Windows Analysis Report
SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe
Analysis ID: 1501345
MD5: 88783a57777926114b5c5c95af4c943c
SHA1: 6f57492bd78ebc3c3900919e08e039fbc032268a
SHA256: 94132d9dde2b730f4800ee383ddaa63d2e2f92264f07218295d2c5755a414b6a
Tags: exe
Infos:

Detection

Score: 42
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to query network adapter information
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe ReversingLabs: Detection: 23%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 84.9% probability
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Static PE information: certificate valid
Source: global traffic HTTP traffic detected: GET /pc_game_ly.php?lm=9377ly&rnd=960.9796 HTTP/1.1Accept: */*Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: client.9377.comConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /pc_game_ly.php?lm=9377ly&rnd=960.9796 HTTP/1.1Accept: */*Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: client.9377.comConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: client.9377.com
Source: global traffic DNS traffic detected: DNS query: www.y2126.com
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000059D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://app.9377.com/api/ly_client_button.php?
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000058C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://bbs.9377.com/forum-277-1.html
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2694154198.0000000003B2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://client.9377.com/pc_game_ly.php
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000058C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://client.9377.com/pc_game_ly.php?lm=
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2690956172.0000000000191000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://client.9377.com/pc_game_ly.php?lm=9377ly&rnd=960.
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2694154198.0000000003B10000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2696024851.00000000043D8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000059D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://client.9377.com/pc_game_ly.php?lm=9377ly&rnd=960.9796
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.0000000000612000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://client.9377.com/pc_game_ly.php?lm=9377ly&rnd=960.9796$
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000059D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://client.9377.com/pc_game_ly.php?lm=9377ly&rnd=960.9796...terfaced=960.979688.com/pay/recharge?
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000058C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://client.9377.com/pc_game_ly.php?lm=9377ly&rnd=960.9796Zt
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.0000000000612000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000059D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://client.9377.com/pc_game_ly.php?lm=9377ly&rnd=960.9796d
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000058C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://client.9377.com/pc_game_ly.php?lm=9377ly&rnd=960.9796ju
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2694154198.0000000003B10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://client.9377.com/pc_game_ly.php?lm=9377ly&rnd=960.9796kcl
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691138467.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://client.9377.com/pc_game_ly.php?lm=Rhttp://www.9377.com/pay_index.php?game=lyHhttp://bbs.9377.
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691138467.0000000000401000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000059D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ly.9377.com/
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe String found in binary or memory: http://w.w3.
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000059D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.1188.com/guanwang/ly
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000059D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.1188.com/pay/recharge?gid=
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000059D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.1188.com/pay/recharge?gid=5
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000059D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.1188.com/pay/recharge?gid=5&server=
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe String found in binary or memory: http://www.9377.com/kefu.html
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.0000000000584000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.9377.com/kefu.html)F
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000059D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.9377.com/pay_index.php?game=ly
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2694154198.0000000003BB0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.y2126.com/
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691138467.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.y2126.com/9377ly.asp?short=1&t=
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000059D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2694154198.0000000003B9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.y2126.com/9377ly.asp?short=1&t=17.40229&id=004F0049004D004D0082008F0092005B00590043005C00
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.000000000059D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.y2126.com/9377ly.asp?short=1&t=17.40229rt
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691931688.0000000000612000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.y2126.com/ckground_gradient.jpgjqW
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2694154198.0000000003B2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.comt
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Static PE information: Resource name: IMG type: DOS executable (COM)
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000000.1439677149.0000000000513000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamelh15_ly.exe vs SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691849808.0000000000513000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamelh15_ly.exe vs SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Binary or memory string: OriginalFilenamelh15_ly.exe vs SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal42.winEXE@1/10@3/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\http_400_webOC[1]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Mutant created: NULL
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe File created: C:\Users\user~1\AppData\Local\Temp\~DFDBEA2E7E2544A31B.TMP
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe ReversingLabs: Detection: 23%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: msvbvm60.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: vb6zz.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: vb6chs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: vb6chs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: dataexchange.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: dcomp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: mlang.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: msiso.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: jscript.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: mshtml.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: srpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: msimtf.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: jscript9.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: d2d1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Static PE information: certificate valid
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Code function: 0_2_004015E8 pushad ; retf 0_2_004015E9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Code function: 0_2_0046525E pushad ; iretd 0_2_00465266
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Memory allocated: 43B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Memory allocated: 52C0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Memory allocated: 5440000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Memory allocated: 54C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Memory allocated: 9840000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Code function: GetAdaptersInfo,GetAdaptersInfo, 0_2_004A1840
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Code function: GetAdaptersInfo, 0_2_0046AA0C
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2694154198.0000000003B10000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW A
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2694154198.0000000003B4A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWE
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2694154198.0000000003B4A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Memory allocated: page read and write | page guard
Source: SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe, 00000000.00000002.2691138467.0000000000401000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.5391.13115.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation