Windows Analysis Report
SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe
Analysis ID: 1521676
MD5: 3674835c0c82ee1f923b55574318e79d
SHA1: 12a29e3f9c2660f579d8cba90fdbccb88c8caab5
SHA256: efd1d58d3d6994e5c1b908368d6780b7afab279bbfc71222ff4008236dd2a6d7
Tags: exe
Infos:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Drops PE files with benign system names
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Potentially malicious time measurement code found
Query firmware table information (likely to detect VMs)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Tries to detect debuggers (CloseHandle check)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe ReversingLabs: Detection: 42%
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Virustotal: Detection: 47% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 96.4% probability
Machine Learning detection for sample
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\A\34\b\bin\amd64\_sqlite3.pdb source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4687655448.00007FFDA3A8B000.00000002.00000001.01000000.0000001B.sdmp
Source: Binary string: C:\A\34\b\bin\amd64\python39.pdb source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C01F6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4684451044.00007FFD94659000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\A\34\b\bin\amd64\select.pdb source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C01F6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4688506089.00007FFDA5494000.00000002.00000001.01000000.00000009.sdmp, select.pyd.0.dr
Source: Binary string: C:\A\34\b\bin\amd64\_lzma.pdbMM source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4686897906.00007FFDA332D000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: C:\A\34\b\bin\amd64\_bz2.pdb source: svchost.exe, 00000002.00000002.4688035561.00007FFDA416F000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\Users\runneradmin\AppData\Local\Temp\pip-req-build-mijilod8\src\rust\target\release\deps\cryptography_rust.pdbo source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C0800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4683233764.00007FFD93D09000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: C:\A\34\b\bin\amd64\sqlite3.pdb source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C01F6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4682410994.00007FFD93548000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: k1k2k3X9_62_PENTANOMIALp.otherp.onBasisp.tpBasisp.ppBasismX9_62_CHARACTERISTIC_TWOp.primep.char_twofieldTypeX9_62_FIELDIDabX9_62_CURVEfieldIDcurvebaseordercofactorECPARAMETERSvalue.named_curvevalue.parametersvalue.implicitlyCAECPKPARAMETERSprivateKeyparameterspublicKeyEC_PRIVATEKEYec_asn1_group2fieldidcrypto\ec\ec_asn1.cec_asn1_group2curveEC_GROUP_get_ecparametersEC_GROUP_get_ecpkparametersEC_GROUP_new_from_ecparametersEC_GROUP_new_from_ecpkparametersi2d_ECPKParametersd2i_ECPrivateKeyi2d_ECPrivateKeyi2d_ECParametersd2i_ECParameterso2i_ECPublicKeyi2o_ECPublicKeyossl_ec_group_new_excrypto\ec\ec_lib.cEC_GROUP_copyEC_GROUP_set_generatorEC_GROUP_set_curveEC_GROUP_get_curveEC_GROUP_get_degreeEC_GROUP_check_discriminantEC_POINT_newEC_POINT_copyEC_POINT_set_to_infinityEC_POINT_set_Jprojective_coordinates_GFpEC_POINT_set_affine_coordinatesEC_POINT_get_affine_coordinatesEC_POINT_addEC_POINT_dblEC_POINT_invertEC_POINT_is_at_infinityEC_POINT_is_on_curveEC_POINT_cmpEC_POINT_mulEC_GROUP_get_trinomial_basisEC_GROUP_get_pentanomial_basisgroup_new_from_nameossl_ec_group_set_paramsencodingdecoded-from-explicitEC_GROUP_new_from_paramsgeneratorcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"3.2.1built on: Fri May 3 00:14:50 2024 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files\Common Files\SSL"userSDIR: "C:\Program Files\OpenSSL\lib\users-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availablecrypto\init.cOPENSSL_init_cryptocrypto\bio\bio_lib.cBIO_new_exbio_read_internbio_write_internBIO_sendmmsgBIO_recvmmsgBIO_putsBIO_getsBIO_get_line BIO_ctrlBIO_callback_ctrlBIO_find_type source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C0800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4683233764.00007FFD93D09000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: C:\A\34\b\bin\amd64\_hashlib.pdb source: svchost.exe, 00000002.00000002.4688128846.00007FFDA4338000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: C:\A\6\b\libssl-1_1.pdb?? source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFE59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4687352279.00007FFDA3474000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: C:\Users\runneradmin\AppData\Local\Temp\pip-req-build-mijilod8\src\rust\target\release\deps\cryptography_rust.pdb source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C0800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4683233764.00007FFD93D09000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFCE7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4684039906.00007FFD94228000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: C:\A\34\b\bin\amd64\_socket.pdb source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4688416581.00007FFDA5469000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: C:\A\34\b\bin\amd64\_ctypes.pdb source: svchost.exe, 00000002.00000002.4685395414.00007FFD9DED2000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: C:\A\34\b\bin\amd64\_lzma.pdb source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4686897906.00007FFDA332D000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: C:\A\34\b\bin\amd64\_asyncio.pdb source: svchost.exe, 00000002.00000002.4687751049.00007FFDA3AE7000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: C:\A\34\b\bin\amd64\python3.pdb source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFE59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4688200266.00007FFDA4632000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C0800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4683233764.00007FFD93D09000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: C:\A\34\b\bin\amd64\pyexpat.pdb source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFE59000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\34\b\bin\amd64\_ssl.pdb source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4687507904.00007FFDA34BD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\A\6\b\libcrypto-1_1.pdb source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFD68000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a01\_work\26\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C0597000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4688595137.00007FFDA54F1000.00000002.00000001.01000000.00000007.sdmp, vcruntime140.dll.0.dr
Source: Binary string: C:\A\34\b\bin\amd64\_overlapped.pdb source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4687934699.00007FFDA3FD6000.00000002.00000001.01000000.00000019.sdmp
Source: Binary string: ossl_ec_GFp_simple_group_set_curvecrypto\ec\ecp_smpl.cossl_ec_GFp_simple_group_check_discriminantossl_ec_GFp_simple_point_set_affine_coordinatesossl_ec_GFp_simple_point_get_affine_coordinatesossl_ec_GFp_simple_make_affineossl_ec_GFp_simple_points_make_affineossl_ec_GFp_simple_field_invossl_ec_GFp_simple_blind_coordinatescompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specific.dllCPUINFO: crypto\initthread.cOPENSSL_ia32cap source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C0800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4683233764.00007FFD93D09000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: C:\A\34\b\bin\amd64\_multiprocessing.pdb source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFA2B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1k 25 Mar 2021built on: Tue Apr 6 11:26:02 2021 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"userSDIR: "C:\Program Files\OpenSSL\lib\users-1_1"not available source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFCE7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4684039906.00007FFD94228000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: C:\A\6\b\libssl-1_1.pdb source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFE59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4687352279.00007FFDA3474000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: C:\A\34\b\bin\amd64\_queue.pdb source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4688327013.00007FFDA4DA3000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: C:\A\34\b\bin\amd64\unicodedata.pdb source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C0597000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4683534464.00007FFD93FCB000.00000002.00000001.01000000.00000012.sdmp
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93FE4480 _errno,malloc,_errno,memset,MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,free,_errno,FindFirstFileW,_errno,FindNextFileW,WideCharToMultiByte, 2_2_00007FFD93FE4480

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Network Connect: 104.26.3.16 443 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Network Connect: 172.67.75.40 443 Jump to behavior
Connects to a pastebin service (likely for C&C)
Source: unknown DNS query: name: rentry.co
Source: unknown DNS query: name: rentry.co
Source: unknown DNS query: name: rentry.co
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.26.3.16 104.26.3.16
Source: Joe Sandbox View IP Address: 172.67.75.40 172.67.75.40
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: rentry.co
Source: svchost.exe, 00000002.00000002.4676778704.000001A6B8040000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://.../back.jpeg
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000002.00000002.4678290201.000001A6B8A16000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4677342630.000001A6B83B8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4676285932.000001A6B6EC2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4677410902.000001A6B83EE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4677041306.000001A6B820B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://blog.cryptographyusering.com/2012/05/how-to-choose-authenticated-encryption.html
Source: svchost.exe, 00000002.00000002.4677529532.000001A6B84A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://bugs.python.org/issue23606)
Source: svchost.exe, 00000002.00000002.4677529532.000001A6B84A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://bugs.python.org/issue23606)H
