Edit tour

Windows Analysis Report
SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe
Analysis ID:	1491076
MD5:	4416f8255a013037554c04aad7c0b2d3
SHA1:	4bd6f215328e380e305a3873298a07921893e18d
SHA256:	a798b5783271e848da0af7164c22bc048b122644d60257fbc146a8f98b3cc8b0
Tags:	exe
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Connects to a pastebin service (likely for C&C)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe (PID: 6952 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe" MD5: 4416F8255A013037554C04AAD7C0B2D3)

powershell.exe (PID: 7088 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /C Get-Service -Name WpnUserService* | Restart-Service -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Sigma Signatures

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /C Get-Service -Name WpnUserService* | Restart-Service -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /C Get-Service -Name WpnUserService* | Restart-Service -Force, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe, ParentProcessId: 6952, ParentProcessName: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /C Get-Service -Name WpnUserService* | Restart-Service -Force, ProcessId: 7088, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Spreading
• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for domain / URL

Source: https://reddemon.xyz/loader/build/black.exe

Virustotal: Detection: 8%

Perma Link

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Virustotal: Detection: 54%			Perma Link
Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 95.7% probability

Source: unknown

HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Networking

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: pastebin.com

Source: Joe Sandbox View

IP Address: 104.20.3.235 104.20.3.235

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /H7Eqp7G6 HTTP/1.1Connection: Keep-AliveUser-Agent: cpprestsdk/2.10.18Host: pastebin.com

Source: global traffic

DNS traffic detected: DNS query: pastebin.com

Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	String found in binary or memory: http://fontello.com
Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	String found in binary or memory: http://fontello.comGenerated
Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	String found in binary or memory: http://scripts.sil.org/OFLInterMediumWeightSlant
Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	String found in binary or memory: http://scripts.sil.org/OFLInterSemiBoldWeightSlant
Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe, 00000000.00000002.2939409497.0000022DAD59F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	String found in binary or memory: https://access.chairfbi.com/loader/key_check?key=%s&token=%s
Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	String found in binary or memory: https://access.chairfbi.com/loader/key_check?key=%s&token=%sErrorError
Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	String found in binary or memory: https://access.chairfbi.com/loader/url/NoUi
Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	String found in binary or memory: https://access.chairfbi.com/loader/url/NoUiFailed
Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	String found in binary or memory: https://access.chairfbi.com/loader/version/NoUi
Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	String found in binary or memory: https://access.chairfbi.com/loader/version/NoUi%s
Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	String found in binary or memory: https://github.com/rsms/inter)Inter
Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe, 00000000.00000003.1796389409.0000022DA8947000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe, 00000000.00000003.1796018956.0000022DA8947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/
Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	String found in binary or memory: https://pastebin.com/H7Eqp7G6
Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	String found in binary or memory: https://pastebin.com/H7Eqp7G68.9%s.exehttps://reddemon.xyz/loader/build/black.exeFailed
Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe, 00000000.00000003.1795993503.0000022DAA890000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe, 00000000.00000003.1796075895.0000022DAA882000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/i/facebook.png
Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe, 00000000.00000003.1795993503.0000022DAA890000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/search
Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe, 00000000.00000003.1796109296.0000022DA8921000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com:443/H7Eqp7G6
Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	String found in binary or memory: https://reddemon.xyz/loader/build/black.exe
Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe, 00000000.00000003.1796075895.0000022DAA87B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe, 00000000.00000003.1795993503.0000022DAA890000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe, 00000000.00000003.1796018956.0000022DA8947000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe, 00000000.00000003.1796433414.0000022DAA87E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/pastebin
Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe, 00000000.00000003.1795993503.0000022DAA890000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe, 00000000.00000003.1796075895.0000022DAA882000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-S72LBY47R8

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443

Source: unknown

HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: classification engine

Classification label: mal64.troj.winEXE@4/6@1/1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7140:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i0vfwzqs.maj.ps1

Jump to behavior

Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Virustotal: Detection: 54%
Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	ReversingLabs: Detection: 44%

Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	String found in binary or memory: https://access.chairfbi.com/loader/key_check?key=%s&token=%s
Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	String found in binary or memory: https://access.chairfbi.com/loader/version/NoUi
Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	String found in binary or memory: https://access.chairfbi.com/loader/url/NoUi
Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	String found in binary or memory: SpooferSpooferDiskTypeSpooferDiskSpooferMoboSpooferBootSpooferMACSpooferMonitorSpooferGPUSpooferTPMSpooferFileRegistryspooferStaticSerialhttps://access.chairfbi.com/loader/key_check?key=%s&token=%sErrorError not handledcodeinvalid_keyexpired_keyKey expiredkey_to_injectexpires_incheatstorenamelogomenu_colorinclude_spooferactivedayhourminuteExpires in %.0f day(s), %.0f hour(s), %.0f minute(s)Expires in %.0f d %.0f h %.0f mCheat is under maintence%s\laddon.exe%s\%shttps://access.chairfbi.com/loader/version/NoUi%s\%s-laddon.exe%s-laddon.exehttps://access.chairfbi.com/loader/url/NoUiFailed to download loader addonHv
Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	String found in binary or memory: https://reddemon.xyz/loader/build/black.exe
Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	String found in binary or memory: oldloader.txt%s/%shttps://pastebin.com/H7Eqp7G68.9%s.exehttps://reddemon.xyz/loader/build/black.exeFailed to download new version!Failed to open new version: %s/%s

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /C Get-Service -Name WpnUserService* \| Restart-Service -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /C Get-Service -Name WpnUserService* \| Restart-Service -Force	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: concrt140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: xinput1_4.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe

Static file information: File size 1972736 > 1048576

Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	Window / User API: foregroundWindowGot 1772	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3531	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5781	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe TID: 7052	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3096	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1516	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe, 00000000.00000003.1856604904.0000022DA8947000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe, 00000000.00000003.1796389409.0000022DA8947000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe, 00000000.00000002.2936840585.0000022DA8918000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe, 00000000.00000003.1796018956.0000022DA8947000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe, 00000000.00000002.2937398541.0000022DA894E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe, 00000000.00000002.2936840585.0000022DA88CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\WindowsPowerShell\v1.0\powershell.exei

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /C Get-Service -Name WpnUserService* | Restart-Service -Force

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	21 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Query Registry	Remote Services	Data from Local System	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	11 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	55%	Virustotal		Browse
SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	45%	ReversingLabs	Win64.Infostealer.Tinba

Source	Detection	Scanner	Label	Link
pastebin.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
https://access.chairfbi.com/loader/url/NoUiFailed	0%	Avira URL Cloud	safe
https://pastebin.com/search	0%	Avira URL Cloud	safe
https://pastebin.com/H7Eqp7G6	0%	Avira URL Cloud	safe
http://scripts.sil.org/OFLInterMediumWeightSlant	0%	Avira URL Cloud	safe
http://fontello.comGenerated	0%	Avira URL Cloud	safe
https://pastebin.com/search	0%	Virustotal		Browse
https://pastebin.com/i/facebook.png	0%	Avira URL Cloud	safe
https://twitter.com/pastebin	0%	Avira URL Cloud	safe
https://pastebin.com/H7Eqp7G68.9%s.exehttps://reddemon.xyz/loader/build/black.exeFailed	0%	Avira URL Cloud	safe
http://fontello.com	0%	Avira URL Cloud	safe
https://access.chairfbi.com/loader/url/NoUiFailed	0%	Virustotal		Browse
http://scripts.sil.org/OFLInterMediumWeightSlant	0%	Virustotal		Browse
https://access.chairfbi.com/loader/version/NoUi%s	0%	Avira URL Cloud	safe
https://access.chairfbi.com/loader/key_check?key=%s&token=%sErrorError	0%	Avira URL Cloud	safe
https://pastebin.com/H7Eqp7G6	1%	Virustotal		Browse
https://access.chairfbi.com/loader/version/NoUi	0%	Avira URL Cloud	safe
https://access.chairfbi.com/loader/version/NoUi%s	0%	Virustotal		Browse
https://github.com/rsms/inter)Inter	0%	Avira URL Cloud	safe
https://access.chairfbi.com/loader/url/NoUi	0%	Avira URL Cloud	safe
https://github.com/rsms/inter)Inter	0%	Virustotal		Browse
https://pastebin.com:443/H7Eqp7G6	0%	Avira URL Cloud	safe
https://twitter.com/pastebin	0%	Virustotal		Browse
https://pastebin.com:443/H7Eqp7G6	1%	Virustotal		Browse
https://reddemon.xyz/loader/build/black.exe	0%	Avira URL Cloud	safe
https://access.chairfbi.com/loader/key_check?key=%s&token=%sErrorError	0%	Virustotal		Browse
http://scripts.sil.org/OFLInterSemiBoldWeightSlant	0%	Avira URL Cloud	safe
https://access.chairfbi.com/loader/url/NoUi	0%	Virustotal		Browse
https://reddemon.xyz/loader/build/black.exe	8%	Virustotal		Browse
https://pastebin.com/	0%	Avira URL Cloud	safe
https://access.chairfbi.com/loader/key_check?key=%s&token=%s	0%	Avira URL Cloud	safe
http://fontello.com	0%	Virustotal		Browse
http://scripts.sil.org/OFLInterSemiBoldWeightSlant	0%	Virustotal		Browse
https://pastebin.com/	0%	Virustotal		Browse
https://access.chairfbi.com/loader/key_check?key=%s&token=%s	0%	Virustotal		Browse
https://access.chairfbi.com/loader/version/NoUi	0%	Virustotal		Browse
https://pastebin.com/i/facebook.png	0%	Virustotal		Browse

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
pastebin.com	104.20.3.235	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://pastebin.com/H7Eqp7G6	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://scripts.sil.org/OFLInterMediumWeightSlant	SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://access.chairfbi.com/loader/url/NoUiFailed	SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://fontello.comGenerated	SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	false	Avira URL Cloud: safe	unknown
https://pastebin.com/search	SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe, 00000000.00000003.1795993503.0000022DAA890000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://pastebin.com/i/facebook.png	SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe, 00000000.00000003.1795993503.0000022DAA890000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe, 00000000.00000003.1796075895.0000022DAA882000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://twitter.com/pastebin	SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe, 00000000.00000003.1796075895.0000022DAA87B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe, 00000000.00000003.1795993503.0000022DAA890000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe, 00000000.00000003.1796018956.0000022DA8947000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe, 00000000.00000003.1796433414.0000022DAA87E000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://pastebin.com/H7Eqp7G68.9%s.exehttps://reddemon.xyz/loader/build/black.exeFailed	SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	false	Avira URL Cloud: safe	unknown
http://fontello.com	SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://access.chairfbi.com/loader/version/NoUi%s	SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://access.chairfbi.com/loader/version/NoUi	SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://access.chairfbi.com/loader/key_check?key=%s&token=%sErrorError	SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/rsms/inter)Inter	SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://access.chairfbi.com/loader/url/NoUi	SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://pastebin.com:443/H7Eqp7G6	SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe, 00000000.00000003.1796109296.0000022DA8921000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://reddemon.xyz/loader/build/black.exe	SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	false	8%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://scripts.sil.org/OFLInterSemiBoldWeightSlant	SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.zhongyicts.com.cn	SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe, 00000000.00000002.2939409497.0000022DAD59F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://pastebin.com/	SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe, 00000000.00000003.1796389409.0000022DA8947000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe, 00000000.00000003.1796018956.0000022DA8947000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://access.chairfbi.com/loader/key_check?key=%s&token=%s	SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.20.3.235	pastebin.com	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1491076
Start date and time:	2024-08-10 21:29:15 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe
Detection:	MAL
Classification:	mal64.troj.winEXE@4/6@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.50.131.216, 23.50.131.200
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, cdn.onenote.net, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
15:30:11	API Interceptor	23x Sleep call for process: powershell.exe modified
15:30:19	API Interceptor	1x Sleep call for process: SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.20.3.235	New Voicemail Invoice 64746w .js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
	Invoice-883973938.js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
	2024 12_59_31 a.m..js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
	PendingInvoiceBankDetails.JS.js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
pastebin.com	SecuriteInfo.com.Win64.TrojanX-gen.4503.7723.exe	Get hash	malicious	Unknown	Browse	104.20.4.235
	SecuriteInfo.com.Win64.TrojanX-gen.32733.625.exe	Get hash	malicious	Unknown	Browse	104.20.4.235
	SecuriteInfo.com.Win64.TrojanX-gen.27459.30377.exe	Get hash	malicious	Unknown	Browse	104.20.4.235
	SecuriteInfo.com.Variant.Zusy.555247.27547.31657.exe	Get hash	malicious	Unknown	Browse	104.20.3.235
	SecuriteInfo.com.Win64.TrojanX-gen.18516.19442.exe	Get hash	malicious	Unknown	Browse	172.67.19.24
	file.exe	Get hash	malicious	DarkTortilla	Browse	172.67.19.24
	file.exe	Get hash	malicious	DarkTortilla, Neoreklami	Browse	104.20.3.235
	SecuriteInfo.com.Trojan.Siggen29.14708.13579.16480.exe	Get hash	malicious	StormKitty, XWorm	Browse	104.20.3.235
	SecuriteInfo.com.Trojan.Inject5.6732.13710.8794.exe	Get hash	malicious	Cryptbot, Neoreklami	Browse	104.20.3.235
	BlazeHack.exe	Get hash	malicious	PureLog Stealer, RedLine, Xmrig	Browse	104.20.3.235

