Windows Analysis Report
SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe
Analysis ID: 1447355
MD5: 786db86691e817294e52423089162e44
SHA1: 3d61074a52365b907591d5590a622a3a4ef10c8a
SHA256: 69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
Tags: exe

Detection

Score: 51
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
AI detected suspicious sample
Tries to detect virtualization through RDTSC time measurements
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe ReversingLabs: Detection: 21%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Code function: 0_2_6E153670 CryptQueryObject,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,CryptMsgGetParam,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,LocalAlloc,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,CryptMsgGetParam,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose, 0_2_6E153670
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Code function: 0_2_6E153470 lstrcmpA,CryptDecodeObject,CertFreeCertificateContext,LocalAlloc,CertFreeCertificateContext,CryptDecodeObject,CertFreeCertificateContext,CertFreeCertificateContext, 0_2_6E153470
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Code function: 0_2_6E153499 lstrcmpA,CryptDecodeObject,CertFreeCertificateContext, 0_2_6E153499
Source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Zortos\Documents\source\repos\CFUnzipper\CFUnzipper\obj\Release\ZortosUnzipper.pdb source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe
Source: Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe
Source: Binary string: /home/runner/work/sharpcompress/sharpcompress/src/SharpCompress/obj/Release/netstandard2.0/SharpCompress.pdbSHA256 source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.00000000037A2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003683000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: /home/runner/work/sharpcompress/sharpcompress/src/SharpCompress/obj/Release/netstandard2.0/SharpCompress.pdb source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.00000000037A2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003683000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: clrjit.pdb source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4436676433.0000000005160000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4438182838.0000000005BC0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|52414EC411DEA325110F0AD21378C8D101897989|2544 source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe
Source: Binary string: costura.costura.pdb.compressed source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe
Source: Binary string: C:\Dropbox\Dev\ag.v66\Libraries\MSILJitter\bin\RELEASE\win32\AgileDotNetRT.pdb source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003651000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4440772522.000000006E163000.00000002.00000001.01000000.00000007.sdmp, SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003683000.00000004.00000800.00020000.00000000.sdmp, GunaUIDotNetRT.dll.0.dr