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFE59000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C0597000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFA2B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C01F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFDDD000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFE59000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C0597000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFA2B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C01F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFDDD000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFE59000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C0597000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFA2B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C01F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFDDD000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: svchost.exe, 00000002.00000002.4677564047.000001A6B84E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cffi.readthedocs.io/en/latest/cdef.html#ffi-cdef-limitations
Source: svchost.exe, 00000002.00000002.4677020457.000001A6B8200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4676383590.000001A6B6EE7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: svchost.exe, 00000002.00000002.4676285932.000001A6B6EC2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4675114718.000001A6B4EF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: svchost.exe, 00000002.00000002.4676285932.000001A6B6EC2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4676582300.000001A6B6F9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl
Source: svchost.exe, 00000002.00000002.4677020457.000001A6B8200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4676383590.000001A6B6EE7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl
Source: svchost.exe, 00000002.00000002.4676582300.000001A6B6F9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.securetrust.com/SGCA.crl
Source: svchost.exe, 00000002.00000002.4674909206.000001A6B4E4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: svchost.exe, 00000002.00000002.4676582300.000001A6B6F9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: svchost.exe, 00000002.00000002.4674909206.000001A6B4E4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFDDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: svchost.exe, 00000002.00000002.4676383590.000001A6B6EE7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: svchost.exe, 00000002.00000002.4676285932.000001A6B6EC2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFE59000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C0597000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFA2B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C01F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFDDD000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFE59000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C0597000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFA2B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C01F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFDDD000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFE59000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C0597000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFA2B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C01F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFDDD000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFE59000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C0597000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFA2B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C01F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFDDD000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFE59000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C0597000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFA2B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C01F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFDDD000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFE59000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C0597000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFA2B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C01F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFDDD000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFE59000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C0597000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFA2B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C01F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFDDD000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000002.00000002.4678290201.000001A6B8A16000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4677410902.000001A6B83EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/eax/eax-spec.pdf
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000002.00000002.4677342630.000001A6B83B8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4677410902.000001A6B83EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000002.00000002.4677410902.000001A6B83EE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4677041306.000001A6B820B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000002.00000002.4677212084.000001A6B82D8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4678290201.000001A6B8A16000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4680293987.000001A6B8ADE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4677758385.000001A6B87A0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4677791414.000001A6B87E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4677862776.000001A6B8860000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4677041306.000001A6B820B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000002.00000002.4676049376.000001A6B6D00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000002.00000002.4676985755.000001A6B81C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.kill
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000002.00000002.4676985755.000001A6B81C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000002.00000002.4676985755.000001A6B81C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.terminate
Source: svchost.exe, 00000002.00000002.4675246880.000001A6B4F91000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://google.com/
Source: svchost.exe, 00000002.00000002.4675246880.000001A6B4F91000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://google.com/mail/
Source: svchost.exe, 00000002.00000002.4674972129.000001A6B4E9A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4675227261.000001A6B4F80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: svchost.exe, 00000002.00000002.4675292522.000001A6B4FC5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4675246880.000001A6B4F91000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4675114718.000001A6B4EF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://json.org
Source: svchost.exe, 00000002.00000002.4675114718.000001A6B4EF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.accv.es
Source: svchost.exe, 00000002.00000002.4676285932.000001A6B6ED6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.accv.es0
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFE59000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C0597000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFA2B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C01F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFDDD000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFE59000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C0597000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFA2B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C01F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFDDD000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFE59000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C0597000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFA2B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C01F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFDDD000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFDDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.thawte.com0
Source: svchost.exe, 00000002.00000002.4684451044.00007FFD94659000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: http://python.org/dev/peps/pep-0263/
Source: svchost.exe, 00000002.00000002.4676430272.000001A6B6F27000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2289670296.000001A6B6F27000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4674563727.000001A6B46CB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://repository.swisssign.com/
Source: svchost.exe, 00000002.00000002.4674563727.000001A6B46CB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://repository.swisssign.com/0=0;
Source: svchost.exe, 00000002.00000002.4674563727.000001A6B46CB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://repository.swisssign.com/cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateNumbers
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: http://speleotrove.com/decimal/decarith.html
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4676239596.000001A6B6E45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000002.00000002.4678054135.000001A6B8A09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://tools.ietf.org/html/rfc4880
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000002.00000002.4677723984.000001A6B8760000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4677928049.000001A6B8920000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://tools.ietf.org/html/rfc5297
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4677263825.000001A6B8333000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: http://tools.ietf.org/html/rfc5869
Source: svchost.exe, 00000002.00000002.4675910879.000001A6B6BC0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFDDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFDDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFDDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000002.00000002.4679010125.000001A6B8A3B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://web.cs.ucdavis.edu/~rogaway/ocb/license.htm
Source: svchost.exe, 00000002.00000002.4676285932.000001A6B6ED6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4675114718.000001A6B4EF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: svchost.exe, 00000002.00000002.4676582300.000001A6B6F9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
Source: svchost.exe, 00000002.00000002.4676285932.000001A6B6ED6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: svchost.exe, 00000002.00000002.4676582300.000001A6B6F9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/legislacion_c.htm
Source: svchost.exe, 00000002.00000002.4676285932.000001A6B6ED6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: svchost.exe, 00000002.00000002.4676285932.000001A6B6ED6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4676582300.000001A6B6F9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es00