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	SecuriteInfo.com.Win64.MalwareX-gen.9087.16441.exe	Get hash	malicious	Unknown	Browse	104.26.3.16
	SecuriteInfo.com.Win64.MalwareX-gen.11541.5330.exe	Get hash	malicious	Unknown	Browse	104.26.2.16
	SecuriteInfo.com.Win64.TrojanX-gen.4503.7723.exe	Get hash	malicious	Unknown	Browse	104.20.4.235
	SecuriteInfo.com.Win64.TrojanX-gen.32733.625.exe	Get hash	malicious	Unknown	Browse	104.20.4.235
	SecuriteInfo.com.Win64.TrojanX-gen.27459.30377.exe	Get hash	malicious	Unknown	Browse	104.20.4.235
	SecuriteInfo.com.Variant.Zusy.555247.27547.31657.exe	Get hash	malicious	Unknown	Browse	104.20.3.235
	SecuriteInfo.com.Win64.TrojanX-gen.18516.19442.exe	Get hash	malicious	Unknown	Browse	172.67.19.24
	LC Setup.exe.exe	Get hash	malicious	LummaC	Browse	104.21.39.10
	Setup.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.16.74
	steal.exe	Get hash	malicious	LummaC	Browse	104.21.39.10

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	SecuriteInfo.com.Win64.MalwareX-gen.9087.16441.exe	Get hash	malicious	Unknown	Browse	104.20.3.235
	SecuriteInfo.com.Win64.MalwareX-gen.11541.5330.exe	Get hash	malicious	Unknown	Browse	104.20.3.235
	SecuriteInfo.com.Win64.TrojanX-gen.4503.7723.exe	Get hash	malicious	Unknown	Browse	104.20.3.235
	SecuriteInfo.com.Win64.TrojanX-gen.32733.625.exe	Get hash	malicious	Unknown	Browse	104.20.3.235
	SecuriteInfo.com.Win64.TrojanX-gen.27459.30377.exe	Get hash	malicious	Unknown	Browse	104.20.3.235
	SecuriteInfo.com.Variant.Zusy.555247.27547.31657.exe	Get hash	malicious	Unknown	Browse	104.20.3.235
	SecuriteInfo.com.Win64.TrojanX-gen.18516.19442.exe	Get hash	malicious	Unknown	Browse	104.20.3.235
	LC Setup.exe.exe	Get hash	malicious	LummaC	Browse	104.20.3.235
	Setup.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.20.3.235
	steal.exe	Get hash	malicious	LummaC	Browse	104.20.3.235

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe
File Type:	data
Category:	modified
Size (bytes):	338
Entropy (8bit):	3.4738726491832703
Encrypted:	false
SSDEEP:	6:kKBDMC8ZJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:lMCdkPlE99SCQl2DUevat
MD5:	25607401FA89E98AF65DC5150CD44861
SHA1:	0AF557DE53738F64788013ED68790CF0C189C886
SHA-256:	749058EA6CA79C9E69AB485AD556D6BC12D3B5CBD7FB08731906315E0B3E2C56
SHA-512:	55E0F3F625121C4500CFC4CD1499E116EE0E45FA303603CB17D24BCCDA505177DE31EFDBA5D3740462DDB6C8CB3EB5BA45A594DA4C20D46F2B9113071B04F66F
Malicious:	false
Reputation:	low
Preview:	p...... ...........[...(...................................................@... .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulxmH/lZ:NllUg
MD5:	D904BDD752B6F23D81E93ECA3BD8E0F3
SHA1:	026D8B0D0F79861746760B0431AD46BAD2A01676
SHA-256:	B393D3CEC8368794972E4ADD978B455A2F5BD37E3A116264DBED14DC8C67D6F2
SHA-512:	5B862B7F0BCCEF48E6A5A270C3F6271D7A5002465EAF347C6A266365F1B2CD3D88144C043D826D3456AA43484124D619BF16F9AEAB1F706463F553EE24CB5740
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e................................. ..............@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i0vfwzqs.maj.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mknofglc.yrq.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6221
Entropy (8bit):	3.734174263270791
Encrypted:	false
SSDEEP:	96:b5DW33CxHmgkvhkvCCtJgnn9bHH5nn98HHd:b5DWyGsinPnq
MD5:	373639A1AA9CBB381B7AF0ECF0864B93
SHA1:	10075A3A4798CB92D871D9F25A1410093950C48D
SHA-256:	B094DA6C4FD48B3633A39A82A70344A75C5E505D47A61F766399A02D658BB46E
SHA-512:	C36766CEA0D172C6CEEADB45E96C579447ECC496F5BE34D546303E3AA8326F27CB49677C75B163B20D3D571586B950CFA91A1F823771B4A70941FE02E3545A30
Malicious:	false
Reputation:	low
Preview:	...................................FL..................F.".. ...-/.v....Tx..[...z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v........[.......[.......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Y............................%..A.p.p.D.a.t.a...B.V.1......Y....Roaming.@......CW.^.Y............................Z`..R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^.Y...........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWQ`..Windows.@......CW.^DWQ`...........................g..W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^.Y.....Q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TBOMRRPLU3O91YY415FW.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6221
Entropy (8bit):	3.734174263270791
Encrypted:	false
SSDEEP:	96:b5DW33CxHmgkvhkvCCtJgnn9bHH5nn98HHd:b5DWyGsinPnq
MD5:	373639A1AA9CBB381B7AF0ECF0864B93
SHA1:	10075A3A4798CB92D871D9F25A1410093950C48D
SHA-256:	B094DA6C4FD48B3633A39A82A70344A75C5E505D47A61F766399A02D658BB46E
SHA-512:	C36766CEA0D172C6CEEADB45E96C579447ECC496F5BE34D546303E3AA8326F27CB49677C75B163B20D3D571586B950CFA91A1F823771B4A70941FE02E3545A30
Malicious:	false
Reputation:	low
Preview:	...................................FL..................F.".. ...-/.v....Tx..[...z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v........[.......[.......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Y............................%..A.p.p.D.a.t.a...B.V.1......Y....Roaming.@......CW.^.Y............................Z`..R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^.Y...........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWQ`..Windows.@......CW.^DWQ`...........................g..W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^.Y.....Q...........

