Windows Analysis Report
SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe
Analysis ID: 1467835
MD5: 528b9a26fd19839aeba788171c568311
SHA1: 8276a9db275dccad133cc7d48cf0b8d97b91f1e2
SHA256: f84477a25b3fd48faf72484d4d9f86a4152b07baf5bc743656451fe36df2d482
Tags: exe
Infos:

Detection

Score: 28
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Drops PE files to the document folder of the user
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses FTP
Uses a known web browser user agent for HTTP communication

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://srbija.livehockey.online Avira URL Cloud: Label: malware
Source: http://srbija.livehockey.online/evaluation/index.php?SudijaID= Avira URL Cloud: Label: malware
Source: http://srbija.livehockey.online/OnlineRegistration/ Avira URL Cloud: Label: malware
Source: http://kuwait.livehockey.online/evaluation/index.php?SudijaID=openU Avira URL Cloud: Label: malware
Source: http://srbija.livehockey.online/evaluation/i Avira URL Cloud: Label: malware
Source: SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp, 00000001.00000003.2356109417.000000000661E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_1c69ca6e-e
Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Iskljucivo pravo licence za ovaj program imaSavez Hokeja na Ledu SrbijeSva prava su zasticenaI &accept the agreementI &do not accept the agreement&Next >Cancel
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Iskljucivo pravo licence za ovaj program imaSavez Hokeja na Ledu SrbijeSva prava su zasticenaI &accept the agreementI &do not accept the agreement&Next >Cancel
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Iskljucivo pravo licence za ovaj program imaSavez Hokeja na Ledu SrbijeSva prava su zasticenaI &accept the agreementI &do not accept the agreement&Next >Cancel
Source: SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2q-x32\out32dll\ssleay32.pdb source: ssleay32.dll.8.dr