Source: svchost.exe, 00000002.00000002.4676285932.000001A6B6ED6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4676582300.000001A6B6F9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.cert.fnmt.es/dpcs/
Source: svchost.exe, 00000002.00000002.4676582300.000001A6B6F9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.cert.fnmt.es/dpcs/ity
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000002.00000002.4675550748.000001A6B5140000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000002.00000002.4676285932.000001A6B6EC2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4677410902.000001A6B83EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf
Source: svchost.exe, 00000002.00000002.4677723984.000001A6B8760000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.dabeaz.com/ply)
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: http://www.dabeaz.com/ply)Fz
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFE59000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C0597000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFA2B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C01F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFDDD000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: svchost.exe, 00000002.00000002.4676582300.000001A6B6F9A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4677041306.000001A6B820B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000002.00000002.4675227261.000001A6B4F80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000002.00000002.4675621632.000001A6B51E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000002.00000002.4675550748.000001A6B5140000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000002.00000002.4674972129.000001A6B4E8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.python.org/
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000002.00000002.4675427419.000001A6B5080000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.python.org/dev/peps/pep-0205/
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000002.00000002.4674761990.000001A6B4D40000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.python.org/download/releases/2.3/mro/.
Source: svchost.exe, 00000002.00000002.4674859008.000001A6B4E00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps
Source: svchost.exe, 00000002.00000002.4675114718.000001A6B4EF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000002.00000002.4679010125.000001A6B8A3B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.rfc-editor.org/info/rfc7253
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000002.00000002.4674972129.000001A6B4E8F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4680620562.000001A6B8B68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.tarsnap.com/scrypt/scrypt-slides.pdf
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000002.00000002.4676190972.000001A6B6E13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wwwsearch.sf.net/):
Source: svchost.exe, svchost.exe, 00000002.00000002.4685868335.00007FFD9F3CC000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: https://cffi.readthedocs.io/en/latest/using.html#callbacks
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: https://code.google.com/archive/p/casadebender/wikis/Win32IconImagePlugin.wiki
Source: svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: https://creativecommons.org/publicdomain/zero/1.0/
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C0800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4683233764.00007FFD93D09000.00000002.00000001.01000000.00000015.sdmp String found in binary or memory: https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file
Source: svchost.exe, 00000002.00000002.4675735473.000001A6B52A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: svchost.exe, 00000002.00000002.4675227261.000001A6B4F80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: svchost.exe, 00000002.00000002.4676813493.000001A6B8080000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/psf/requests/pull/6710
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C0800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4683233764.00007FFD93D09000.00000002.00000001.01000000.00000015.sdmp String found in binary or memory: https://github.com/pyca/cryptography/issues
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C0800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4683233764.00007FFD93D09000.00000002.00000001.01000000.00000015.sdmp String found in binary or memory: https://github.com/pyca/cryptography/issues/8996
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C0800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4683233764.00007FFD93D09000.00000002.00000001.01000000.00000015.sdmp String found in binary or memory: https://github.com/pyca/cryptography/issues/9253
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: https://github.com/pypa/packagingz
Source: svchost.exe, 00000002.00000002.4677529532.000001A6B84A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/python-pillow/Pillow/
Source: svchost.exe, 00000002.00000002.4675387559.000001A6B5040000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/2168
Source: svchost.exe, 00000002.00000002.4675735473.000001A6B52A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: svchost.exe, 00000002.00000002.4674909206.000001A6B4E4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: svchost.exe, 00000002.00000002.4675946343.000001A6B6C10000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: svchost.exe, 00000002.00000002.4675387559.000001A6B5040000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/3020
Source: svchost.exe, 00000002.00000002.4675227261.000001A6B4F80000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4674930808.000001A6B4E5B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4674536073.000001A6B469A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://google.com/
Source: svchost.exe, 00000002.00000002.4674930808.000001A6B4E5B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4674536073.000001A6B469A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://google.com/mail
Source: svchost.exe, 00000002.00000002.4675246880.000001A6B4F91000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://google.com/mail/
Source: svchost.exe, 00000002.00000002.4675328115.000001A6B4FEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: svchost.exe, 00000002.00000002.4675227261.000001A6B4F80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/
Source: svchost.exe, 00000002.00000002.4675114718.000001A6B4EF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/get
Source: svchost.exe, 00000002.00000002.4674536073.000001A6B469A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/post
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000002.00000002.4674972129.000001A6B4E8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mahler:8092/site-updates.py
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000002.00000002.4678633652.000001A6B8A28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: svchost.exe, 00000002.00000002.4680785288.000001A6B8C70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4680881830.000001A6B8D00000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4674659498.000001A6B4B80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4677791414.000001A6B87E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://rentry.co/icboq6gb/raw
Source: svchost.exe, 00000002.00000002.4676813493.000001A6B8080000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4674536073.000001A6B469A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://requests.readthedocs.io
Source: svchost.exe, 00000002.00000002.4674909206.000001A6B4E4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000002.00000002.4677342630.000001A6B83B8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4677410902.000001A6B83EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc3610
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000002.00000002.4676285932.000001A6B6EC2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4677410902.000001A6B83EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc5297
Source: svchost.exe, 00000002.00000002.4675227261.000001A6B4F80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/
Source: svchost.exe, 00000002.00000002.4675946343.000001A6B6C10000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: svchost.exe, 00000002.00000002.4676778704.000001A6B8040000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#socks-proxies
Source: svchost.exe, 00000002.00000002.4675876208.000001A6B6B70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: https://web.archive.org/web/20120328125543/http://www.jpegcameras.com/libjpeg/libjpeg-3.html
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: https://web.archive.org/web/20170802060935/http://oss.sgi.com/projects/ogl-sample/registry/EXT/textu
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: https://web.archive.org/web/20240227115053/https://exiv2.org/tags.html)
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: https://www.cazabon.com
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: https://www.cazabon.com/pyCMS
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFE59000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C0597000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFA2B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C01F6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFDDD000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: https://www.ibm.com/
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000002.00000002.4680293987.000001A6B8ADE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ietf.org/rfc/rfc2898.txt
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: https://www.littlecms.com
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: https://www.mia.uni-saarland.de/Publications/gwosdek-ssvm11.pdf
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFE59000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFDD3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4687407082.00007FFDA34A9000.00000002.00000001.01000000.0000000B.sdmp, svchost.exe, 00000002.00000002.4684214168.00007FFD9431F000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: https://www.openssl.org/H
Source: svchost.exe, 00000002.00000002.4674536073.000001A6B469A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: https://www.python.org/dev/peps/pep-0506/
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BF1C1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2285229250.00007FF61544C000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: https://www.usenix.org/legacy/events/usenix99/provos/provos_html/node4.html
Source: svchost.exe, 00000002.00000002.4676582300.000001A6B6F9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wwww.certigna.fr/autorites/
Source: svchost.exe, 00000002.00000002.4676383590.000001A6B6EE7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: svchost.exe, 00000002.00000002.4674930808.000001A6B4E5B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4674536073.000001A6B469A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://yahoo.com/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50131 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown Network traffic detected: HTTP traffic on port 50085 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown Network traffic detected: HTTP traffic on port 50165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49966
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49960
Source: unknown Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50108 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50073 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49957
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50051 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50153 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 50061 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 50095 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50155 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 50143 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 50083 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown Network traffic detected: HTTP traffic on port 50121 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49987
Source: unknown Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50151 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50116 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50071 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50106
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50105
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50108
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50107
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50109
Source: unknown Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50100
Source: unknown Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50102
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50101
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50104
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50103
Source: unknown Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50128 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50117
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50116
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50119
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50118
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50111
Source: unknown Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50110
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50113
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50112
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50115
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50114
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50128
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50127
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50129
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50120
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 50093 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50122
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50121
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50124
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50123
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50126
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50125
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50048 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50106 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50081 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50046 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50118 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50163 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50057
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50061
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50060
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50063
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown Network traffic detected: HTTP traffic on port 50102 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50045 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50148 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50065
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50064
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50067
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50066
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50069
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50068
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50070
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50072
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50071
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50074
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50073
Source: unknown Network traffic detected: HTTP traffic on port 50080 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50076
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50075
Source: unknown Network traffic detected: HTTP traffic on port 50057 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50078
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50077
Source: unknown Network traffic detected: HTTP traffic on port 50114 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50079
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50081
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50080
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50083
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50082
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50085
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50084
Source: unknown Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50087
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50086
Source: unknown Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50089
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50088
Source: unknown Network traffic detected: HTTP traffic on port 50079 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50090
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50092
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50091
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50094
Source: unknown Network traffic detected: HTTP traffic on port 50136 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50093
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50096
Source: unknown Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50023 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50095
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown Network traffic detected: HTTP traffic on port 50090 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50016
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown Network traffic detected: HTTP traffic on port 50161 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50023
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50025
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50026
Source: unknown Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50021 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50030
Source: unknown Network traffic detected: HTTP traffic on port 50138 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50067 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50039
Source: unknown Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50034
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50036
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50041
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50040
Source: unknown Network traffic detected: HTTP traffic on port 50104 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50089 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50043
Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50042
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50045
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50044
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50047
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50046
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50049
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50048
Source: unknown Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50050
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50052
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50051
Source: unknown Network traffic detected: HTTP traffic on port 50126 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50122 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49958 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50077 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50134 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50053 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50099 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50156 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50043 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50100 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50065 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49940
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50098
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50097
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50099
Source: unknown Network traffic detected: HTTP traffic on port 50112 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50075 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50158 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49939
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49936
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49935
Source: unknown Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49934
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown Network traffic detected: HTTP traffic on port 50087 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown Network traffic detected: HTTP traffic on port 50008 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49971 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49936 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49929
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49928
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49925
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49924
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49923
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49921
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49920
Source: unknown Network traffic detected: HTTP traffic on port 50063 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50124 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49914 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49919
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49918
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49917
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49916
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49915
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49914
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49913

System Summary
barindex
PE file contains section with special chars
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Static PE information: section name: .@?F
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Static PE information: section name: .^@{
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD934C83A0 2_2_00007FFD934C83A0
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93481450 2_2_00007FFD93481450
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD934D0440 2_2_00007FFD934D0440
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD934BF3E0 2_2_00007FFD934BF3E0
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9348D2A0 2_2_00007FFD9348D2A0
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD934C2260 2_2_00007FFD934C2260
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93EC12C0 2_2_00007FFD93EC12C0
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93EC1890 2_2_00007FFD93EC1890
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD94218CF0 2_2_00007FFD94218CF0
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93FE11CC 2_2_00007FFD93FE11CC
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93FE5BE6 2_2_00007FFD93FE5BE6
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93FE2996 2_2_00007FFD93FE2996
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93FE30A8 2_2_00007FFD93FE30A8
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD941115C0 2_2_00007FFD941115C0
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93FE45D9 2_2_00007FFD93FE45D9
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93FE2E46 2_2_00007FFD93FE2E46
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93FE3EF9 2_2_00007FFD93FE3EF9
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93FE453E 2_2_00007FFD93FE453E
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93FE734C 2_2_00007FFD93FE734C
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93FE183E 2_2_00007FFD93FE183E
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93FE3DE1 2_2_00007FFD93FE3DE1
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93FE4025 2_2_00007FFD93FE4025
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93FE5D1C 2_2_00007FFD93FE5D1C
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93FE3751 2_2_00007FFD93FE3751
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93FE58A8 2_2_00007FFD93FE58A8
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93FE71F3 2_2_00007FFD93FE71F3
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93FE1E88 2_2_00007FFD93FE1E88
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93FE1C2B 2_2_00007FFD93FE1C2B
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD94005200 2_2_00007FFD94005200
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93FFD260 2_2_00007FFD93FFD260
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93FE24B4 2_2_00007FFD93FE24B4
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93FE5943 2_2_00007FFD93FE5943
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD94119D90 2_2_00007FFD94119D90
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93FE49B7 2_2_00007FFD93FE49B7
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93FE36ED 2_2_00007FFD93FE36ED
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93FE2E1E 2_2_00007FFD93FE2E1E
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93FE3774 2_2_00007FFD93FE3774
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93FE2289 2_2_00007FFD93FE2289
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9DA42430 2_2_00007FFD9DA42430
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9DA41FD0 2_2_00007FFD9DA41FD0
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9DA545D0 2_2_00007FFD9DA545D0
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9DA54820 2_2_00007FFD9DA54820
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9DB524A0 2_2_00007FFD9DB524A0
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9DB529C0 2_2_00007FFD9DB529C0
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9DB52EC0 2_2_00007FFD9DB52EC0
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9DB53550 2_2_00007FFD9DB53550
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9DB51FF0 2_2_00007FFD9DB51FF0
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9DB51D80 2_2_00007FFD9DB51D80
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9DB61D40 2_2_00007FFD9DB61D40
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9DB62110 2_2_00007FFD9DB62110
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9DB721C0 2_2_00007FFD9DB721C0
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9DB71F10 2_2_00007FFD9DB71F10
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9DEC33C0 2_2_00007FFD9DEC33C0
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9DF31FA0 2_2_00007FFD9DF31FA0
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9DF41F40 2_2_00007FFD9DF41F40
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9DF42050 2_2_00007FFD9DF42050
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9E8422D0 2_2_00007FFD9E8422D0
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9E841D40 2_2_00007FFD9E841D40
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9E852160 2_2_00007FFD9E852160
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: String function: 00007FFD93FE1055 appears 321 times
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: String function: 00007FFD93FE5E02 appears 162 times
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: String function: 00007FFD93FE4115 appears 78 times
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: String function: 00007FFD93FE1FD2 appears 50 times
PE file does not import any functions
Source: python3.dll.0.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFE59000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelibsslH vs SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFE59000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamepyexpat.pyd. vs SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFE59000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamepython3.dll. vs SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C0597000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameunicodedata.pyd. vs SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C0597000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dllT vs SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFA2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_lzma.pyd. vs SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFA2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_multiprocessing.pyd. vs SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFA2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_overlapped.pyd. vs SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFA2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_queue.pyd. vs SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFA2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_socket.pyd. vs SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFA2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_sqlite3.pyd. vs SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFA2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_ssl.pyd. vs SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C01F6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamepython39.dll. vs SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C01F6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameselect.pyd. vs SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C01F6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesqlite3.dll0 vs SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFDD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelibcryptoH vs SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe
Source: classification engine Classification label: mal100.troj.evad.winEXE@3/57@3/2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C01F6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4682410994.00007FFD93548000.00000002.00000001.01000000.0000001C.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C01F6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4682410994.00007FFD93548000.00000002.00000001.01000000.0000001C.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C01F6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4682410994.00007FFD93548000.00000002.00000001.01000000.0000001C.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C01F6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4682410994.00007FFD93548000.00000002.00000001.01000000.0000001C.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C01F6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.4682410994.00007FFD93548000.00000002.00000001.01000000.0000001C.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C01F6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4682410994.00007FFD93548000.00000002.00000001.01000000.0000001C.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe ReversingLabs: Detection: 42%
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Virustotal: Detection: 47%
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Process created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Process created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Section loaded: python39.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Section loaded: libcrypto-1_1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Section loaded: libssl-1_1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Section loaded: libcrypto-1_1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Section loaded: python3.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Section loaded: sqlite3.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Section loaded: libffi-7.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Static file information: File size 19781632 > 1048576
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Static PE information: Raw size of .kJU is bigger than: 0x100000 < 0x12dc200