Networking

Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe.37a2580.6.raw.unpack, type: UNPACKEDPE
Source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003651000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003683000.00000004.00000800.00020000.00000000.sdmp, GunaUIDotNetRT.dll.0.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003651000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003683000.00000004.00000800.00020000.00000000.sdmp, GunaUIDotNetRT.dll.0.dr String found in binary or memory: http://ocsp.thawte.com0
Source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003651000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003683000.00000004.00000800.00020000.00000000.sdmp, GunaUIDotNetRT.dll.0.dr String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003651000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003683000.00000004.00000800.00020000.00000000.sdmp, GunaUIDotNetRT.dll.0.dr String found in binary or memory: http://s2.symcb.com0
Source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003651000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003683000.00000004.00000800.00020000.00000000.sdmp, GunaUIDotNetRT.dll.0.dr String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003651000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003683000.00000004.00000800.00020000.00000000.sdmp, GunaUIDotNetRT.dll.0.dr String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003651000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003683000.00000004.00000800.00020000.00000000.sdmp, GunaUIDotNetRT.dll.0.dr String found in binary or memory: http://sv.symcd.com0&
Source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003651000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003683000.00000004.00000800.00020000.00000000.sdmp, GunaUIDotNetRT.dll.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003651000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003683000.00000004.00000800.00020000.00000000.sdmp, GunaUIDotNetRT.dll.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003651000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003683000.00000004.00000800.00020000.00000000.sdmp, GunaUIDotNetRT.dll.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003651000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003683000.00000004.00000800.00020000.00000000.sdmp, GunaUIDotNetRT.dll.0.dr String found in binary or memory: http://www.symauth.com/cps0(
Source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003651000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003683000.00000004.00000800.00020000.00000000.sdmp, GunaUIDotNetRT.dll.0.dr String found in binary or memory: http://www.symauth.com/rpa00
Source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003651000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003683000.00000004.00000800.00020000.00000000.sdmp, GunaUIDotNetRT.dll.0.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003651000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003683000.00000004.00000800.00020000.00000000.sdmp, GunaUIDotNetRT.dll.0.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.00000000037A2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003683000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/adamhathcock/sharpcompress
Source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.00000000037A2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003683000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/dotnet/runtime/issues/24271YFailed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Code function: 0_2_0263DC2C 0_2_0263DC2C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Code function: 0_2_0634A340 0_2_0634A340
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Code function: 0_2_078CEFC0 0_2_078CEFC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Code function: 0_2_078C356C 0_2_078C356C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Code function: 0_2_078C4A63 0_2_078C4A63
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Code function: 0_2_07912408 0_2_07912408
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Code function: 0_2_0796BD00 0_2_0796BD00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Code function: 0_2_07960040 0_2_07960040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Code function: 0_2_0796F259 0_2_0796F259
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Code function: 0_2_07A135D0 0_2_07A135D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Code function: 0_2_07A13592 0_2_07A13592
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Code function: 0_2_0833F943 0_2_0833F943
Source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4440851880.000000006E169000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003651000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.00000000037A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSharpCompress.dll< vs SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4429870159.00000000007AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000000.1969906724.0000000000388000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameZortosUnzipper.exe6 vs SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003683000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003683000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSharpCompress.dll< vs SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Binary or memory string: OriginalFilenameZortosUnzipper.exe6 vs SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe.37a2580.6.raw.unpack, AesDecoderStream.cs Cryptographic APIs: 'TransformBlock'
Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe.37a2580.6.raw.unpack, WinzipAesCryptoStream.cs Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: classification engine Classification label: mal51.troj.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Mutant created: NULL
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe File created: C:\Users\user\AppData\Local\Temp\ZortosUnzipper
Source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Section loaded: dataexchange.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Section loaded: dcomp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Automated click: Extract
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Static file information: File size 2181120 > 1048576
Source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1f4200
Source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Zortos\Documents\source\repos\CFUnzipper\CFUnzipper\obj\Release\ZortosUnzipper.pdb source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe
Source: Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe
Source: Binary string: /home/runner/work/sharpcompress/sharpcompress/src/SharpCompress/obj/Release/netstandard2.0/SharpCompress.pdbSHA256 source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.00000000037A2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003683000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: /home/runner/work/sharpcompress/sharpcompress/src/SharpCompress/obj/Release/netstandard2.0/SharpCompress.pdb source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.00000000037A2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003683000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: clrjit.pdb source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4436676433.0000000005160000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4438182838.0000000005BC0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|52414EC411DEA325110F0AD21378C8D101897989|2544 source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe
Source: Binary string: costura.costura.pdb.compressed source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe
Source: Binary string: C:\Dropbox\Dev\ag.v66\Libraries\MSILJitter\bin\RELEASE\win32\AgileDotNetRT.pdb source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003651000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4440772522.000000006E163000.00000002.00000001.01000000.00000007.sdmp, SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, 00000000.00000002.4434321675.0000000003683000.00000004.00000800.00020000.00000000.sdmp, GunaUIDotNetRT.dll.0.dr