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.741577433067238
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe
File size:	1'972'736 bytes
MD5:	4416f8255a013037554c04aad7c0b2d3
SHA1:	4bd6f215328e380e305a3873298a07921893e18d
SHA256:	a798b5783271e848da0af7164c22bc048b122644d60257fbc146a8f98b3cc8b0
SHA512:	c1485ecf554487e60d24b7f5391f962e498ca829499bbec2a136258aa856036dce7dd3c1c3066d1c6ba6945f03e574c72cc17b77d7ec53b0caf34de49025411b
SSDEEP:	49152:GBzMZYKBuAqzxJznMEKV4WFQ0GaXK6KNaRnFRi9Y4RxkcT5aV:GBzzKJFzbRiyYxks5a
TLSH:	3C959F43B35542ECD16AD1B94B66DB13E77238811B21C3CB23E0A2A65FD75F09DBB290
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......sc..7.y.7.y.7.y.>z..#.y..w\|.&.y...}.=.y...z.1.y...\|...y...x.?.y.\|zx...y.7.x...y...\|.!.y.....6.y...{.6.y.Rich7.y.........PE..d..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x140082430
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A53933 [Sat Jul 27 18:15:15 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	7a9121c1bce825374af94f5121aa08bf

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FCE7C7CEB68h
dec eax
add esp, 28h
jmp 00007FCE7C7CE72Fh
int3
int3
dec eax
and dword ptr [ecx+10h], 00000000h
dec eax
lea eax, dword ptr [00050870h]
dec eax
mov dword ptr [ecx+08h], eax
dec eax
lea eax, dword ptr [00043D7Dh]
dec eax
mov dword ptr [ecx], eax
dec eax
mov eax, ecx
ret
int3
int3
dec eax
sub esp, 48h
dec eax
lea ecx, dword ptr [esp+20h]
call 00007FCE7C7CE887h
dec eax
lea edx, dword ptr [000756BFh]
dec eax
lea ecx, dword ptr [esp+20h]
call 00007FCE7C806F47h
int3
mov eax, 00000001h
ret
int3
int3
xor eax, eax
cmp dword ptr [0014003Ch], eax
setne al
ret
and dword ptr [001588A9h], 00000000h
ret
dec eax
mov dword ptr [esp+08h], ebx
push ebp
dec eax
lea ebp, dword ptr [esp-000004C0h]
dec eax
sub esp, 000005C0h
mov ebx, ecx
mov ecx, 00000017h
call dword ptr [00042CE6h]
test eax, eax
je 00007FCE7C7CE8B6h
mov ecx, ebx
int 29h
mov ecx, 00000003h
call 00007FCE7C7CE879h
xor edx, edx
dec eax
lea ecx, dword ptr [ebp-10h]
inc ecx
mov eax, 000004D0h
call 00007FCE7C806F09h
dec eax
lea ecx, dword ptr [ebp-10h]
call dword ptr [00042CF1h]
dec eax
mov ebx, dword ptr [ebp+000000E8h]
dec eax

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf7d28	0x1f4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1e6000	0x1e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x1dc000	0x9840	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1e7000	0x1994	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xd6a70	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xd6b00	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xd6930	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc5000	0xd78	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xc390d	0xc3a00	9ce8eeeb5a5d4afef4bd8b1c5359bfc2	False	0.412522464057508	data	6.383728084677745	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xc5000	0x374a2	0x37600	b9b7fd80e8f870ae134f195067cd3421	False	0.39495450056433407	data	5.413691141788401	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xfd000	0xde570	0xdb000	b986a565bcd667987e47e969794ae7cc	False	0.539748100385274	data	6.7827754295920695	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x1dc000	0x9840	0x9a00	6d6c1107668bf5b816a3e758b8e90352	False	0.47427962662337664	data	5.944241416754903	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x1e6000	0x1e8	0x200	7a294975f0bf8ebb5d47cbdbd089ff91	False	0.541015625	data	4.768131151703051	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1e7000	0x1994	0x1a00	290fabea703a2c967004f08e76f89903	False	0.28846153846153844	data	5.421446958010045	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x1e6060	0x188	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5892857142857143