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\A\34\b\bin\amd64\_sqlite3.pdb source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4687655448.00007FFDA3A8B000.00000002.00000001.01000000.0000001B.sdmp
Source: Binary string: C:\A\34\b\bin\amd64\python39.pdb source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C01F6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4684451044.00007FFD94659000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\A\34\b\bin\amd64\select.pdb source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C01F6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4688506089.00007FFDA5494000.00000002.00000001.01000000.00000009.sdmp, select.pyd.0.dr
Source: Binary string: C:\A\34\b\bin\amd64\_lzma.pdbMM source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4686897906.00007FFDA332D000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: C:\A\34\b\bin\amd64\_bz2.pdb source: svchost.exe, 00000002.00000002.4688035561.00007FFDA416F000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\Users\runneradmin\AppData\Local\Temp\pip-req-build-mijilod8\src\rust\target\release\deps\cryptography_rust.pdbo source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C0800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4683233764.00007FFD93D09000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: C:\A\34\b\bin\amd64\sqlite3.pdb source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C01F6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4682410994.00007FFD93548000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: k1k2k3X9_62_PENTANOMIALp.otherp.onBasisp.tpBasisp.ppBasismX9_62_CHARACTERISTIC_TWOp.primep.char_twofieldTypeX9_62_FIELDIDabX9_62_CURVEfieldIDcurvebaseordercofactorECPARAMETERSvalue.named_curvevalue.parametersvalue.implicitlyCAECPKPARAMETERSprivateKeyparameterspublicKeyEC_PRIVATEKEYec_asn1_group2fieldidcrypto\ec\ec_asn1.cec_asn1_group2curveEC_GROUP_get_ecparametersEC_GROUP_get_ecpkparametersEC_GROUP_new_from_ecparametersEC_GROUP_new_from_ecpkparametersi2d_ECPKParametersd2i_ECPrivateKeyi2d_ECPrivateKeyi2d_ECParametersd2i_ECParameterso2i_ECPublicKeyi2o_ECPublicKeyossl_ec_group_new_excrypto\ec\ec_lib.cEC_GROUP_copyEC_GROUP_set_generatorEC_GROUP_set_curveEC_GROUP_get_curveEC_GROUP_get_degreeEC_GROUP_check_discriminantEC_POINT_newEC_POINT_copyEC_POINT_set_to_infinityEC_POINT_set_Jprojective_coordinates_GFpEC_POINT_set_affine_coordinatesEC_POINT_get_affine_coordinatesEC_POINT_addEC_POINT_dblEC_POINT_invertEC_POINT_is_at_infinityEC_POINT_is_on_curveEC_POINT_cmpEC_POINT_mulEC_GROUP_get_trinomial_basisEC_GROUP_get_pentanomial_basisgroup_new_from_nameossl_ec_group_set_paramsencodingdecoded-from-explicitEC_GROUP_new_from_paramsgeneratorcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"3.2.1built on: Fri May 3 00:14:50 2024 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files\Common Files\SSL"userSDIR: "C:\Program Files\OpenSSL\lib\users-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availablecrypto\init.cOPENSSL_init_cryptocrypto\bio\bio_lib.cBIO_new_exbio_read_internbio_write_internBIO_sendmmsgBIO_recvmmsgBIO_putsBIO_getsBIO_get_line BIO_ctrlBIO_callback_ctrlBIO_find_type source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C0800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4683233764.00007FFD93D09000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: C:\A\34\b\bin\amd64\_hashlib.pdb source: svchost.exe, 00000002.00000002.4688128846.00007FFDA4338000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: C:\A\6\b\libssl-1_1.pdb?? source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFE59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4687352279.00007FFDA3474000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: C:\Users\runneradmin\AppData\Local\Temp\pip-req-build-mijilod8\src\rust\target\release\deps\cryptography_rust.pdb source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C0800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4683233764.00007FFD93D09000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFCE7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4684039906.00007FFD94228000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: C:\A\34\b\bin\amd64\_socket.pdb source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4688416581.00007FFDA5469000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: C:\A\34\b\bin\amd64\_ctypes.pdb source: svchost.exe, 00000002.00000002.4685395414.00007FFD9DED2000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: C:\A\34\b\bin\amd64\_lzma.pdb source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4686897906.00007FFDA332D000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: C:\A\34\b\bin\amd64\_asyncio.pdb source: svchost.exe, 00000002.00000002.4687751049.00007FFDA3AE7000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: C:\A\34\b\bin\amd64\python3.pdb source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFE59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4688200266.00007FFDA4632000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C0800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4683233764.00007FFD93D09000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: C:\A\34\b\bin\amd64\pyexpat.pdb source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFE59000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\34\b\bin\amd64\_ssl.pdb source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4687507904.00007FFDA34BD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\A\6\b\libcrypto-1_1.pdb source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFD68000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a01\_work\26\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C0597000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4688595137.00007FFDA54F1000.00000002.00000001.01000000.00000007.sdmp, vcruntime140.dll.0.dr
Source: Binary string: C:\A\34\b\bin\amd64\_overlapped.pdb source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4687934699.00007FFDA3FD6000.00000002.00000001.01000000.00000019.sdmp
Source: Binary string: ossl_ec_GFp_simple_group_set_curvecrypto\ec\ecp_smpl.cossl_ec_GFp_simple_group_check_discriminantossl_ec_GFp_simple_point_set_affine_coordinatesossl_ec_GFp_simple_point_get_affine_coordinatesossl_ec_GFp_simple_make_affineossl_ec_GFp_simple_points_make_affineossl_ec_GFp_simple_field_invossl_ec_GFp_simple_blind_coordinatescompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specific.dllCPUINFO: crypto\initthread.cOPENSSL_ia32cap source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C0800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4683233764.00007FFD93D09000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: C:\A\34\b\bin\amd64\_multiprocessing.pdb source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFA2B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1k 25 Mar 2021built on: Tue Apr 6 11:26:02 2021 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"userSDIR: "C:\Program Files\OpenSSL\lib\users-1_1"not available source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFCE7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4684039906.00007FFD94228000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: C:\A\6\b\libssl-1_1.pdb source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFE59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4687352279.00007FFDA3474000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: C:\A\34\b\bin\amd64\_queue.pdb source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9BFA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4688327013.00007FFDA4DA3000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: C:\A\34\b\bin\amd64\unicodedata.pdb source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C0597000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4683534464.00007FFD93FCB000.00000002.00000001.01000000.00000012.sdmp
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .kJU
PE file contains sections with non-standard names
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Static PE information: section name: .@?F
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Static PE information: section name: .^@{
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Static PE information: section name: .kJU
Source: libcrypto-1_1.dll.0.dr Static PE information: section name: .00cfg
Source: libssl-1_1.dll.0.dr Static PE information: section name: .00cfg
Source: vcruntime140.dll.0.dr Static PE information: section name: _RDATA

Persistence and Installation Behavior
barindex
Drops PE files with benign system names
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Jump to dropped file
Drops PE files
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\zstandard\backend_c.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\select.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Cipher\_raw_ofb.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\zstandard\_cffi.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\_bz2.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Cipher\_raw_cbc.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Cipher\_raw_aesni.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\charset_normalizer\md__mypyc.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\PIL\_imagingcms.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\_lzma.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\PIL\_webp.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\_multiprocessing.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\_sqlite3.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\charset_normalizer\md.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\PIL\_imaging.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\sqlite3.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Hash\_SHA384.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\libssl-1_1.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\_hashlib.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Hash\_SHA256.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\_ssl.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Protocol\_scrypt.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Util\_cpuid_c.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\PIL\_imagingmath.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\_queue.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\python3.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Hash\_SHA512.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\_decimal.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\libffi-7.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Cipher\_raw_ecb.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Hash\_ghash_clmul.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Cipher\_raw_eksblowfish.