Data Obfuscation

barindex
Source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, AssemblyLoader.cs .Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Source: Yara match File source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe, type: SAMPLE
Source: Yara match File source: 0.0.SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1969730710.0000000000192000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4431341655.0000000002651000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe PID: 5460, type: MEMORYSTR
Source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Static PE information: 0xB266165F [Tue Nov 4 14:34:07 2064 UTC]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Code function: 0_2_6E15A090 GetCurrentProcess,GetCurrentProcess,GetFileVersionInfoSizeW,GetProcessHeap,HeapAlloc,GetFileVersionInfoW,VerQueryValueA,LoadLibraryW,GetProcAddress,GetProcessHeap,HeapFree, 0_2_6E15A090
Source: GunaUIDotNetRT.dll.0.dr Static PE information: section name: .didat
Source: GunaUIDotNetRT.dll.0.dr Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Code function: 0_2_0263F0D2 push esp; iretd 0_2_0263F0D9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Code function: 0_2_06346B6D pushad ; iretd 0_2_06346B81
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Code function: 0_2_06346B82 pushad ; iretd 0_2_06346B81
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Code function: 0_2_078672B3 push esp; iretd 0_2_078672B9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Code function: 0_2_07869A3B push 400779DBh; retf 0_2_07869A45
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Code function: 0_2_078AC7E2 push es; ret 0_2_078AC7ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Code function: 0_2_078AB610 pushfd ; ret 0_2_078AB61D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Code function: 0_2_078ABE33 pushad ; ret 0_2_078ABE3D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Code function: 0_2_07A19FAA pushfd ; ret 0_2_07A19FB1
Source: SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Static PE information: section name: .text entropy: 7.781616525832242
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe File created: C:\Users\user\AppData\Local\Temp\21130707-67bd-4fd2-91d2-b9f759127e7b\GunaUIDotNetRT.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

barindex
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe RDTSC instruction interceptor: First address: 6E151D36 second address: 6E152A87 instructions:
0x00000000 rdtsc
0x00000002 mov dword ptr [ebp-10h], eax
0x00000005 mov dword ptr [ebp-0Ch], edx
0x00000008 mov eax, dword ptr [ebp-10h]
0x0000000b sub eax, dword ptr [ebp-08h]
0x0000000e mov edx, dword ptr [ebp-0Ch]
0x00000011 sbb edx, dword ptr [ebp-04h]
0x00000014 pop edi
0x00000015 pop esi
0x00000016 pop ebx
0x00000017 mov esp, ebp
0x00000019 pop ebp
0x0000001a ret
0x0000001b mov dword ptr [6E1653C0h], eax
0x00000020 mov dword ptr [6E1653C4h], edx
0x00000026 mov dword ptr [ebp-0Ch], 00000000h
0x0000002d jmp 00007FAB34C7041Bh
0x0000002f mov eax, dword ptr [ebp-0Ch]
0x00000032 cmp eax, dword ptr [ebp+08h]
0x00000035 jnl 00007FAB34C70456h
0x00000037 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Memory allocated: 25F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Memory allocated: 2650000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Memory allocated: 4650000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Code function: 0_2_6E152A40 rdtsc 0_2_6E152A40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Window / User API: threadDelayed 1826
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Window / User API: threadDelayed 8076
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\21130707-67bd-4fd2-91d2-b9f759127e7b\GunaUIDotNetRT.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe TID: 3276 Thread sleep time: -182600s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe TID: 3276 Thread sleep time: -807600s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Code function: 0_2_6E160CF3 VirtualQuery,GetSystemInfo, 0_2_6E160CF3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Code function: 0_2_6E152A40 rdtsc 0_2_6E152A40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Code function: 0_2_07779D20 LdrInitializeThunk, 0_2_07779D20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Code function: 0_2_6E15A090 GetCurrentProcess,GetCurrentProcess,GetFileVersionInfoSizeW,GetProcessHeap,HeapAlloc,GetFileVersionInfoW,VerQueryValueA,LoadLibraryW,GetProcAddress,GetProcessHeap,HeapFree, 0_2_6E15A090
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Code function: 0_2_6E157AB0 GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapAlloc,VirtualProtect,VirtualProtect, 0_2_6E157AB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Code function: 0_2_6E15B100 GetTempPathA,GetSystemTime,GetDateFormatA,GetTimeFormatA,CreateFileA,GetProcessHeap,HeapAlloc,InitializeCriticalSection, 0_2_6E15B100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Code function: 0_2_6E1525C0 GetVersionExW, 0_2_6E1525C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72211100.17568.13083.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos