information: Number of sections : 11 > 10 |
Source: classification engine | Classification label: mal92.winEXE@3/1@1/0 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | File created: C:\Users\user~1\AppData\Local\Temp\hcbnaf.exe |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | File read: C:\Users\user\Desktop\desktop.ini |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe |
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe" |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Process created: C:\Users\user\AppData\Local\Temp\hcbnaf.exe "C:\Users\user~1\AppData\Local\Temp\hcbnaf.exe" |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Section loaded: windowscodecs.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Section loaded: wininet.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Section loaded: propsys.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Section loaded: edputil.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Section loaded: urlmon.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Section loaded: iertutil.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Section loaded: srvcli.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Section loaded: netutils.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Section loaded: windows.staterepositoryps.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Section loaded: wintypes.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Section loaded: appresolver.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Section loaded: bcp47langs.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Section loaded: slc.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Section loaded: sppc.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Section loaded: onecorecommonproxystub.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Section loaded: onecoreuapcommonproxystub.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe | Section loaded: apphelp.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe | Section loaded: uxtheme.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe | Section loaded: windowscodecs.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe | Section loaded: wininet.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe | Section loaded: iertutil.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe | Section loaded: sspicli.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe | Section loaded: windows.storage.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe | Section loaded: wldp.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe | Section loaded: profapi.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe | Section loaded: kernel.appcore.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe | Section loaded: ondemandconnroutehelper.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe | Section loaded: winhttp.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe | Section loaded: mswsock.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe | Section loaded: iphlpapi.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe | Section loaded: winnsi.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe | Section loaded: urlmon.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe | Section loaded: srvcli.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe | Section loaded: netutils.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe | Section loaded: dnsapi.dll |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe | Section loaded: rasadhlp.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 |
Source: Window Recorder | Window detected: More than 3 window changes detected |
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Static file information: File size 6920232 > 1048576 |
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Static PE information: Raw size of .K0f is bigger than: 0x100000 < 0x695200 |
Source: initial sample | Static PE information: section where entry point is pointing to: .K0f |
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Static PE information: real checksum: 0x6a504a should be: 0x6a46b4 |
Source: hcbnaf.exe.0.dr | Static PE information: real checksum: 0x6a504a should be: 0x6a635f |
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Static PE information: section name: .4kl |
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Static PE information: section name: .htext |
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Static PE information: section name: .jhn |
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Static PE information: section name: .K0f |
Source: hcbnaf.exe.0.dr | Static PE information: section name: .4kl |
Source: hcbnaf.exe.0.dr | Static PE information: section name: .htext |
Source: hcbnaf.exe.0.dr | Static PE information: section name: .jhn |
Source: hcbnaf.exe.0.dr | Static PE information: section name: .K0f |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | File created: C:\Users\user\AppData\Local\Temp\hcbnaf.exe |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\hcbnaf.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess | graph_10-50 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess | graph_0-50 |
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe, 00000000.00000002.1292336763.0000000001687000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*{ |
Source: hcbnaf.exe, 0000000A.00000002.1351512511.000000000097E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/ |
Source: SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe, 00000000.00000002.1292336763.0000000001687000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\ |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoad3.28161.23146.13969.exe | Process information queried: ProcessInformation |