Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe
Analysis ID:	1546652
MD5:	250d2a344e15b3c55fd1d59afcf0b1da
SHA1:	1be4fbfb1b39e225fb1b82e73aaa609c734cb8a5
SHA256:	2852cbcdd8ae60e9761f3cd78aaeb84a7c038e1b692800af33003d04d0b7594b
Tags:	exe
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for dropped file

Machine Learning detection for sample

Allocates memory with a write watch (potentially for evading sandboxes)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe (PID: 2380 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe" MD5: 250D2A344E15B3C55FD1D59AFCF0B1DA)

cleanup

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T11:27:15.087884+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.5	49711	TCP
2024-11-01T11:27:54.091482+0100	2022930	1	A Network Trojan was detected	52.149.20.212	443	192.168.2.5	49918	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T11:27:01.380316+0100	2803305	3	Unknown Traffic	192.168.2.5	49706	217.15.164.94	80	TCP

HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 01 Nov 2024 10:27:01 GMTServer: Apache/2.4.62 (Debian)Last-Modified: Mon, 21 Oct 2024 10:59:32 GMTETag: "19200-624fa8c262d00"Accept-Ranges: bytesContent-Length: 102912Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 14 34 16 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 3c 01 00 00 54 00 00 00 00 00 00 5e 5a 01 00 00 20 00 00 00 60 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 01 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 0c 5a 01 00 4f 00 00 00 00 60 01 00 d4 51 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 01 00 0c 00 00 00 d4 58 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 64 3a 01 00 00 20 00 00 00 3c 01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 d4 51 00 00 00 60 01 00 00 52 00 00 00 3e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 01 00 00 02 00 00 00 90 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 5a 01 00 00 00 00 00 48 00 00 00 02 00 05 00 78 3c 00 00 ac 4b 00 00 03 00 00 00 0a 00 00 06 24 88 00 00 b0 d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 03 00 45 00 00 00 00 00 00 00 28 06 00 00 06 28 05 00 00 06 28 1b 00 00 0a 02 fe 06 07 00 00 06 73 1c 00 00 0a 6f 1d 00 00 0a 28 01 00 00 06 26 7e 01 00 00 04 28 1e 00 00 0a 16 9a 6f 1f 00 00 0a 80 01 00 00 04 de 06 73 7c 00 00 06 7a 2a 00 00 00 01 10 00 00 00 00 20 00 1e 3e 00 06 13 00 00 01 06 2a 46 04 6f 20 00 00 0a 74 13 00 00 01 73 7c 00 00 06 7a 13 30 03 00 5c 00 00 00 01 00 00 11 02 28 21 00 00 0a 2c 4e 02 19 17 73 22 00 00 0a 0a 73 23 00 00 0a 06 6f 24 00 00 0a 0b 06 6f 25 00 00 0a 73 26 00 00 0a 0c 16 0d 2b 1c 08 07 09 8f 58 00 00 01 72 01 00 00 70 28 27 00 00 0a 6f 28 00 00 0a 26 09 17 58 0d 09 07 8e 69 32 de 08 6f 1f 00 00 0a 2a 72 07 00 00 70 2a 4a 02 72 09 00 00 70 18 73 29 00 00 0a 28 2a 00 00 0a 2a 4a 73 0b 00 00 06 25 6f 09 00 00 06 6f 2b 00 00 0a 26 2a 1e 02 28 2c 00 00 0a 2a 2e 72 29 00 00 70 80 01 00 00 04 2a 00 00 13 30 03 00 8d 00 00 00 00 00 00 00 02 73 21 00 00 06 7d 04 00 00 04 02 73 2d 00 00 0a 7d 08 00 00 04 02 28 2e 0

Source: global traffic	HTTP traffic detected: GET /update//resources.xml HTTP/1.1Host: 217.15.164.94Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /update/client/cabal.exe HTTP/1.1Host: 217.15.164.94

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49706 -> 217.15.164.94:80
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.5:49711
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.5:49918

Source: global traffic

HTTP traffic detected: GET /update//web/kmnkNIANBDUIbudbnIA.php?t=01/11/2024%2006:26:57 HTTP/1.1Accept: */*Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 217.15.164.94Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: unknown	TCP traffic detected without corresponding DNS query: 217.15.164.94

