Windows Analysis Report
SecuriteInfo.com.FileRepMalware.8697.17037.exe

Overview

General Information

Sample name: SecuriteInfo.com.FileRepMalware.8697.17037.exe
Analysis ID: 1501325
MD5: 8eb33cfbc3fccab789e6f96cd7b4553b
SHA1: 27a8160581bc7413b2ba118bb737f2fca61cd6c6
SHA256: 3cf61b6951d14daddeac3838d212ab9df11624c39838fca00aee497458639b9c
Tags: exe

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to create an SMB header
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found potential string decryption / allocating functions
Potential key logger detected (key state polling based)
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection

Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe Avira: detected
Source: http://185.101.104.92/mapp.exe Avira URL Cloud: Label: malware
Source: http://185.101.104.92/fuck1.sys Avira URL Cloud: Label: malware
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe ReversingLabs: Detection: 57%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.5% probability
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B2E5E0 CryptAcquireContextA,CryptCreateHash, 0_2_00007FF764B2E5E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B2C52D strtol,strchr,strchr,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strchr,CertOpenStore,GetLastError,CryptStringToBinaryA,CertFindCertificateInStore,fopen,fseek,ftell,fseek,fread,fclose,MultiByteToWideChar,PFXImportCertStore,GetLastError,CertFindCertificateInStore,GetLastError,CertCloseStore,CertCloseStore,CertFreeCertificateContext,fclose,CertFreeCertificateContext, 0_2_00007FF764B2C52D
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B486D0 GetLastError,CreateFileA,GetLastError,GetFileSizeEx,GetLastError,ReadFile,strstr,strstr,CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError,GetLastError,CloseHandle, 0_2_00007FF764B486D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B2E630 CryptHashData, 0_2_00007FF764B2E630
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B2E640 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 0_2_00007FF764B2E640
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B2B8F0 memset,CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 0_2_00007FF764B2B8F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B2B820 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, 0_2_00007FF764B2B820
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B51210 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 0_2_00007FF764B51210
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B4F120 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext, 0_2_00007FF764B4F120
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B47DB0 CertOpenStore,GetLastError,CertCreateCertificateChainEngine,GetLastError,CertGetCertificateChain,GetLastError,CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx,CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx,CertFreeCertificateChainEngine,CertCloseStore,CertFreeCertificateChain,CertFreeCertificateContext, 0_2_00007FF764B47DB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: -----BEGIN PUBLIC KEY----- 0_2_00007FF764B12510
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: mov dword ptr [rbp+04h], 424D53FFh 0_2_00007FF764B3AF20
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AE9AF4 Concurrency::details::WorkQueue::IsStructuredEmpty,Concurrency::details::WorkQueue::IsStructuredEmpty,Concurrency::details::WorkQueue::IsStructuredEmpty,Concurrency::details::WorkQueue::IsStructuredEmpty,URLDownloadToFileA,system,system, 0_2_00007FF764AE9AF4
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe String found in binary or memory: http://185.101.104.92/fuck1.sys
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe String found in binary or memory: http://185.101.104.92/fuck1.sysC:
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe String found in binary or memory: http://185.101.104.92/mapp.exe
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe String found in binary or memory: http://185.101.104.92/mapp.exeC:
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe String found in binary or memory: http://fontello.com
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe String found in binary or memory: http://fontello.comCopyright
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe String found in binary or memory: http://www.josbuivenga.demon.nl
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe String found in binary or memory: http://www.josbuivenga.demon.nlCopyright
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe String found in binary or memory: http://www.josbuivenga.demon.nlMuseo
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe String found in binary or memory: https://keyauth.win/api/1.2/
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe String found in binary or memory: https://keyauth.win/api/1.2/vqdudtxqydjybehtmcjlwnbbbflfdrohjbpsqagcexsshuarkpwfcvbcdolruouthxdizrwn
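Read together with the URLDownloadToFileA,system,system sequence at 0_2_00007FF764AE9AF4, the two 185.101.104.92 URLs describe a fetch of mapp.exe and fuck1.sys into C:\Windows\System\ followed by a cmd.exe line that starts mapp.exe with the .sys path as its argument (the combined string in the evasion section below carries the full "CD C:\START C:\WINDOWS\SYSTEM\MAPP.EXE C:\WINDOWS\SYSTEM\FUCK1.SYS" command). The sandbox run never reached that stage (no DNS query, no contacted IPs), so the chain has to be caught from endpoint telemetry rather than from this report's dynamic data. The following Python is an added example, not part of the Joe Sandbox report or of the sample, showing detection logic over constructed Sysmon-like events. The event shape, the process IDs, the 60-second correlation window and the two benign noise events are the editor's assumptions; only the URLs, paths and command line are taken from the report's strings.

```python
import ipaddress
import re
from collections import defaultdict

SAMPLE = r"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe"

# Constructed telemetry in a simplified Sysmon-like shape. The events are made
# up to mirror the chain the report's strings describe; the sandbox run itself
# recorded no network activity, so none of this comes from the report.
EVENTS = [
    {"t": 0, "type": "ProcessCreate", "pid": 4212, "ppid": 3040, "image": SAMPLE,
     "cmdline": SAMPLE},
    {"t": 1, "type": "NetworkConnect", "pid": 4212, "image": SAMPLE,
     "dst_ip": "185.101.104.92", "dst_port": 80, "dst_host": ""},
    {"t": 2, "type": "FileCreate", "pid": 4212, "image": SAMPLE,
     "target": r"C:\Windows\System\mapp.exe"},
    {"t": 3, "type": "FileCreate", "pid": 4212, "image": SAMPLE,
     "target": r"C:\Windows\System\fuck1.sys"},
    {"t": 4, "type": "ProcessCreate", "pid": 4300, "ppid": 4212,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /C cd C:\ & start C:\Windows\System\mapp.exe C:\Windows\System\fuck1.sys"},
    # Benign noise: a driver package landing where drivers normally live.
    {"t": 5, "type": "FileCreate", "pid": 900, "image": r"C:\Windows\System32\drvinst.exe",
     "target": r"C:\Windows\System32\drivers\vendor.sys"},
    # Benign noise: a browser fetching from a named host on port 80 (TEST-NET IP).
    {"t": 6, "type": "NetworkConnect", "pid": 2100, "image": r"C:\Program Files\Browser\browser.exe",
     "dst_ip": "203.0.113.10", "dst_port": 80, "dst_host": "example.com"},
]

DRIVER_STORE = "c:\\windows\\system32\\drivers\\"
# 'start <something>.exe <something>.sys' inside one cmd segment.
LOADER_CMD = re.compile(r"\bstart\b[^&|]*\.exe\b[^&|]*\.sys\b", re.IGNORECASE)


def unusual_driver_drop(ev):
    """A .sys written anywhere but the driver store is worth a look; here the
    target is C:\\Windows\\System\\, a legacy directory no modern driver uses."""
    if ev["type"] != "FileCreate":
        return False
    target = ev["target"].lower()
    return target.endswith(".sys") and not target.startswith(DRIVER_STORE)


def loader_with_driver_arg(ev):
    """cmd.exe 'start <x>.exe <y>.sys': an executable handed a .sys path as its
    argument, the shape of a user-mode driver loader invocation."""
    return ev["type"] == "ProcessCreate" and LOADER_CMD.search(ev["cmdline"]) is not None


def raw_ip_http(ev):
    """Plain-HTTP connect to a global literal IP with no resolved hostname;
    matches the hard-coded http://185.101.104.92/ URLs and the absence of any
    DNS query in the run."""
    if ev["type"] != "NetworkConnect" or ev["dst_port"] not in (80, 8080):
        return False
    if ev.get("dst_host"):
        return False
    return ipaddress.ip_address(ev["dst_ip"]).is_global


def detect_chain(events, window=60):
    """Correlate per process: raw-IP HTTP -> .sys dropped outside the driver
    store -> child cmd.exe launching an .exe with the .sys as its argument."""
    by_pid, children = defaultdict(list), defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)
        if ev["type"] == "ProcessCreate":
            children[ev["ppid"]].append(ev)
    alerts = []
    for pid, evs in by_pid.items():
        fetches = [e for e in evs if raw_ip_http(e)]
        drops = [e for e in evs if unusual_driver_drop(e)]
        loaders = [c for c in children[pid] if loader_with_driver_arg(c)]
        if not (fetches and drops and loaders):
            continue
        if drops[0]["t"] - fetches[0]["t"] > window:
            continue
        alerts.append({
            "pid": pid, "image": evs[0]["image"], "c2": fetches[0]["dst_ip"],
            "driver": drops[0]["target"], "loader_cmd": loaders[0]["cmdline"],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_chain(EVENTS):
        print(alert)
```

Each of the three predicates is also useful on its own: a .sys landing outside C:\Windows\System32\drivers\ from a user-writable process is rare enough on a workstation to page on by itself, and the cmd.exe pattern catches the loader even when the download happened in an earlier session.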
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AB0138 OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,CloseClipboard, 0_2_00007FF764AB0138
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AA8FE8 OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,memcpy,GlobalUnlock,CloseClipboard, 0_2_00007FF764AA8FE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AED61C memset,PeekMessageA,TranslateMessage,DispatchMessageA,GetForegroundWindow,GetWindow,SetWindowPos,GetAsyncKeyState,exit,memset,memset,GetClientRect,ClientToScreen,GetCursorPos,GetAsyncKeyState,SetWindowPos,DestroyWindow, 0_2_00007FF764AED61C
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AC07C8 GetClientRect,QueryPerformanceCounter,GetKeyState,GetKeyState,GetKeyState,ClientToScreen,SetCursorPos,GetActiveWindow,GetCursorPos,ScreenToClient, 0_2_00007FF764AC07C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B4F120 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext, 0_2_00007FF764B4F120
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AE83BC: DeviceIoControl, 0_2_00007FF764AE83BC
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B2C5EC 0_2_00007FF764B2C5EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B2C5F5 0_2_00007FF764B2C5F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764ACE600 0_2_00007FF764ACE600
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B2C52D 0_2_00007FF764B2C52D
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764ABE6B8 0_2_00007FF764ABE6B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AB67DC 0_2_00007FF764AB67DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B16760 0_2_00007FF764B16760
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764ABC898 0_2_00007FF764ABC898
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AC48F8 0_2_00007FF764AC48F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B42860 0_2_00007FF764B42860
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AFC1C0 0_2_00007FF764AFC1C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AF21DC 0_2_00007FF764AF21DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AF22CA 0_2_00007FF764AF22CA
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AC429C 0_2_00007FF764AC429C
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B2A2B0 0_2_00007FF764B2A2B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B36E10 0_2_00007FF764B36E10
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AECD18 0_2_00007FF764AECD18
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B24E80 0_2_00007FF764B24E80
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AF6E60 0_2_00007FF764AF6E60
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764ABCF3C 0_2_00007FF764ABCF3C
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AC6F7C 0_2_00007FF764AC6F7C
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764ABB0B4 0_2_00007FF764ABB0B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AC309C 0_2_00007FF764AC309C
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AC1090 0_2_00007FF764AC1090
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B1B040 0_2_00007FF764B1B040
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AFA9D0 0_2_00007FF764AFA9D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B2E9F0 0_2_00007FF764B2E9F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AD69DC 0_2_00007FF764AD69DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B1CAA0 0_2_00007FF764B1CAA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764ACABCC 0_2_00007FF764ACABCC
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AF6BB0 0_2_00007FF764AF6BB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AF8C40 0_2_00007FF764AF8C40
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AC55A0 0_2_00007FF764AC55A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B03545 0_2_00007FF764B03545
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AF3533 0_2_00007FF764AF3533
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764ABF698 0_2_00007FF764ABF698
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AED61C 0_2_00007FF764AED61C
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B3F640 0_2_00007FF764B3F640
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AE765C 0_2_00007FF764AE765C
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AC1804 0_2_00007FF764AC1804
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AAD8AC 0_2_00007FF764AAD8AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AF7900 0_2_00007FF764AF7900
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AB5828 0_2_00007FF764AB5828
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B43890 0_2_00007FF764B43890
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AFD860 0_2_00007FF764AFD860
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B511A0 0_2_00007FF764B511A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B4F120 0_2_00007FF764B4F120
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764ABD2CC 0_2_00007FF764ABD2CC
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764ACF2F8 0_2_00007FF764ACF2F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AF340E 0_2_00007FF764AF340E
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AFD390 0_2_00007FF764AFD390
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AA34BC 0_2_00007FF764AA34BC
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AC1420 0_2_00007FF764AC1420
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AF7490 0_2_00007FF764AF7490
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B47DB0 0_2_00007FF764B47DB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AE9D2C 0_2_00007FF764AE9D2C
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AC7E50 0_2_00007FF764AC7E50
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764ABFE50 0_2_00007FF764ABFE50
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AC2000 0_2_00007FF764AC2000
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764ACDF7C 0_2_00007FF764ACDF7C
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B080D0 0_2_00007FF764B080D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B279D0 0_2_00007FF764B279D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B3B940 0_2_00007FF764B3B940
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AC7AB0 0_2_00007FF764AC7AB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B13A30 0_2_00007FF764B13A30
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B21B80 0_2_00007FF764B21B80
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AF9B20 0_2_00007FF764AF9B20
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B19D00 0_2_00007FF764B19D00
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B1BC60 0_2_00007FF764B1BC60
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AF7C40 0_2_00007FF764AF7C40
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AC1C18 0_2_00007FF764AC1C18
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: String function: 00007FF764B07640 appears 46 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: String function: 00007FF764B03C70 appears 49 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: String function: 00007FF764B1C070 appears 31 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: String function: 00007FF764B07710 appears 36 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: String function: 00007FF764AD8E18 appears 69 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: String function: 00007FF764B1C150 appears 33 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: String function: 00007FF764B18CF0 appears 381 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: String function: 00007FF764B528EC appears 49 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: String function: 00007FF764B13670 appears 70 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: String function: 00007FF764B18E70 appears 321 times
Source: classification engine Classification label: mal76.evad.winEXE@2/0@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B02710 GetLastError,_errno,FormatMessageA,strchr,strncpy,_errno,_errno,GetLastError,SetLastError, 0_2_00007FF764B02710
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AE8444 CreateToolhelp32Snapshot,Process32First,lstrcmpiA,CloseHandle,Process32Next,CloseHandle, 0_2_00007FF764AE8444
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7492:120:WilError_03
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectory00
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Section loaded: d3d9.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Section loaded: d3dx9_43.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Section loaded: wldp.dll
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B1B940 GetModuleHandleA,GetProcAddress,strpbrk,LoadLibraryA,GetProcAddress,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA, 0_2_00007FF764B1B940
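The "Code function" lines above are the most useful static evidence in this report: each gives a function address and the ordered list of imports it calls, which is enough to group the sample's capabilities by function without opening it in a disassembler. The following Python is an added example, not part of the Joe Sandbox report or of the sample, that parses lines in this format into per-function API sequences, maps them to capability tags, and decodes the 424D53FFh immediate at 0_2_00007FF764B3AF20 to show why that store is flagged as an SMB header. The capability table is the editor's own; the input lines are copied from this report with the file path shortened.

```python
import re
from collections import defaultdict

# Constructed input: "Code function" lines copied from this report (path
# shortened for readability).
REPORT_LINES = r"""
Source: C:\sample.exe Code function: 0_2_00007FF764B2B8F0 memset,CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 0_2_00007FF764B2B8F0
Source: C:\sample.exe Code function: 0_2_00007FF764B4F120 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext, 0_2_00007FF764B4F120
Source: C:\sample.exe Code function: 0_2_00007FF764AE9AF4 Concurrency::details::WorkQueue::IsStructuredEmpty,URLDownloadToFileA,system,system, 0_2_00007FF764AE9AF4
Source: C:\sample.exe Code function: 0_2_00007FF764AA8FE8 OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,memcpy,GlobalUnlock,CloseClipboard, 0_2_00007FF764AA8FE8
Source: C:\sample.exe Code function: 0_2_00007FF764AC07C8 GetClientRect,QueryPerformanceCounter,GetKeyState,GetKeyState,GetKeyState,ClientToScreen,SetCursorPos,GetActiveWindow,GetCursorPos,ScreenToClient, 0_2_00007FF764AC07C8
Source: C:\sample.exe Code function: 0_2_00007FF764AE8444 CreateToolhelp32Snapshot,Process32First,lstrcmpiA,CloseHandle,Process32Next,CloseHandle, 0_2_00007FF764AE8444
Source: C:\sample.exe Code function: 0_2_00007FF764B1B940 GetModuleHandleA,GetProcAddress,strpbrk,LoadLibraryA,GetProcAddress,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA, 0_2_00007FF764B1B940
Source: C:\sample.exe Code function: 0_2_00007FF764AE83BC: DeviceIoControl, 0_2_00007FF764AE83BC
Source: C:\sample.exe Code function: 0_2_00007FF764B52798 GetLastError,IsDebuggerPresent,OutputDebugStringW, 0_2_00007FF764B52798
"""

# Address, optional stray colon, comma-separated calls, trailing copy of the address.
LINE_RE = re.compile(
    r"Code function: (?P<addr>\d+_\d+_[0-9A-Fa-f]+):?\s+(?P<calls>.*?),?\s+(?P=addr)\s*$"
)

# (tag, all of these must be present, at least one of these must be present)
CAPABILITIES = [
    ("hashing (CryptoAPI)", {"CryptCreateHash", "CryptHashData", "CryptGetHashParam"}, set()),
    ("encryption with imported key (CryptoAPI)", {"CryptImportKey", "CryptEncrypt"}, set()),
    ("download-and-execute", {"URLDownloadToFileA"}, {"system", "ShellExecuteA", "CreateProcessA"}),
    ("clipboard read", {"OpenClipboard", "GetClipboardData"}, set()),
    ("clipboard write", {"OpenClipboard", "SetClipboardData"}, set()),
    ("keystroke polling", set(), {"GetKeyState", "GetAsyncKeyState"}),
    ("process enumeration", {"CreateToolhelp32Snapshot", "Process32First"}, set()),
    ("dynamic API resolution", {"GetProcAddress"}, {"LoadLibraryA", "LoadLibraryW", "GetModuleHandleA"}),
    ("driver communication", {"DeviceIoControl"}, set()),
    ("debugger check", set(), {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"}),
]


def parse_code_functions(text):
    """Return {address: [api, api, ...]} in report order."""
    funcs = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        calls = [c.strip() for c in m.group("calls").split(",") if c.strip()]
        funcs[m.group("addr")] = calls
    return funcs


def tag_function(calls):
    seen = set(calls)
    tags = [tag for tag, all_of, any_of in CAPABILITIES
            if all_of <= seen and (not any_of or any_of & seen)]
    # Two CryptGetHashParam calls back to back is the HP_HASHSIZE-then-HP_HASHVAL
    # idiom: ask for the digest length, then read the digest bytes.
    if calls.count("CryptGetHashParam") >= 2:
        tags.append("digest retrieval (size+value)")
    return tags


def summarize(text):
    """{capability tag: [addresses]}: the view an analyst wants first."""
    by_tag = defaultdict(list)
    for addr, calls in parse_code_functions(text).items():
        for tag in tag_function(calls):
            by_tag[tag].append(addr)
    return dict(by_tag)


def decode_imm32(imm):
    """Show a 32-bit immediate as the bytes it writes to memory (little-endian).
    424D53FFh from 0_2_00007FF764B3AF20 becomes b'\\xffSMB', the protocol ID
    that opens every SMB1 header."""
    return imm.to_bytes(4, "little")


if __name__ == "__main__":
    for tag, addrs in summarize(REPORT_LINES).items():
        print(f"{tag:42s} {', '.join(addrs)}")
    print(decode_imm32(0x424D53FF))
```

The tag table is deliberately conservative (every entry needs the full call set), so a function that only calls OpenClipboard is not tagged at all; loosen it per case rather than globally, since a false "keylogger" tag on a GUI input loop is exactly the kind of thing that inflates a score like the 76 above.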

Malware Analysis System Evasion

Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe Binary or memory string: PROCESSHACKER.EXE
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe Binary or memory string: PROCMON.EXE
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe Binary or memory string: IDAG.EXE
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe Binary or memory string: OLLYDBG.EXE
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe Binary or memory string: PEID.EXE
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe Binary or memory string: X64DBG.EXE
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe Binary or memory string: REGMON.EXE
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe Binary or memory string: NTUSERSENDINPUTWIN32UNTUSERSENDINPUTUSER32SENDINPUTUSER32NTUSERGETASYNCKEYSTATEWIN32UNTUSERGETASYNCKEYSTATEUSER32GETASYNCKEYSTATEUSER32.EXE0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ\\.\ONKZAOOBRABOLEFT MOUSE BUTTONRIGHT MOUSE BUTTONMIDDLE MOUSE BUTTONMOUSE SIDE 1MOUSE SIDE 2CONTROL-BREAK PROCESSINGBACKSPACETABCLEARENTERSHIFTCTRLALTCAPS LOCKESCSPACE0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZNUMPAD 0NUMPAD 1NUMPAD 2NUMPAD 3NUMPAD 4NUMPAD 5NUMPAD 6NUMPAD 7NUMPAD 8NUMPAD 9MULTIPLYHEADNECKCHESTPELVISINFNAN(IND)NANNAN(SNAN)INFNAN(IND)NANNAN(SNAN)INFNAN(IND)NANNAN(SNAN)/C CMD.EXEINFNAN(IND)NANNAN(SNAN)INFNAN(IND)NANNAN(SNAN)12INFNAN(IND)NANNAN(SNAN)ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789TASKMGR.EXETASKMGR.EXEDIEC.EXEDWNEJFE.EXEWIN64.EXENFSYSTEMINFORMER.EXEINITYPROCESSHACKER.EXEFILEALYZER2.EXERESOURCEHACKER.EXEDEPENDS.EXEPEXPLORER.EXEDIEL.EXEDIE.EXEPPEE.EXEPE-BEAR.EXELORDPE.EXEANPEID.EXEWIRESHARK.EXETCPVIEW.EXEINDPROCEXP64.EXESNANPROCEXP.EXEREGMON.EXEFILEMON.EXEPROCMON.EXESCYLLA_X86.EXESCYLLA_X64.EXEOLLYDUMPEX_SA64.EXEOLLYDUMPEX_SA32.EXEHXD.EXEIMMUNITYDEBUGGER.EXEIMMUNITYDEBUGGER.EXEWINDBG.EXEIDAQ.EXEIDAW.EXEIDAG.EXEX96DBG.EXEX64DBG.EXEX32DBG.EXEOLLYDBG.EXEIDA64.EXEDOTPEEK64.EXEIDA32.EXEIDA.EXERECLASS.NET.EXERECLASS.EXEHEYRAYS.EXELIGHTHOUSE.EXECHEATENGINE-X86_64.EXECLASSINFORMER.EXEIDA-X86EMU.EXECFFEXPLORER.EXEWINHEX.EXEHIEW.EXEFIDDLER.EXEHTTPDEBUGGER.EXEHTTPDEBUGGERPRO.EXESCYLLA.EXECHEAT ENGINE.EXEDNSPY.EXEDNSPY.CONSOLE.EXEHTTP://185.101.104.92/MAPP.EXEC:\WINDOWS\SYSTEM\MAPP.EXEHTTP://185.101.104.92/FUCK1.SYSC:\WINDOWS\SYSTEM\FUCK1.SYSCD C:\START C:\WINDOWS\SYSTEM\MAPP.EXE C:\WINDOWS\SYSTEM\FUCK1.SYS0E+00NFINITYANINDSNAN0E+000P+0LEFT MOUSERIGHT MOUSECANCELMIDDLE MOUSEMOUSE 50P+0MOUSE 4BACKSPACETABCLEARENTERSHIFTCONTROLALTPAUSECAPSESCAPESPACEPAGE UPPAGE DOWNENDHOMELEFTUPRIGHTDOWNPRINTINSERTDELETE0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZNUMPAD 0NUMPAD 
1NUMPAD 2NUMPAD 3NUMPAD 4NUMPAD 5NUMPAD 6NUMPAD 7NUMPAD 8NUMPAD 9MULTIPLYADDSUBTRACTDECIMALDIVIDEF1F2F3F4F5F6F7F8F9F10F11F12LEFT MOUSERIGHT MOUSECANCELMIDDLE MOUSEMOUSE 5MOUSE 4BACKSPACETABCLEARENTERSHIFTCONTROLALTPAUSECAPSESCAPESPACEPAGE UPPAGE DOWNENDHOMELEFTUPRIGHTDOWNPRINTINSERTDELETE0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZNUMPAD 0NUMPAD 1NUMPAD 2NUMPAD 3NUMPAD 4NUMPAD 5NUMPAD 6NUMPAD 7NUMPAD 8NUMPAD 9MULTIPLYADDSUBTRACTDECIMALDIVIDEF1F2F3F4F5F6F7F8F9F10F11F12LEFT MOUSERIGHT MOUSECANCELMIDDLE MOUSEMOUSE 5MOUSE 4BACKSPACETABCLEARENTERSHIFTCONTROLALTPAUSECAPSESCAPESPACEPAGE UPPAGE DOWNENDHOMELEFTUPRIGHTDOWNPRINTINSERTDELETE01234567
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe Binary or memory string: WINDBG.EXE
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe Binary or memory string: FIDDLER.EXE
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe Binary or memory string: IDAQ.EXE
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe Binary or memory string: WIRESHARK.EXE
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe Binary or memory string: FILEMON.EXE
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe Binary or memory string: DbgviewClassprotection_ididaqidaq64ida64ida32syserlordpecaptainhookhooksharkfakenetwindsocktcpviewwinhexfilemonregmonsofticevmwarevirtualboxwineqemubochscodeveinresourcehackerreshackerBluestacksAnti-debugging testntdll.dllNtQueryInformationProcess\\.\CEDRIVER72\\.\x64dbgntdll.dllNtRaiseHardErrorBSOD triggered successfully.
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B52798 GetLastError,IsDebuggerPresent,OutputDebugStringW, 0_2_00007FF764B52798
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B1B940 GetModuleHandleA,GetProcAddress,strpbrk,LoadLibraryA,GetProcAddress,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA, 0_2_00007FF764B1B940
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B067D0 GetProcessHeap, 0_2_00007FF764B067D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B522D8 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF764B522D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B5247C SetUnhandledExceptionFilter, 0_2_00007FF764B5247C
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B52020 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF764B52020
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764AE765C mouse_event, 0_2_00007FF764AE765C
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.8697.17037.exe Code function: 0_2_00007FF764B52528 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF764B52528
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe, SecuriteInfo.com.FileRepMalware.8697.17037.exe, 00000000.00000000.1652411390.00007FF764B56000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.8697.17037.exe, 00000000.00000002.2913738861.00007FF764B57000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: procmon.exe
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe, SecuriteInfo.com.FileRepMalware.8697.17037.exe, 00000000.00000000.1652411390.00007FF764B56000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.8697.17037.exe, 00000000.00000002.2913738861.00007FF764B57000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OLLYDBG.exe
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe, SecuriteInfo.com.FileRepMalware.8697.17037.exe, 00000000.00000000.1652411390.00007FF764B56000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.8697.17037.exe, 00000000.00000002.2913738861.00007FF764B57000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: wireshark.exe
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe, SecuriteInfo.com.FileRepMalware.8697.17037.exe, 00000000.00000000.1652411390.00007FF764B56000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.8697.17037.exe, 00000000.00000002.2913738861.00007FF764B57000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: procexp.exe
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe, SecuriteInfo.com.FileRepMalware.8697.17037.exe, 00000000.00000000.1652411390.00007FF764B56000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.8697.17037.exe, 00000000.00000002.2913738861.00007FF764B57000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: LordPE.exe
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe, SecuriteInfo.com.FileRepMalware.8697.17037.exe, 00000000.00000000.1652411390.00007FF764B56000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.8697.17037.exe, 00000000.00000002.2913738861.00007FF764B57000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: Tcpview.exe
Source: SecuriteInfo.com.FileRepMalware.8697.17037.exe, SecuriteInfo.com.FileRepMalware.8697.17037.exe, 00000000.00000000.1652411390.00007FF764B56000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.8697.17037.exe, 00000000.00000002.2913738861.00007FF764B57000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: regmon.exe
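The process names listed in this section are the sample's blocklist. The loop at 0_2_00007FF764AE8444 (CreateToolhelp32Snapshot, Process32First, lstrcmpiA, Process32Next) compares every running image name against it, and the same string blob names a window class (DbgviewClass), device objects (\\.\CEDRIVER72, \\.\x64dbg) and NtRaiseHardError next to the text "BSOD triggered successfully". The following Python is an added example, not the sample's code or the report's, that reproduces the three checks over constructed host snapshots. The blocklist entries are copied from the strings in this report; the snapshots are invented, and which names the sample actually opens with CreateFile is inferred from the strings alone.

```python
# Process image names the sample compares against, copied from the strings in
# this section; window-class and device names come from the same string blob.
PROCESS_BLOCKLIST = [
    "processhacker.exe", "procmon.exe", "procexp.exe", "procexp64.exe",
    "regmon.exe", "filemon.exe", "tcpview.exe", "wireshark.exe", "fiddler.exe",
    "httpdebugger.exe", "ollydbg.exe", "x64dbg.exe", "x32dbg.exe", "x96dbg.exe",
    "windbg.exe", "immunitydebugger.exe", "idaq.exe", "idag.exe", "ida64.exe",
    "dnspy.exe", "scylla.exe", "lordpe.exe", "peid.exe", "pe-bear.exe", "hxd.exe",
    "cheatengine-x86_64.exe", "reclass.net.exe", "taskmgr.exe",
]
WINDOW_CLASS_BLOCKLIST = ["DbgviewClass"]
DEVICE_BLOCKLIST = ["\\\\.\\CEDRIVER72", "\\\\.\\x64dbg"]


def lstrcmpi_equal(a, b):
    """lstrcmpiA semantics: case-insensitive, whole-string equality. Substring
    matches do not count, which is what makes renaming a tool effective."""
    return a.casefold() == b.casefold()


def _hits(candidates, blocklist):
    return [c for c in candidates if any(lstrcmpi_equal(c, bad) for bad in blocklist)]


def scan_processes(running_images):
    """The Toolhelp32 walk: each szExeFile from Process32First/Next is compared
    against every blocklist entry."""
    return _hits(running_images, PROCESS_BLOCKLIST)


def scan_window_classes(classes):
    """FindWindow-style check by window class name; closing the tool, not
    renaming it, is what clears this one."""
    return _hits(classes, WINDOW_CLASS_BLOCKLIST)


def scan_devices(openable_devices):
    """CreateFile on a \\\\.\\ device name succeeds only while the owning driver
    is loaded; `openable_devices` stands in for the names that would open on
    the host (constructed input, since this runs nowhere near a kernel)."""
    return _hits(openable_devices, DEVICE_BLOCKLIST)


def analysis_tools_present(snapshot):
    """All three checks at once. Any non-empty list is a detection, and the
    NtRaiseHardError / 'BSOD triggered successfully' strings suggest the
    sample's reaction is a hard error rather than a quiet exit."""
    return {
        "processes": scan_processes(snapshot.get("processes", [])),
        "window_classes": scan_window_classes(snapshot.get("window_classes", [])),
        "devices": scan_devices(snapshot.get("devices", [])),
    }


def is_detected(snapshot):
    return any(analysis_tools_present(snapshot).values())


# Constructed host snapshots (not from the sandbox run).
NOISY_LAB = {
    "processes": ["explorer.exe", "X64DBG.EXE", "Wireshark.exe", "notepad.exe"],
    "window_classes": ["Shell_TrayWnd", "DbgviewClass"],
    "devices": ["\\\\.\\CEDRIVER72"],
}
QUIET_LAB = {  # same tools with renamed binaries, DebugView closed, no CE driver
    "processes": ["explorer.exe", "dbg.exe", "ws.exe", "notepad.exe"],
    "window_classes": ["Shell_TrayWnd"],
    "devices": [],
}

if __name__ == "__main__":
    print(analysis_tools_present(NOISY_LAB))
    print("quiet lab detected:", is_detected(QUIET_LAB))
```

Two practical consequences for anyone re-running this sample: rename the debugger and sniffer binaries before launching it, since the comparison is exact after case folding, and take a VM snapshot first, because the strings promise a bugcheck rather than an exit when a tool is found. Note also that the sample went idle in this run ("Program does not show much activity"), so a clean snapshot does not by itself guarantee the download chain will fire.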
No contacted IP infos