Networking
barindex
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 93.188.1.110 ports 51819,49489,1,2,60005,54622,52337,50269,21
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49713 -> 93.188.1.110:60005
Source: global traffic TCP traffic: 192.168.2.5:49718 -> 93.188.1.8:3306
Source: global traffic TCP traffic: 192.168.2.5:49719 -> 79.101.0.33:3306
Source: global traffic TCP traffic: 192.168.2.5:49731 -> 93.188.1.5:3306
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 93.188.2.53 93.188.2.53
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: LOOPIASE LOOPIASE
Uses FTP
Source: unknown FTP traffic detected: 93.188.1.110:21 -> 192.168.2.5:49712 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 178 of 600 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 178 of 600 allowed.220-Local time is now 20:28. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 178 of 600 allowed.220-Local time is now 20:28. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 178 of 600 allowed.220-Local time is now 20:28. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 178 of 600 allowed.220-Local time is now 20:28. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /CheckNET.php HTTP/1.1Host: www.srbreferee.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: unknown TCP traffic detected without corresponding DNS query: 79.101.0.33
Source: unknown TCP traffic detected without corresponding DNS query: 79.101.0.33
Source: unknown TCP traffic detected without corresponding DNS query: 79.101.0.33
Source: unknown TCP traffic detected without corresponding DNS query: 79.101.0.33
Source: unknown TCP traffic detected without corresponding DNS query: 79.101.0.33
Source: unknown TCP traffic detected without corresponding DNS query: 79.101.0.33
Source: unknown TCP traffic detected without corresponding DNS query: 79.101.0.33
Source: unknown TCP traffic detected without corresponding DNS query: 79.101.0.33
Source: unknown TCP traffic detected without corresponding DNS query: 79.101.0.33
Source: unknown TCP traffic detected without corresponding DNS query: 79.101.0.33
Source: unknown TCP traffic detected without corresponding DNS query: 79.101.0.33
Source: unknown TCP traffic detected without corresponding DNS query: 79.101.0.33
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /CheckNET.php HTTP/1.1Host: www.srbreferee.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic DNS traffic detected: DNS query: www.srbreferee.com
Source: global traffic DNS traffic detected: DNS query: ftpcluster.loopia.se
Source: global traffic DNS traffic detected: DNS query: mysql682.loopia.se
Source: global traffic DNS traffic detected: DNS query: mysql679.loopia.se
Source: SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp, 00000001.00000003.2356109417.000000000655B000.00000004.00001000.00020000.00000000.sdmp, Hokej.exe, 00000004.00000000.2354149158.0000000000D85000.00000002.00000001.01000000.00000008.sdmp, Hokej.exe, 00000008.00000000.2620228766.0000000001988000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://fast-report.com)
Source: SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp, 00000001.00000003.2356109417.00000000062F0000.00000004.00001000.00020000.00000000.sdmp, Hokej.exe, 00000004.00000000.2350379237.000000000041D000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: http://kuwait.livehockey.online/evaluation/index.php?SudijaID=openU
Source: Hokej.exe, 00000008.00000002.3233248800.0000000003E6B000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://srbija.livehockey.online
Source: Hokej.exe, 00000008.00000002.3233248800.0000000003D90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://srbija.livehockey.online/OnlineRegistration/
Source: Hokej.exe, 00000008.00000002.3233248800.0000000003E6B000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://srbija.livehockey.online/evaluation/i
Source: SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp, 00000001.00000003.2356109417.00000000062F0000.00000004.00001000.00020000.00000000.sdmp, Hokej.exe, 00000004.00000000.2350379237.000000000041D000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: http://srbija.livehockey.online/evaluation/index.php?SudijaID=
Source: SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp, 00000001.00000003.2356109417.000000000655B000.00000004.00001000.00020000.00000000.sdmp, Hokej.exe, 00000004.00000000.2354149158.0000000000D85000.00000002.00000001.01000000.00000008.sdmp, Hokej.exe, 00000008.00000000.2620228766.0000000001988000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/extension/
Source: Hokej.exe, 00000008.00000000.2620228766.0000000001988000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp, 00000001.00000003.2356109417.000000000655B000.00000004.00001000.00020000.00000000.sdmp, Hokej.exe, 00000004.00000000.2354149158.0000000000D85000.00000002.00000001.01000000.00000008.sdmp, Hokej.exe, 00000008.00000000.2620228766.0000000001988000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/property#
Source: SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp, 00000001.00000003.2356109417.000000000655B000.00000004.00001000.00020000.00000000.sdmp, Hokej.exe, 00000004.00000000.2354149158.0000000000D85000.00000002.00000001.01000000.00000008.sdmp, Hokej.exe, 00000008.00000000.2620228766.0000000001988000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/schema#
Source: Hokej.exe, 00000008.00000000.2604593040.0000000000DD1000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.fast-report.com
Source: SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp, 00000001.00000003.2356109417.00000000062F0000.00000004.00001000.00020000.00000000.sdmp, Hokej.exe, 00000004.00000000.2350379237.000000000041D000.00000020.00000001.01000000.00000008.sdmp, Hokej.exe, 00000004.00000003.2838713441.0000000002CAD000.00000004.00001000.00020000.00000000.sdmp, Hokej.exe, 00000008.00000000.2604593040.00000000017D1000.00000020.00000001.01000000.00000008.sdmp, Hokej.exe, 00000008.00000002.3233248800.0000000003E0C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.indyproject.org/
Source: SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe, 00000000.00000003.1992471198.00000000025C0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe, 00000000.00000003.1992791644.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp, 00000001.00000000.1993903158.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp.0.dr, is-II59A.tmp.1.dr String found in binary or memory: http://www.innosetup.com/
Source: ssleay32.dll.8.dr String found in binary or memory: http://www.openssl.org/V
Source: SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe, 00000000.00000003.1992471198.00000000025C0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe, 00000000.00000003.1992791644.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp, 00000001.00000000.1993903158.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp.0.dr, is-II59A.tmp.1.dr String found in binary or memory: http://www.remobjects.com/ps
Source: SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp, 00000001.00000003.2356109417.000000000661E000.00000004.00001000.00020000.00000000.sdmp, Hokej.exe, 00000004.00000000.2350379237.000000000041D000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.srbreferee.com/CheckNET.php
Source: Hokej.exe, 00000008.00000000.2620228766.0000000001C6A000.00000002.00000001.01000000.00000008.sdmp, Hokej.exe, 00000008.00000002.3233248800.0000000003E2D000.00000004.00001000.00020000.00000000.sdmp, Hokej.exe, 00000008.00000000.2620228766.0000000001988000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.url.com):
Source: Hokej.exe, 00000008.00000002.3233248800.0000000003E54000.00000004.00001000.00020000.00000000.sdmp, Hokej.exe, 00000008.00000000.2620228766.0000000001988000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html
Source: Hokej.exe, 00000008.00000000.2620228766.0000000001988000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/oauth2.html
Source: Hokej.exe, 00000008.00000002.3233248800.0000000003E6B000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/oauth2.htmltml
Source: SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: Hokej.exe, 00000008.00000000.2620228766.0000000001988000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://oauth.yandex.com/
Source: Hokej.exe, 00000008.00000002.3233248800.0000000003E6B000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://oauth.yandex.com/03
One or more processes crash
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 1444
PE file contains executable resources (Code or Archives)
Source: SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-II59A.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
PE file contains more sections than normal
Source: is-M013U.tmp.1.dr Static PE information: Number of sections : 11 > 10
Source: Hokej.exe.4.dr Static PE information: Number of sections : 11 > 10
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe, 00000000.00000003.1992471198.00000000025C0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe, 00000000.00000000.1991001894.00000000004C6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe, 00000000.00000003.1992791644.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe, 00000000.00000003.2368814903.0000000002328000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe Binary or memory string: OriginalFileName vs SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe
Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: classification engine Classification label: sus28.troj.winEXE@8/18@5/5
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp File created: C:\Program Files (x86)\Serbia Ice Hockey DB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp File created: C:\Users\user\AppData\Local\Programs Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4612
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe File created: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp File read: C:\Program Files (x86)\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization Jump to behavior
Source: Hokej.exe, 00000004.00000003.2838713441.0000000002D28000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT * FROM Liga ORDER BY Id;A
Source: SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp, 00000001.00000003.2356109417.00000000065C7000.00000004.00001000.00020000.00000000.sdmp, Hokej.exe, 00000004.00000003.2838713441.0000000002D28000.00000004.00001000.00020000.00000000.sdmp, Hokej.exe, 00000004.00000000.2354149158.0000000000EF9000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: SELECT * FROM Liga ORDER BY Id;
Source: SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe Process created: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp "C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp" /SL5="$20426,3939740,937984,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe"
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Process created: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe "C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe"
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Process created: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe "C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe"
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 1444
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe Process created: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp "C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp" /SL5="$20426,3939740,937984,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Process created: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe "C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe" Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Process created: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe "C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: msftedit.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: windows.globalization.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: bcp47mrm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: globinputhost.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: windows.ui.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: windowmanagementapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: inputhost.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: linkinfo.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: cscapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: security.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: idndl.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: duser.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: slc.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: oledlg.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: msftedit.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: security.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: idndl.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32 Jump to behavior
Source: Serbia Ice Hockey DB.lnk.1.dr LNK file: ..\..\..\..\..\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Window found: window name: TMainForm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Iskljucivo pravo licence za ovaj program imaSavez Hokeja na Ledu SrbijeSva prava su zasticenaI &accept the agreementI &do not accept the agreement&Next >Cancel
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Iskljucivo pravo licence za ovaj program imaSavez Hokeja na Ledu SrbijeSva prava su zasticenaI &accept the agreementI &do not accept the agreement&Next >Cancel
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Iskljucivo pravo licence za ovaj program imaSavez Hokeja na Ledu SrbijeSva prava su zasticenaI &accept the agreementI &do not accept the agreement&Next >Cancel
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Window detected: Number of UI elements: 35
Source: SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe Static file information: File size 4680932 > 1048576
Source: SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2q-x32\out32dll\ssleay32.pdb source: ssleay32.dll.8.dr
PE file contains sections with non-standard names
Source: SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe Static PE information: section name: .didata
Source: SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp.0.dr Static PE information: section name: .didata
Source: is-II59A.tmp.1.dr Static PE information: section name: .didata
Source: is-M013U.tmp.1.dr Static PE information: section name: .didata
Source: Hokej.exe.4.dr Static PE information: section name: .didata