Source: global traffic	HTTP traffic detected: GET /update//web/kmnkNIANBDUIbudbnIA.php?t=01/11/2024%2006:26:57 HTTP/1.1Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 217.15.164.94Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /update//resources.xml HTTP/1.1Host: 217.15.164.94Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /update/client/cabal.exe HTTP/1.1Host: 217.15.164.94

Source: global traffic

DNS traffic detected: DNS query: s4.gtsystems.hu

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Nov 2024 10:27:00 GMTServer: Apache/2.4.62 (Debian)Content-Length: 275Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 36 32 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 32 31 37 2e 31 35 2e 31 36 34 2e 39 34 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.62 (Debian) Server at 217.15.164.94 Port 80</address></body></html>

Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.00000000035E7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.000000000339E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.000000000356C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://217.15.164.94
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, cabal.exe.0.dr	String found in binary or memory: http://217.15.164.94/update/
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.000000000356C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://217.15.164.94/update//resources.xml
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3297785606.0000000006E5D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3304723175.000000000E9D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://217.15.164.94/update//web/kmnkNIANBDUIbudbnIA.php?t=01/11/2024
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3297785606.0000000006E19000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3291476331.0000000001493000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3297785606.0000000006E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://217.15.164.94/update//web/kmnkNIANBDUIbudbnIA.php?t=01/11/2024%2006:26:57
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3291476331.0000000001493000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://217.15.164.94/update//web/kmnkNIANBDUIbudbnIA.php?t=01/11/2024%2006:26:57652bf5c30805da9
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3297785606.0000000006E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://217.15.164.94/update//web/kmnkNIANBDUIbudbnIA.php?t=01/11/2024%2006:26:57Sl.R
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3296482121.00000000065B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://217.15.164.94/update//web/kmnkNIANBDUIbudbnIA.phpt=01/11/2024
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://217.15.164.94/update/client/cabal.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.00000000035E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://217.15.164.94/update/client/cabal.exeP
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.000000000356C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://217.15.168
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.0000000003463000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/update;component/classes/webbrowseroverlaywf/webbrowseroverlay.xaml
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.0000000003463000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/update;component/classes/webbrowseroverlaywf/webbrowseroverlay.xamld
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3299553534.0000000008602000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.comQ
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.0000000003463000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/classes/webbrowseroverlaywf/webbrowseroverlay.baml
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.0000000003463000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/classes/webbrowseroverlaywf/webbrowseroverlay.bamld
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.0000000003463000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/classes/webbrowseroverlaywf/webbrowseroverlay.xaml
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.0000000003463000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/classes/webbrowseroverlaywf/webbrowseroverlay.xamld
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.0000000003404000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.00000000035CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.000000000339E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.000000000356C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.0000000003404000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.0000000003698000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3296051712.0000000005E8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww.micro
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3297785606.0000000006E19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe

Code function: 0_2_0329D390

0_2_0329D390

Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3291476331.000000000145E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000000.2025535730.0000000001032000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameupdate.exe: vs SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.00000000036D6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamecabal.exeB vs SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Binary or memory string: OriginalFilenameupdate.exe: vs SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe

Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal76.winEXE@1/13@1/1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe

File created: C:\Users\user\Desktop\main.dat

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe

File created: C:\Users\user\AppData\Local\Temp\resources.xml

Jump to behavior

Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe

ReversingLabs: Detection: 71%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: windowscodecsext.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: icm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: msctfui.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Section loaded: msls31.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe

Static file information: File size 7486464 > 1048576

Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x71e600

Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\MMOParadox Expansion Launcher\update\obj\Release\update.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe
Source:	Binary string: D:\MMOParadox Expansion Launcher\cabal\obj\Release\cabal.pdb source: cabal.exe.0.dr
Source:	Binary string: D:\MMOParadox Expansion Launcher\update\obj\Release\update.pdb@ source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe
Source:	Binary string: D:\MMOParadox Expansion Launcher\cabal\obj\Release\cabal.pdb4Z source: cabal.exe.0.dr