Imports

DLL	Import
KERNEL32.dll	GetFirmwareType, InitializeCriticalSectionEx, DeleteCriticalSection, FormatMessageA, LocalFree, GetCurrentThread, Sleep, VerifyVersionInfoW, SetFileCompletionNotificationModes, CloseThreadpoolIo, CancelThreadpoolIo, StartThreadpoolIo, CreateThreadpoolIo, GetOverlappedResult, WriteFile, ReadFile, CreateFileW, FormatMessageW, OutputDebugStringW, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, ExpandEnvironmentStringsA, GetModuleHandleW, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, SleepConditionVariableSRW, WakeAllConditionVariable, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, InitOnceComplete, InitOnceBeginInitialize, QueryPerformanceFrequency, GetUserDefaultLocaleName, FindClose, LoadLibraryA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, QueryPerformanceCounter, VerSetConditionMask, WideCharToMultiByte, MultiByteToWideChar, FreeLibrary, TerminateProcess, ExitProcess, GetCurrentProcess, WaitForSingleObject, GetLastError, CloseHandle, GlobalFree, GlobalLock, GetFirmwareEnvironmentVariableA, GlobalUnlock, GlobalAlloc, GetCurrentProcessId, GetTickCount64, FindNextFileA, FindFirstFileA, GetFileSizeEx, GetLocaleInfoEx
USER32.dll	GetWindowRect, OpenClipboard, LoadIconA, MoveWindow, ShowWindow, RegisterClassExA, DestroyWindow, CreateWindowExW, RegisterClassExW, UnregisterClassW, UnregisterClassA, PostQuitMessage, DefWindowProcA, PeekMessageA, CreateWindowExA, UpdateWindow, SetWindowPos, TranslateMessage, LoadCursorA, CloseClipboard, SetClipboardData, GetClipboardData, EmptyClipboard, TrackMouseEvent, ScreenToClient, GetMessageExtraInfo, GetKeyState, GetCapture, SetCapture, ReleaseCapture, GetSystemMetrics, DispatchMessageA, IsWindowUnicode, GetForegroundWindow, GetClientRect, SetCursorPos, SetCursor, GetCursorPos, ClientToScreen
ADVAPI32.dll	GetUserNameW, AdjustTokenPrivileges, LookupPrivilegeValueA, RegCloseKey, RegGetValueA, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, OpenProcessToken
SHELL32.dll	ShellExecuteExA
MSVCP140.dll	?_New_Locimp@_Locimp@locale@std@@CAPEAV123@AEBV123@@Z, ?_Locimp_Addfac@_Locimp@locale@std@@CAXPEAV123@PEAVfacet@23@_K@Z, ?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z, ?out@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEB_W1AEAPEB_WPEAD3AEAPEAD@Z, ??0?$codecvt@_WDU_Mbstatet@@@std@@QEAA@_K@Z, ??1?$codecvt@_WDU_Mbstatet@@@std@@MEAA@XZ, ??Bios_base@std@@QEBA_NXZ, ?setf@ios_base@std@@QEAAHHH@Z, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z, ?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z, ?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z, ?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z, ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ, ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z, ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z, ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z, ?_Random_device@std@@YAIXZ, ?_Incref@facet@locale@std@@UEAAXXZ, ?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ, ?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z, ?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z, ?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ, ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?id@?$codecvt@_WDU_Mbstatet@@@std@@2V0locale@2@A, _Mtx_init_in_situ, _Mtx_destroy_in_situ, ??0_Lockit@std@@QEAA@H@Z, ??1_Lockit@std@@QEAA@XZ, ?uncaught_exception@std@@YA_NXZ, ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ, ?always_noconv@codecvt_base@std@@QEBA_NXZ, ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z, ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?good@ios_base@std@@QEBA_NXZ, ?flags@ios_base@std@@QEBAHXZ, ?width@ios_base@std@@QEBA_JXZ, ??Bid@locale@std@@QEAA_KXZ, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ, ?_Gninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ, ?_Gnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ, ?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z, ?_Pnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAPEAD0PEAH001@Z, ?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z, ?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ, ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A, _Thrd_detach, _Cnd_do_broadcast_at_thread_exit, ?_Throw_Cpp_error@std@@YAXH@Z, ?_Xinvalid_argument@std@@YAXPEBD@Z, ?fail@ios_base@std@@QEBA_NXZ, ?__ExceptionPtrCreate@@YAXPEAX@Z, ?__ExceptionPtrDestroy@@YAXPEAX@Z, ?__ExceptionPtrCopy@@YAXPEAXPEBX@Z, ?__ExceptionPtrAssign@@YAXPEAXPEBX@Z, ?__ExceptionPtrToBool@@YA_NPEBX@Z, ?__ExceptionPtrCurrentException@@YAXPEAX@Z, ?__ExceptionPtrRethrow@@YAXPEBX@Z, ?__ExceptionPtrCopyException@@YAXPEAXPEBX1@Z, _Mtx_lock, _Mtx_unlock, _Cnd_init_in_situ, _Cnd_destroy_in_situ, _Cnd_wait, _Cnd_broadcast, ?_Schedule_chore@details@Concurrency@@YAHPEAU_Threadpool_chore@12@@Z, ?_Release_chore@details@Concurrency@@YAXPEAU_Threadpool_chore@12@@Z, ?_ReportUnobservedException@details@Concurrency@@YAXXZ, ?GetCurrentThreadId@platform@details@Concurrency@@YAJXZ, ?_Xbad_function_call@std@@YAXXZ, ?_CallInContext@_ContextCallback@details@Concurrency@@QEBAXV?$function@$$A6AXXZ@std@@_N@Z, ?_Reset@_ContextCallback@details@Concurrency@@AEAAXXZ, ?_Assign@_ContextCallback@details@Concurrency@@AEAAXPEAX@Z, ?_IsCurrentOriginSTA@_ContextCallback@details@Concurrency@@CA_NXZ, ?_Capture@_ContextCallback@details@Concurrency@@AEAAXXZ, ?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ, ??0task_continuation_context@Concurrency@@AEAA@XZ, ?_LogScheduleTask@_TaskEventLogger@details@Concurrency@@QEAAX_N@Z, ?_LogCancelTask@_TaskEventLogger@details@Concurrency@@QEAAXXZ, ?_LogTaskCompleted@_TaskEventLogger@details@Concurrency@@QEAAXXZ, ?_LogTaskExecutionCompleted@_TaskEventLogger@details@Concurrency@@QEAAXXZ, ?_LogWorkItemStarted@_TaskEventLogger@details@Concurrency@@QEAAXXZ, ?_LogWorkItemCompleted@_TaskEventLogger@details@Concurrency@@QEAAXXZ, ?width@ios_base@std@@QEAA_J_J@Z, ?_Xout_of_range@std@@YAXPEBD@Z, ?_Xlength_error@std@@YAXPEBD@Z, ?_Xbad_alloc@std@@YAXXZ, ??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@AEA_K@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@_K@Z, ??1?$basic_ostream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ, ??0?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z, ?_Throw_C_error@std@@YAXH@Z, ?__ExceptionPtrCompare@@YA_NPEBX0@Z, ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ, ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ, ?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z, ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z, ?xsputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JPEB_W_J@Z, ?xsgetn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JPEA_W_J@Z, ?uflow@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAGXZ, ?sync@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAHXZ, ?showmanyc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JXZ, ?setbuf@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAPEAV12@PEA_W_J@Z, ?imbue@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAXAEBVlocale@2@@Z, ?_Unlock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAAXXZ, ?_Lock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAAXXZ, ??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@AEAH@Z, ??1?$basic_istream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ, ??0?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z, ??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IEAA@XZ, ?imbue@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAA?AVlocale@2@AEBV32@@Z, ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z, ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UEAA@XZ, ?_Pninc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAPEA_WXZ, ??1?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAA@XZ, ??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAA@XZ, ?classic@locale@std@@SAAEBV12@XZ, ?_Winerror_map@std@@YAHH@Z, ?_Syserror_map@std@@YAPEBDH@Z, ??4?$_Yarn@D@std@@QEAAAEAV01@PEBD@Z