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Cipher\_raw_cfb.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Hash\_SHA224.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Cipher\_raw_aes.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Hash\_BLAKE2s.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\cryptography\hazmat\bindings\_rust.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Cipher\_raw_ocb.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\libcrypto-1_1.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Hash\_SHA1.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\python39.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\_cffi_backend.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Cipher\_raw_ctr.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Util\_strxor.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\pyexpat.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\_ctypes.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Cipher\_Salsa20.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Hash\_ghash_portable.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\_overlapped.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\_socket.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Hash\_keccak.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\unicodedata.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\_asyncio.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe File created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Hash\_MD5.pyd Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Memory written: PID: 3916 base: 7FFDB4590008 value: E9 EB D9 E9 FF Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Memory written: PID: 3916 base: 7FFDB442D9F0 value: E9 20 26 16 00 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Memory written: PID: 3916 base: 7FFDB45A000D value: E9 BB CB EB FF Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Memory written: PID: 3916 base: 7FFDB445CBC0 value: E9 5A 34 14 00 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Memory written: PID: 3916 base: 7FFDB45B0005 value: E9 CB 05 E5 FF Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Memory written: PID: 3916 base: 7FFDB44005D0 value: E9 3A FA 1A 00 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Memory written: PID: 3916 base: 7FFDB45C0005 value: E9 9B 07 DF FF Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Memory written: PID: 3916 base: 7FFDB43B07A0 value: E9 6A F8 20 00 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Memory written: PID: 3916 base: 7FFDB4350007 value: E9 AB 11 E8 FF Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Memory written: PID: 3916 base: 7FFDB41D11B0 value: E9 5E EE 17 00 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Memory written: PID: 3916 base: 7FFDB4360006 value: E9 BB 7F E4 FF Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Memory written: PID: 3916 base: 7FFDB41A7FC0 value: E9 4C 80 1B 00 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Memory written: PID: 3916 base: 7FFDB1F80007 value: E9 CB E3 E3 FF Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Memory written: PID: 3916 base: 7FFDB1DBE3D0 value: E9 3E 1C 1C 00 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Memory written: PID: 3916 base: 7FFDB1F90006 value: E9 AB 4D D3 FF Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Memory written: PID: 3916 base: 7FFDB1CC4DB0 value: E9 5C B2 2C 00 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe System information queried: FirmwareTableInformation Jump to behavior
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe RDTSC instruction interceptor: First address: 7FF7A0389E25 second address: 7FF7A0389E42 instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 push eax 0x00000004 dec eax 0x00000005 arpl cx, ax 0x00000007 inc cx 0x00000009 cmovle edx, ebp 0x0000000c inc ecx 0x0000000d push esp 0x0000000e cdq 0x0000000f dec esp 0x00000010 movsx ebx, bx 0x00000013 dec ecx 0x00000014 movzx ebp, bx 0x00000017 inc ecx 0x00000018 push edi 0x00000019 bswap dx 0x0000001c push ecx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe RDTSC instruction interceptor: First address: 7FF7A0389E42 second address: 7FF7A0389E4D instructions: 0x00000000 rdtsc 0x00000002 cdq 0x00000003 inc ecx 0x00000004 push ecx 0x00000005 push edi 0x00000006 inc cx 0x00000008 movzx edi, bh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe RDTSC instruction interceptor: First address: 7FF79F0CACD3 second address: 7FF79F0CACF0 instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 push eax 0x00000004 dec eax 0x00000005 arpl cx, ax 0x00000007 inc cx 0x00000009 cmovle edx, ebp 0x0000000c inc ecx 0x0000000d push esp 0x0000000e cdq 0x0000000f dec esp 0x00000010 movsx ebx, bx 0x00000013 dec ecx 0x00000014 movzx ebp, bx 0x00000017 inc ecx 0x00000018 push edi 0x00000019 bswap dx 0x0000001c push ecx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe RDTSC instruction interceptor: First address: 7FF79F0CACF0 second address: 7FF79F0CACFB instructions: 0x00000000 rdtsc 0x00000002 cdq 0x00000003 inc ecx 0x00000004 push ecx 0x00000005 push edi 0x00000006 inc cx 0x00000008 movzx edi, bh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe RDTSC instruction interceptor: First address: 7FF79F141EDA second address: 7FF79F141EF9 instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 pop ebp 0x00000004 inc bp 0x00000006 adc edx, edx 0x00000008 dec eax 0x00000009 bswap edx 0x0000000b dec eax 0x0000000c arpl cx, bp 0x0000000e inc ecx 0x0000000f pop edx 0x00000010 inc eax 0x00000011 or dh, FFFFFFF1h 0x00000014 ror ch, FFFFFF88h 0x00000017 inc bp 0x00000019 movzx esp, dh 0x0000001c popfd 0x0000001d cbw 0x0000001f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe RDTSC instruction interceptor: First address: 7FF79F141EF9 second address: 7FF79F1427F6 instructions: 0x00000000 rdtsc 0x00000002 pop edi 0x00000003 inc eax 0x00000004 setnbe ch 0x00000007 cwde 0x00000008 dec ecx 0x00000009 arpl ax, dx 0x0000000b inc ecx 0x0000000c pop ecx 0x0000000d pop ecx 0x0000000e dec ecx 0x0000000f mov edi, 1E784F79h 0x00000015 inc ecx 0x00000016 pop edi 0x00000017 jmp 00007F94BCDB85D5h 0x0000001c inc ecx 0x0000001d pop esp 0x0000001e setne dl 0x00000021 dec eax 0x00000022 movzx edx, si 0x00000025 dec eax 0x00000026 cwde 0x00000027 inc ecx 0x00000028 pop eax 0x00000029 bswap ax 0x0000002c cmovp esi, esp 0x0000002f dec eax 0x00000030 arpl di, ax 0x00000032 pop ebx 0x00000033 pop ebp 0x00000034 pop esi 0x00000035 not al 0x00000037 inc ecx 0x00000038 pop esi 0x00000039 cwd 0x0000003b inc ecx 0x0000003c pop ebx 0x0000003d rdtsc
Tries to evade analysis by execution special instruction (VM detection)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Special instruction interceptor: First address: 7FF7A0343E2F instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Special instruction interceptor: First address: 7FF7A0343E3E instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93FE6514 rdtsc 2_2_00007FFD93FE6514
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Window / User API: threadDelayed 6196 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Window / User API: threadDelayed 3712 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\zstandard\backend_c.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\select.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\zstandard\_cffi.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Cipher\_raw_ofb.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\_bz2.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Cipher\_raw_cbc.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Cipher\_raw_aesni.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\charset_normalizer\md__mypyc.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\PIL\_imagingcms.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\_lzma.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\PIL\_webp.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\_multiprocessing.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\charset_normalizer\md.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\_sqlite3.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\PIL\_imaging.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Hash\_SHA384.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\_hashlib.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Hash\_SHA256.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\_ssl.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Protocol\_scrypt.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\PIL\_imagingmath.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Util\_cpuid_c.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\_queue.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Hash\_SHA512.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\_decimal.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Cipher\_raw_ecb.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Hash\_ghash_clmul.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Cipher\_raw_eksblowfish.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Cipher\_raw_cfb.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Hash\_SHA224.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Cipher\_raw_aes.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Hash\_BLAKE2s.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\cryptography\hazmat\bindings\_rust.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Cipher\_raw_ocb.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Hash\_SHA1.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Cipher\_raw_ctr.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\_cffi_backend.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Util\_strxor.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\pyexpat.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\_ctypes.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Cipher\_Salsa20.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Hash\_ghash_portable.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\_overlapped.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\_socket.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Hash\_keccak.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\unicodedata.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\_asyncio.pyd Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Hash\_MD5.pyd Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe API coverage: 3.3 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe TID: 4388 Thread sleep count: 6196 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe TID: 4388 Thread sleep time: -6196000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe TID: 4388 Thread sleep count: 3712 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe TID: 4388 Thread sleep time: -3712000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93FE4480 _errno,malloc,_errno,memset,MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,free,_errno,FindFirstFileW,_errno,FindNextFileW,WideCharToMultiByte, 2_2_00007FFD93FE4480