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Code function: 0_2_0329127F pushfd ; iretd	0_2_032912B9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Code function: 0_2_032912BA pushfd ; iretd	0_2_032912B9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Code function: 0_2_032932C2 pushad ; iretd	0_2_032932D1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Code function: 0_2_032932D2 pushfd ; iretd	0_2_03293301
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Code function: 0_2_0329B0C1 push eax; retf	0_2_0329B0CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Code function: 0_2_0329378A push esp; retf	0_2_03293799
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Code function: 0_2_0329379A push esp; retf	0_2_03293799

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe

File created: C:\Users\user\Desktop\cabal.exe

Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Memory allocated: 3250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Memory allocated: 32F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Memory allocated: 52F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Memory allocated: D620000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Window / User API: threadDelayed 2833			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Window / User API: threadDelayed 810			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe

Dropped PE file which has not been started: C:\Users\user\Desktop\cabal.exe

Jump to dropped file

Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3297785606.0000000006E5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW)\
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3297785606.0000000006E5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3291476331.0000000001493000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	13 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	23 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	71%	ReversingLabs	Win32.Trojan.Generic
SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	100%	Avira	HEUR/AGEN.1307097
SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Desktop\cabal.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\cabal.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.Generic

Source	Detection	Scanner	Label
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
shadowman.dnse.hu	185.6.188.137	true	false		unknown
s4.gtsystems.hu	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://217.15.164.94/update//web/kmnkNIANBDUIbudbnIA.php?t=01/11/2024%2006:26:57	false		unknown
http://217.15.164.94/update//resources.xml	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://foo/bar/classes/webbrowseroverlaywf/webbrowseroverlay.baml	SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.0000000003463000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://217.15.164.94	SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.00000000035E7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.000000000339E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.000000000356C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://fontfabrik.comQ	SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3299553534.0000000008602000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://217.15.164.94/update/	SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, cabal.exe.0.dr	false		unknown
http://defaultcontainer/update;component/classes/webbrowseroverlaywf/webbrowseroverlay.xamld	SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.0000000003463000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://foo/classes/webbrowseroverlaywf/webbrowseroverlay.xamld	SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.0000000003463000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/soap/encoding/	SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.0000000003404000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.00000000035CE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://217.15.164.94/update//web/kmnkNIANBDUIbudbnIA.php?t=01/11/2024	SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3297785606.0000000006E5D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3304723175.000000000E9D6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://217.15.164.94/update//web/kmnkNIANBDUIbudbnIA.php?t=01/11/2024%2006:26:57Sl.R	SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3297785606.0000000006E5D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://217.15.164.94/update/client/cabal.exe	SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/wsdl/	SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.0000000003404000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.0000000003698000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://defaultcontainer/update;component/classes/webbrowseroverlaywf/webbrowseroverlay.xaml	SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.0000000003463000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://foo/classes/webbrowseroverlaywf/webbrowseroverlay.xaml	SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.0000000003463000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://ww.micro	SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3296051712.0000000005E8C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://217.15.168	SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.000000000356C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://217.15.164.94/update//web/kmnkNIANBDUIbudbnIA.php?t=01/11/2024%2006:26:57652bf5c30805da9	SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3291476331.0000000001493000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://foo/bar/classes/webbrowseroverlaywf/webbrowseroverlay.bamld	SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.0000000003463000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.000000000339E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.000000000356C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://217.15.164.94/update/client/cabal.exeP	SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.00000000035E7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://217.15.164.94/update//web/kmnkNIANBDUIbudbnIA.phpt=01/11/2024	SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3296482121.00000000065B9000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
217.15.164.94	unknown	European Union		12389	ROSTELECOM-ASRU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546652
Start date and time:	2024-11-01 11:26:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe
Detection:	MAL
Classification:	mal76.winEXE@1/13@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 21 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe

Simulations

Behavior and APIs

Time	Type	Description
06:26:59	API Interceptor	1x Sleep call for process: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
shadowman.dnse.hu	SecuriteInfo.com.Win32.TrojanX-gen.28573.1762.exe	Get hash	malicious	Unknown	Browse	185.6.188.137
	file.exe	Get hash	malicious	Unknown	Browse	185.6.188.137
	o1t2MRtxhU.exe	Get hash	malicious	Unknown	Browse	185.6.188.137