CONCRT140.dll	?_Release@_ReentrantBlockingLock@details@Concurrency@@QEAAXXZ, ??0_ReentrantBlockingLock@details@Concurrency@@QEAA@XZ, ?_Acquire@_ReentrantBlockingLock@details@Concurrency@@QEAAXXZ, ??1_ReentrantBlockingLock@details@Concurrency@@QEAA@XZ
IMM32.dll	ImmSetCompositionWindow, ImmGetContext, ImmSetCandidateWindow, ImmReleaseContext
D3DCOMPILER_47.dll	D3DCompile
CRYPT32.dll	CertGetCertificateChain, CertVerifyCertificateChainPolicy, CertFreeCertificateChain, CertFreeCertificateContext, CryptUnprotectMemory
bcrypt.dll	BCryptGetProperty, BCryptCloseAlgorithmProvider, BCryptDestroyHash, BCryptFinishHash, BCryptHashData, BCryptCreateHash, BCryptOpenAlgorithmProvider
WINHTTP.dll	WinHttpQueryAuthSchemes, WinHttpReceiveResponse, WinHttpSetCredentials, WinHttpGetIEProxyConfigForCurrentUser, WinHttpGetProxyForUrl, WinHttpQueryHeaders, WinHttpAddRequestHeaders, WinHttpOpenRequest, WinHttpSetTimeouts, WinHttpSetOption, WinHttpQueryOption, WinHttpQueryDataAvailable, WinHttpWriteData, WinHttpReadData, WinHttpConnect, WinHttpCloseHandle, WinHttpSendRequest, WinHttpOpen, WinHttpGetDefaultProxyConfiguration, WinHttpSetStatusCallback
d3d11.dll	D3D11CreateDeviceAndSwapChain
VCRUNTIME140.dll	__std_exception_destroy, _CxxThrowException, __current_exception_context, __std_exception_copy, memmove, __current_exception, __C_specific_handler, _purecall, strstr, memset, memchr, memcpy, memcmp, __std_terminate
VCRUNTIME140_1.dll	__CxxFrameHandler4
api-ms-win-crt-runtime-l1-1-0.dll	_cexit, _crt_atexit, _seh_filter_exe, _register_onexit_function, _initialize_onexit_table, _initialize_narrow_environment, _set_app_type, _configure_narrow_argv, abort, _invalid_parameter_noinfo_noreturn, _get_narrow_winmain_command_line, _initterm, _initterm_e, exit, _exit, _c_exit, _register_thread_local_exe_atexit_callback, _beginthreadex, terminate, _errno
api-ms-win-crt-string-l1-1-0.dll	strcmp, strncmp, isdigit, isalpha, isxdigit, strcpy_s, strcat_s, strncpy
api-ms-win-crt-stdio-l1-1-0.dll	fseek, _wfopen, __stdio_common_vsprintf, __stdio_common_vsprintf_s, __stdio_common_vsscanf, ftell, __stdio_common_vfprintf, ungetc, setvbuf, _fseeki64, fsetpos, fread, fputc, fgetpos, fgetc, fflush, _get_stream_buffer_pointers, __p__commode, _set_fmode, fwrite, __acrt_iob_func, feof, ferror, fclose
api-ms-win-crt-heap-l1-1-0.dll	malloc, free, realloc, _callnewh, _set_new_mode
api-ms-win-crt-convert-l1-1-0.dll	atoi, wcstol, wcstombs_s
api-ms-win-crt-filesystem-l1-1-0.dll	_mkdir, _access_s, remove, _lock_file, _unlock_file
api-ms-win-crt-time-l1-1-0.dll	_time64, strftime, _localtime64, _localtime64_s
api-ms-win-crt-math-l1-1-0.dll	sqrtf, cosf, fmodf, ceilf, sinf, acosf, __setusermatherr
api-ms-win-crt-utility-l1-1-0.dll	qsort
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 20
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 10, 2024 21:30:15.721026897 CEST	49731	443	192.168.2.4	104.20.3.235
Aug 10, 2024 21:30:15.721096992 CEST	443	49731	104.20.3.235	192.168.2.4
Aug 10, 2024 21:30:15.721189022 CEST	49731	443	192.168.2.4	104.20.3.235
Aug 10, 2024 21:30:15.742516994 CEST	49731	443	192.168.2.4	104.20.3.235
Aug 10, 2024 21:30:15.742531061 CEST	443	49731	104.20.3.235	192.168.2.4
Aug 10, 2024 21:30:17.346626043 CEST	443	49731	104.20.3.235	192.168.2.4
Aug 10, 2024 21:30:17.346733093 CEST	49731	443	192.168.2.4	104.20.3.235
Aug 10, 2024 21:30:17.349314928 CEST	49731	443	192.168.2.4	104.20.3.235
Aug 10, 2024 21:30:17.349328995 CEST	443	49731	104.20.3.235	192.168.2.4
Aug 10, 2024 21:30:17.349728107 CEST	443	49731	104.20.3.235	192.168.2.4
Aug 10, 2024 21:30:17.400803089 CEST	49731	443	192.168.2.4	104.20.3.235
Aug 10, 2024 21:30:19.045200109 CEST	49731	443	192.168.2.4	104.20.3.235
Aug 10, 2024 21:30:19.088496923 CEST	443	49731	104.20.3.235	192.168.2.4
Aug 10, 2024 21:30:19.589457989 CEST	443	49731	104.20.3.235	192.168.2.4
Aug 10, 2024 21:30:19.589607954 CEST	443	49731	104.20.3.235	192.168.2.4
Aug 10, 2024 21:30:19.589694023 CEST	443	49731	104.20.3.235	192.168.2.4
Aug 10, 2024 21:30:19.589694023 CEST	49731	443	192.168.2.4	104.20.3.235
Aug 10, 2024 21:30:19.589728117 CEST	443	49731	104.20.3.235	192.168.2.4
Aug 10, 2024 21:30:19.589780092 CEST	49731	443	192.168.2.4	104.20.3.235
Aug 10, 2024 21:30:19.589795113 CEST	443	49731	104.20.3.235	192.168.2.4
Aug 10, 2024 21:30:19.596093893 CEST	443	49731	104.20.3.235	192.168.2.4
Aug 10, 2024 21:30:19.596163034 CEST	49731	443	192.168.2.4	104.20.3.235
Aug 10, 2024 21:30:19.596183062 CEST	443	49731	104.20.3.235	192.168.2.4
Aug 10, 2024 21:30:19.604679108 CEST	443	49731	104.20.3.235	192.168.2.4
Aug 10, 2024 21:30:19.604747057 CEST	49731	443	192.168.2.4	104.20.3.235
Aug 10, 2024 21:30:19.604779005 CEST	443	49731	104.20.3.235	192.168.2.4
Aug 10, 2024 21:30:19.622872114 CEST	443	49731	104.20.3.235	192.168.2.4
Aug 10, 2024 21:30:19.622941971 CEST	49731	443	192.168.2.4	104.20.3.235
Aug 10, 2024 21:30:19.622967958 CEST	443	49731	104.20.3.235	192.168.2.4
Aug 10, 2024 21:30:19.666461945 CEST	49731	443	192.168.2.4	104.20.3.235
Aug 10, 2024 21:30:19.711827040 CEST	443	49731	104.20.3.235	192.168.2.4
Aug 10, 2024 21:30:19.760332108 CEST	49731	443	192.168.2.4	104.20.3.235
Aug 10, 2024 21:30:19.781188011 CEST	443	49731	104.20.3.235	192.168.2.4
Aug 10, 2024 21:30:19.785739899 CEST	443	49731	104.20.3.235	192.168.2.4
Aug 10, 2024 21:30:19.785810947 CEST	49731	443	192.168.2.4	104.20.3.235
Aug 10, 2024 21:30:19.785831928 CEST	443	49731	104.20.3.235	192.168.2.4
Aug 10, 2024 21:30:19.793498993 CEST	443	49731	104.20.3.235	192.168.2.4
Aug 10, 2024 21:30:19.793658972 CEST	49731	443	192.168.2.4	104.20.3.235
Aug 10, 2024 21:30:19.793668032 CEST	443	49731	104.20.3.235	192.168.2.4
Aug 10, 2024 21:30:19.793725014 CEST	443	49731	104.20.3.235	192.168.2.4
Aug 10, 2024 21:30:19.793783903 CEST	49731	443	192.168.2.4	104.20.3.235
Aug 10, 2024 21:30:19.794538975 CEST	49731	443	192.168.2.4	104.20.3.235
Aug 10, 2024 21:30:19.794559002 CEST	443	49731	104.20.3.235	192.168.2.4
Aug 10, 2024 21:30:19.794579983 CEST	49731	443	192.168.2.4	104.20.3.235
Aug 10, 2024 21:30:19.794588089 CEST	443	49731	104.20.3.235	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 10, 2024 21:30:15.466074944 CEST	61176	53	192.168.2.4	1.1.1.1
Aug 10, 2024 21:30:15.604515076 CEST	53	61176	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 10, 2024 21:30:15.466074944 CEST	192.168.2.4	1.1.1.1	0xdd9	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Aug 10, 2024 21:30:15.604515076 CEST	1.1.1.1	192.168.2.4	0xdd9	No error (0)	pastebin.com	104.20.3.235	A (IP address)	IN (0x0001)	false
Aug 10, 2024 21:30:15.604515076 CEST	1.1.1.1	192.168.2.4	0xdd9	No error (0)	pastebin.com	172.67.19.24	A (IP address)	IN (0x0001)	false
Aug 10, 2024 21:30:15.604515076 CEST	1.1.1.1	192.168.2.4	0xdd9	No error (0)	pastebin.com	104.20.4.235	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