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9DED097C GetSystemInfo,VirtualAlloc, 2_2_00007FFD9DED097C
Source: SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe, 00000000.00000003.2271006717.000001C9C0800000.00000004.00000020.00020000.00000000.sdmp, cacert.pem.0.dr Binary or memory string: j2aTPs+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmU
Source: cacert.pem.0.dr Binary or memory string: zJVSk/BwJVmcIGfE7vmLV2H0knZ9P4SNVbfo5azV8fUZVqZa+5Acr5Pr5RzUZ5dd
Source: svchost.exe, 00000002.00000002.4675114718.000001A6B4EF9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Thread information set: HideFromDebugger Jump to behavior
Potentially malicious time measurement code found
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93FE6514 2_2_00007FFD93FE6514
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93FE63D4 2_2_00007FFD93FE63D4
Tries to detect debuggers (CloseHandle check)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Handle closed: DEADC0DE
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93FE6514 rdtsc 2_2_00007FFD93FE6514
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93EC3314 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FFD93EC3314
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93EC3314 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FFD93EC3314
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93EC2998 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00007FFD93EC2998
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93EC34FC SetUnhandledExceptionFilter, 2_2_00007FFD93EC34FC
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9DA41390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00007FFD9DA41390
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9DA41960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FFD9DA41960
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9DA51390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00007FFD9DA51390
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9DA51960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FFD9DA51960
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9DB51960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FFD9DB51960
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9DB51390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00007FFD9DB51390
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9DB61960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FFD9DB61960
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9DB61390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00007FFD9DB61390
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9DB71960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FFD9DB71960
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9DB71390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00007FFD9DB71390
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9DEB1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00007FFD9DEB1390
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9DEB1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FFD9DEB1960
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9DEC6930 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FFD9DEC6930
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9DEC5FD8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00007FFD9DEC5FD8
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9DEC6B18 SetUnhandledExceptionFilter, 2_2_00007FFD9DEC6B18
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9DF31960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FFD9DF31960
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9DF31390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00007FFD9DF31390
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9DF41960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FFD9DF41960
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9DF41390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00007FFD9DF41390
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9E841960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FFD9E841960
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9E841390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00007FFD9E841390
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9E851960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FFD9E851960
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9E851390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00007FFD9E851390
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9F3CB828 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FFD9F3CB828

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Network Connect: 104.26.3.16 443 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Network Connect: 172.67.75.40 443 Jump to behavior
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe NtProtectVirtualMemory: Direct from: 0x7FF7A048EDE4 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe NtMapViewOfSection: Direct from: 0x7FF7A048EDC1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe NtQuerySystemInformation: Direct from: 0x7FF7A048EE4A Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe NtProtectVirtualMemory: Indirect: 0x7FF79F1A46B8 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe NtQuerySystemInformation: Direct from: 0x7FF7A048EE34 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe NtClose: Direct from: 0x7FF7A048ED98
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe NtQuerySystemInformation: Direct from: 0x7FF7A048EE53 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe NtSetInformationThread: Direct from: 0x7FF7A048EE64 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe NtQueryInformationProcess: Direct from: 0x7FF7A048ED89 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe NtQueryInformationProcess: Direct from: 0x7FF7A048ED5B Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe Process created: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe" Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD9DEB1D40 cpuid 2_2_00007FFD9DEB1D40
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\Desktop VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\Desktop VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\Desktop VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\Desktop VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\Desktop VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\Desktop VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\Desktop VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\Desktop VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\Desktop VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\Desktop VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\Desktop VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\Desktop VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\Desktop VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\Desktop VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\Desktop VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\certifi\cacert.pem VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\Desktop VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\Desktop VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\Desktop VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Cipher\_raw_ecb.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Cipher\_raw_cbc.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Cipher\_raw_cfb.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Cipher\_raw_ofb.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Cipher\_raw_ctr.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Util\_strxor.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Hash\_BLAKE2s.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Hash\_SHA1.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Hash\_SHA256.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Cipher\_Salsa20.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Protocol\_scrypt.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Util\_cpuid_c.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Hash\_ghash_portable.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Hash\_ghash_clmul.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Cipher\_raw_ocb.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Cipher\_raw_aes.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\Crypto\Cipher\_raw_aesni.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93CF24F8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 2_2_00007FFD93CF24F8
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\Temp\onefile_3916_133720417332478140\svchost.exe Code function: 2_2_00007FFD93FE5DCB bind,WSAGetLastError, 2_2_00007FFD93FE5DCB
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1521676 Sample: SecuriteInfo.com.Win64.Troj... Startdate: 29/09/2024 Architecture: WINDOWS Score: 100 23 rentry.co 2->23 29 Antivirus / Scanner detection for submitted sample 2->29 31 Multi AV Scanner detection for submitted file 2->31 33 Machine Learning detection for sample 2->33 37 4 other signatures 2->37 7 SecuriteInfo.com.Win64.TrojanX-gen.20834.9882.exe 74 2->7         started        signatures3 35 Connects to a pastebin service (likely for C&C) 23->35 process4 file5 15 C:\Users\user\AppData\Local\...\svchost.exe, PE32+ 7->15 dropped 17 C:\Users\user\AppData\Local\...\backend_c.pyd, PE32+ 7->17 dropped 19 C:\Users\user\AppData\Local\...\_cffi.pyd, PE32+ 7->19 dropped 21 53 other files (none is malicious) 7->21 dropped 39 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 7->39 41 Query firmware table information (likely to detect VMs) 7->41 43 Tries to evade analysis by execution special instruction (VM detection) 7->43 45 5 other signatures 7->45 11 svchost.exe 7->11         started        signatures6 process7 dnsIp8 25 104.26.3.16, 443, 50064, 50065 CLOUDFLARENETUS United States 11->25 27 rentry.co 172.67.75.40, 443, 49713, 49714 CLOUDFLARENETUS United States 11->27 47 System process connects to network (likely due to code injection or exploit) 11->47 49 Potentially malicious time measurement code found 11->49 signatures9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.26.3.16
 unknown United States
13335 CLOUDFLARENETUS true
172.67.75.40
 rentry.co United States
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
rentry.co 172.67.75.40 true