Persistence and Installation Behavior
barindex
Drops PE files to the document folder of the user
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe File created: C:\Users\user\Documents\Zapisnik_ONLine\libeay32.dll Jump to dropped file
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe File created: C:\Users\user\Documents\Zapisnik_ONLine\ssleay32.dll Jump to dropped file
Drops PE files
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe File created: C:\Users\user\Documents\Zapisnik_ONLine\libeay32.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp File created: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp File created: C:\Program Files (x86)\Serbia Ice Hockey DB\is-M013U.tmp Jump to dropped file
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe File created: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp File created: C:\Program Files (x86)\Serbia Ice Hockey DB\unins000.exe (copy) Jump to dropped file
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe File created: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.bak (copy) Jump to dropped file
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe File created: C:\Users\user\Documents\Zapisnik_ONLine\ssleay32.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe File created: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp File created: C:\Users\user\AppData\Local\Temp\is-1DQS7.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp File created: C:\Program Files (x86)\Serbia Ice Hockey DB\is-II59A.tmp Jump to dropped file
Stores files to the Windows start menu directory
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Serbia Ice Hockey DB.lnk Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Dropped PE file which has not been started: C:\Users\user\Documents\Zapisnik_ONLine\libeay32.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Serbia Ice Hockey DB\unins000.exe (copy) Jump to dropped file
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Dropped PE file which has not been started: C:\Users\user\Documents\Zapisnik_ONLine\ssleay32.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-1DQS7.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Serbia Ice Hockey DB\is-II59A.tmp Jump to dropped file
Queries keyboard layouts
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809 Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809 Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\00000809 Jump to behavior
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\00000809 Jump to behavior
Source: SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp, 00000001.00000003.2364512557.00000000009D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\xz}
Source: Hokej.exe, 00000004.00000003.2810342057.00000000012CC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp, 00000001.00000003.2364512557.00000000009D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}E{
Source: Hokej.exe, 00000004.00000003.2814211104.00000000012CF000.00000004.00000020.00020000.00000000.sdmp, Hokej.exe, 00000004.00000003.2810342057.00000000012CC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllE
Source: Hokej.exe, 00000008.00000002.3231329835.00000000021CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Process queried: DebugPort Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe Process created: C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe "C:\Program Files (x86)\Serbia Ice Hockey DB\Hokej.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\is-5F45V.tmp\SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp Queries volume information: C:\ VolumeInformation Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1467835 Sample: SecuriteInfo.com.Trojan.Gen... Startdate: 04/07/2024 Architecture: WINDOWS Score: 28 43 ftpcluster.loopia.se 2->43 45 www.srbreferee.com 2->45 47 4 other IPs or domains 2->47 59 Antivirus detection for URL or domain 2->59 61 Drops PE files to the document folder of the user 2->61 63 Connects to many ports of the same IP (likely port scanning) 2->63 9 SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.exe 2 2->9         started        signatures3 process4 file5 33 SecuriteInfo.com.T...276.19236.26672.tmp, PE32 9->33 dropped 12 SecuriteInfo.com.Trojan.GenericKD.72873276.19236.26672.tmp 26 18 9->12         started        process6 file7 35 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 12->35 dropped 37 C:\...\unins000.exe (copy), PE32 12->37 dropped 39 C:\Program Files (x86)\...\is-M013U.tmp, PE32 12->39 dropped 41 C:\Program Files (x86)\...\is-II59A.tmp, PE32 12->41 dropped 15 Hokej.exe 4 12->15         started        process8 dnsIp9 53 ftpcluster.loopia.se 93.188.1.110, 21, 49712, 49713 LOOPIASE Sweden 15->53 55 79.101.0.33 TELEKOM-ASRS Serbia 15->55 57 www.srbreferee.com 93.188.2.53, 49711, 80 LOOPIASE Sweden 15->57 25 C:\Program Files (x86)\...\Hokej.exe, PE32 15->25 dropped 27 C:\Program Files (x86)\...\Hokej.bak (copy), PE32 15->27 dropped 19 Hokej.exe 1 2 15->19         started        23 WerFault.exe 19 16 15->23         started        file10 process11 dnsIp12 49 s679.loopia.se 93.188.1.5 LOOPIASE Sweden 19->49 51 s682.loopia.se 93.188.1.8 LOOPIASE Sweden 19->51 29 C:\Users\user\Documents\...\ssleay32.dll, PE32 19->29 dropped 31 C:\Users\user\Documents\...\libeay32.dll, PE32 19->31 dropped file13
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
93.188.2.53
 www.srbreferee.com Sweden
39570 LOOPIASE false
93.188.1.8
 s682.loopia.se Sweden
39570 LOOPIASE false
93.188.1.5
 s679.loopia.se Sweden
39570 LOOPIASE false
93.188.1.110
 ftpcluster.loopia.se Sweden
39570 LOOPIASE true
79.101.0.33
 unknown Serbia
8400 TELEKOM-ASRS false

Contacted Domains

Name IP Active
ftpcluster.loopia.se 93.188.1.110 true
s682.loopia.se 93.188.1.8 true
www.srbreferee.com 93.188.2.53 true
s679.loopia.se 93.188.1.5 true
mysql679.loopia.se unknown unknown
mysql682.loopia.se unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.srbreferee.com/CheckNET.php false
  • Avira URL Cloud: safe
 unknown