pastebin.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	104.20.3.235	443	6952	C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-10 19:30:19 UTC	102	OUT	GET /H7Eqp7G6 HTTP/1.1 Connection: Keep-Alive User-Agent: cpprestsdk/2.10.18 Host: pastebin.com
2024-08-10 19:30:19 UTC	530	IN	HTTP/1.1 200 OK Date: Sat, 10 Aug 2024 19:30:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block set-cookie: _csrf-frontend=7ac1fe11604146821e61a904ee2b5ba28ac3a77a79f57599339ea8c99a6cc832a%3A2%3A%7Bi%3A0%3Bs%3A14%3A%22_csrf-frontend%22%3Bi%3A1%3Bs%3A32%3A%220AnwxuHss9-s-dnG8y7lUXJg4yKLUQ7R%22%3B%7D; path=/; HttpOnly CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8b12665608c6c331-EWR
2024-08-10 19:30:19 UTC	839	IN	Data Raw: 34 66 34 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 30 2e 37 35 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 35 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 79 65 73 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 61 73 79 6e 63 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 2f 67 74 61 67 2f 6a 73 3f 69 64 3d 47 2d 53 37 32 4c 42 59 34 37 52 38 22 3e 3c 2f 73 63 72 69 70 74 Data Ascii: 4f40<!DOCTYPE html><html lang="en"><head> <meta name="viewport" content="width=device-width, initial-scale=0.75, maximum-scale=5.0, user-scalable=yes" /> <script async src="https://www.googletagmanager.com/gtag/js?id=G-S72LBY47R8"></script
2024-08-10 19:30:19 UTC	1369	IN	Data Raw: 74 3d 22 50 61 73 74 65 62 69 6e 2e 63 6f 6d 20 69 73 20 74 68 65 20 6e 75 6d 62 65 72 20 6f 6e 65 20 70 61 73 74 65 20 74 6f 6f 6c 20 73 69 6e 63 65 20 32 30 30 32 2e 20 50 61 73 74 65 62 69 6e 20 69 73 20 61 20 77 65 62 73 69 74 65 20 77 68 65 72 65 20 79 6f 75 20 63 61 6e 20 73 74 6f 72 65 20 74 65 78 74 20 6f 6e 6c 69 6e 65 20 66 6f 72 20 61 20 73 65 74 20 70 65 72 69 6f 64 20 6f 66 20 74 69 6d 65 2e 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 66 62 3a 61 70 70 5f 69 64 22 20 63 6f 6e 74 65 6e 74 3d 22 32 33 31 34 39 33 33 36 30 32 33 34 38 32 30 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 74 65 72 6e 69 74 Data Ascii: t="Pastebin.com is the number one paste tool since 2002. Pastebin is a website where you can store text online for a set period of time." /> <meta property="fb:app_id" content="231493360234820" /> <meta property="og:title" content="eternit
2024-08-10 19:30:19 UTC	1369	IN	Data Raw: 63 72 69 70 74 3e 20 76 61 72 20 76 69 74 61 67 20 3d 20 76 69 74 61 67 20 7c 7c 20 7b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 21 2d 2d 20 45 6e 64 20 56 61 6c 75 65 69 6d 70 72 65 73 73 69 6f 6e 20 48 65 61 64 20 53 63 72 69 70 74 20 2d 2d 3e 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 76 69 74 61 67 2e 73 6d 61 72 74 42 61 6e 6e 65 72 43 6f 6e 66 69 67 3d 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 64 69 73 61 62 6c 65 50 6f 73 69 74 69 6f 6e 3a 20 20 22 74 6f 70 20 72 69 67 68 74 20 6c 65 66 74 22 2c 0d 0a 20 20 20 20 20 7d 0d 0a 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 69 66 20 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 Data Ascii: cript> var vitag = vitag \|\| {};</script>... End Valueimpression Head Script --><script> vitag.smartBannerConfig= { disablePosition: "top right left", }</script><script type="text/javascript"> if (window.location.p
2024-08-10 19:30:19 UTC	1369	IN	Data Raw: 2c 30 2d 32 30 2e 35 2d 33 2e 37 2d 32 37 2e 39 2d 31 32 2e 31 4c 33 33 39 2e 33 2c 33 39 33 2e 38 63 2d 33 37 2e 32 2c 32 36 2e 31 2d 37 38 2e 32 2c 33 38 2e 32 2d 31 32 32 2e 39 2c 33 38 2e 32 20 63 2d 32 39 2e 38 2c 30 2d 35 37 2e 37 2d 35 2e 36 2d 38 33 2e 38 2d 31 36 2e 38 63 2d 32 37 2d 31 31 2e 32 2d 35 30 2e 33 2d 32 37 2d 36 38 2e 39 2d 34 36 2e 35 73 2d 33 34 2e 34 2d 34 32 2e 38 2d 34 36 2e 35 2d 36 38 2e 39 43 36 2e 31 2c 32 37 32 2e 38 2c 30 2e 35 2c 32 34 34 2e 38 2c 30 2e 35 2c 32 31 36 73 35 2e 36 2d 35 37 2e 37 2c 31 36 2e 38 2d 38 33 2e 38 20 63 31 31 2e 32 2d 32 37 2c 32 37 2d 35 30 2e 33 2c 34 36 2e 35 2d 36 38 2e 39 73 34 32 2e 38 2d 33 34 2e 34 2c 36 38 2e 39 2d 34 36 2e 35 43 31 35 39 2e 37 2c 35 2e 36 2c 31 38 37 2e 36 2c 30 2c 32 Data Ascii: ,0-20.5-3.7-27.9-12.1L339.3,393.8c-37.2,26.1-78.2,38.2-122.9,38.2 c-29.8,0-57.7-5.6-83.8-16.8c-27-11.2-50.3-27-68.9-46.5s-34.4-42.8-46.5-68.9C6.1,272.8,0.5,244.8,0.5,216s5.6-57.7,16.8-83.8 c11.2-27,27-50.3,46.5-68.9s42.8-34.4,68.9-46.5C159.7,5.6,187.6,0,2
2024-08-10 19:30:19 UTC	1369	IN	Data Raw: 63 6c 61 73 73 3d 22 73 65 61 72 63 68 5f 69 6e 70 75 74 22 20 6e 61 6d 65 3d 22 71 22 20 6d 61 78 6c 65 6e 67 74 68 3d 22 31 32 38 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0a 0a 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 73 75 62 6d 69 74 22 20 63 6c 61 73 73 3d 22 73 65 61 72 63 68 5f 62 74 6e 22 20 61 72 69 61 2d 6c 61 62 65 6c 3d 22 53 65 61 72 63 68 22 3e 3c 73 76 67 20 63 6c 61 73 73 3d 22 69 63 6f 6e 20 73 65 61 72 63 68 22 3e 3c 75 73 65 20 78 6c 69 6e 6b 3a 68 72 65 66 3d 22 23 73 65 61 72 63 68 22 3e 3c 2f 75 73 65 3e 3c 2f 73 76 67 3e 3c 2f 62 75 74 74 6f 6e 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: class="search_input" name="q" maxlength="128" placeholder="Search..."> <button type="submit" class="search_btn" aria-label="Search"><svg class="icon search"><use xlink:href="#search"></use></svg></button>
2024-08-10 19:30:19 UTC	1369	IN	Data Raw: 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 2d 73 75 6d 6d 61 72 79 20 6a 73 2d 72 61 74 69 6e 67 2d 65 72 72 6f 72 20 68 69 64 65 22 3e 3c 75 6c 3e 3c 6c 69 3e 3c 2f 6c 69 3e 3c 2f 75 6c 3e 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 64 65 74 61 69 6c 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 68 61 72 65 20 68 5f 38 30 30 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 64 61 74 61 2d 75 72 6c 3d 22 68 74 74 70 73 3a 2f 2f 70 61 73 74 65 62 69 6e 2e 63 6f 6d 2f 48 37 45 71 70 37 47 36 22 20 63 6c 61 73 73 3d 22 73 68 61 72 65 2d 62 74 6e 20 66 61 63 65 62 6f 6f 6b 20 6a 73 2d 66 61 63 65 62 6f 6f 6b Data Ascii: <div class="error-summary js-rating-error hide"><ul><li></li></ul></div> <div class="details"> <div class="share h_800"> <div data-url="https://pastebin.com/H7Eqp7G6" class="share-btn facebook js-facebook
2024-08-10 19:30:19 UTC	1369	IN	Data Raw: 32 3a 34 35 3a 32 30 20 50 4d 20 43 44 54 22 3e 44 65 63 20 35 74 68 2c 20 32 30 32 33 3c 2f 73 70 61 6e 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 28 3c 73 70 61 6e 20 74 69 74 6c 65 3d 22 4c 61 73 74 20 65 64 69 74 20 6f 6e 3a 20 53 61 74 75 72 64 61 79 20 32 37 74 68 20 6f 66 20 4a 75 6c 79 20 32 30 32 34 20 30 31 3a 30 35 3a 35 32 20 50 4d 20 43 44 54 22 3e 65 64 69 74 65 64 3c 2f 73 70 61 6e 3e 29 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 76 69 73 69 74 73 22 20 74 69 74 6c 65 3d Data Ascii: 2:45:20 PM CDT">Dec 5th, 2023</span> (<span title="Last edit on: Saturday 27th of July 2024 01:05:52 PM CDT">edited</span>) </div> <div class="visits" title=
2024-08-10 19:30:19 UTC	1369	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 0a 20 20 20 20 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 69 67 68 6c 69 67 68 74 65 64 2d 63 6f 64 65 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 6f 70 2d 62 75 74 74 6f 6e 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 6c 65 66 74 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 2f 61 72 63 68 69 76 65 2f 74 65 78 74 22 20 63 6c 61 73 73 3d 22 62 74 6e 20 2d 73 6d 61 6c 6c 20 68 5f 38 30 30 22 3e 74 65 78 74 3c 2f 61 Data Ascii: </div> </div> </div> <div class="highlighted-code"> <div class="top-buttons"> <div class="left"> <a href="/archive/text" class="btn -small h_800">text</a
2024-08-10 19:30:19 UTC	1369	IN	Data Raw: 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6f 75 72 63 65 20 74 65 78 74 22 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 70 78 3b 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 6f 6c 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 6c 69 20 63 6c 61 73 73 3d 22 6c 69 31 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 64 65 31 22 3e 38 2e 39 3c 2f 64 69 76 3e 3c 2f 6c 69 3e 3c 2f 6f 6c 3e 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 0a 0a 20 20 20 20 20 20 20 20 0a 3c 21 2d 2d 20 31 2d 78 32 78 79 39 34 70 4a 20 2d 2d 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 Data Ascii: </div> <div class="source text" style="font-size: px; line-height: px;"> <ol class="text"><li class="li1"><div class="de1">8.9</div></li></ol> </div> </div> ... 1-x2xy94pJ --><div style="padding-bottom:1
2024-08-10 19:30:19 UTC	1369	IN	Data Raw: 2d 61 64 2d 73 6c 6f 74 3d 22 76 69 5f 31 32 38 32 35 37 37 34 37 34 22 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 20 39 37 30 70 78 3b 20 68 65 69 67 68 74 3a 20 39 30 70 78 22 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 3e 28 76 69 74 61 67 2e 49 6e 69 74 20 3d 20 77 69 6e 64 6f 77 2e 76 69 74 61 67 2e 49 6e 69 74 20 7c 7c 20 5b 5d 29 2e 70 75 73 68 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 69 41 50 49 74 61 67 2e 64 69 73 70 6c 61 79 28 22 76 69 5f 31 32 38 32 35 37 37 34 37 34 22 29 7d 29 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 64 65 62 61 72 20 68 5f 31 30 32 34 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 0a 0a 0a 0a 20 20 20 20 Data Ascii: -ad-slot="vi_1282577474" style="width: 970px; height: 90px"></div><script>(vitag.Init = window.vitag.Init \|\| []).push(function(){viAPItag.display("vi_1282577474")})</script></div> </div> <div class="sidebar h_1024">

Statistics

CPU Usage

• SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe
• powershell.exe
• conhost.exe

Click to jump to process

Memory Usage

• SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe
• powershell.exe
• conhost.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe
• powershell.exe
• conhost.exe

Click to jump to process

Target ID:	0
Start time:	15:30:08
Start date:	10/08/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe"
Imagebase:	0x7ff63b140000
File size:	1'972'736 bytes
MD5 hash:	4416F8255A013037554C04AAD7C0B2D3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	15:30:08
Start date:	10/08/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /C Get-Service -Name WpnUserService* \| Restart-Service -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:30:08
Start date:	10/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i0vfwzqs.maj.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mknofglc.yrq.psm1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TBOMRRPLU3O91YY415FW.temp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
SecuriteInfo.com.Win64.TrojanX-gen.19215.24564.exe