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ROSTELECOM-ASRU	wZU2edEGL3.elf	Get hash	malicious	Unknown	Browse	95.70.22.105
	SuNMTBkfPo.elf	Get hash	malicious	Unknown	Browse	2.63.123.223
	8v2IShmMos.elf	Get hash	malicious	Unknown	Browse	178.185.114.235
	belks.arm7.elf	Get hash	malicious	Mirai	Browse	95.81.253.222
	belks.mips.elf	Get hash	malicious	Mirai	Browse	31.162.185.100
	belks.mpsl.elf	Get hash	malicious	Mirai	Browse	95.54.216.165
	belks.sh4.elf	Get hash	malicious	Mirai	Browse	31.163.227.20
	belks.ppc.elf	Get hash	malicious	Mirai	Browse	31.163.227.37
	belks.spc.elf	Get hash	malicious	Mirai	Browse	94.31.136.136
	belks.x86.elf	Get hash	malicious	Mirai	Browse	31.163.227.36

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe
File Type:	data
Category:	dropped
Size (bytes):	49120
Entropy (8bit):	0.0017331682157558962
Encrypted:	false
SSDEEP:	3:Ztt:T
MD5:	0392ADA071EB68355BED625D8F9695F3
SHA1:	777253141235B6C6AC92E17E297A1482E82252CC
SHA-256:	B1313DD95EAF63F33F86F72F09E2ECD700D11159A8693210C37470FCB84038F7
SHA-512:	EF659EEFCAB16221783ECB258D19801A1FF063478698CF4FCE3C9F98059CA7B1D060B0449E6FD89D3B70439D9735FA1D50088568FF46C9927DE45808250AEC2E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\down[1]

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe
File Type:	PNG image data, 15 x 15, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	748
Entropy (8bit):	7.249606135668305
Encrypted:	false
SSDEEP:	12:6v/7/2QeZ7HVJ6o6yiq1p4tSQfAVFcm6R2HkZuU4fB4CsY4NJlrvMezoW2uONroc:GeZ6oLiqkbDuU4fqzTrvMeBBlE
MD5:	C4F558C4C8B56858F15C09037CD6625A
SHA1:	EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
SHA-256:	39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
SHA-512:	D60353D3FBEA2992D96795BA30B20727B022B9164B2094B922921D33CA7CE1634713693AC191F8F5708954544F7648F4840BCD5B62CB6A032EF292A8B0E52A44
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR...............ex....PLTE....W..W..W..W..W..W..W..W..W..W..W..W..W.U..............W..W.!Y.#Z.$\.'].<r.=s.P..Q..Q..U..o..p..r..x..z..~.............................................b.............................................................................................................................................................................................................$..s...7tRNS.a.o(,.s....e......q*...................................F.Z....IDATx^%.S..@.C..jm.mTk...m.?\|;.y..S....F.t...,.......D.>..LpX=f.M...H4........=...=..xy.[h..7....7.....<.q.kH....#+....I..z.....'.ksC...X<.+..J>....%3BmqaV...h..Z._.:<.Y_jG...vN^.<>.Nu.u@.....M....?...1D.m~)s8..&....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\errorPageStrings[1]

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	4722
Entropy (8bit):	5.16192639844512
Encrypted:	false
SSDEEP:	96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g5O8b7A9I5:JsUOG1yNlX6ZzWpHOo/iP16CbM1k
MD5:	387B4FC78ABB97F378C5299D4D2CE305
SHA1:	6F2995FC620AB520C9EE1CA7244DF57367F983A2
SHA-256:	030209A13E2C84118139ABF0C4F08DBD203B4C802C7B73B74851860D79DF9CB7
SHA-512:	592D5E3FB7C78420F648281D87B0B303773749B8E0D3621A493ACAE257E2C1E77B782F3D6DAA0C2B3D37CBB4865B382617AF744E34F66C0F3E522DBCA7D71AAE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\ErrorPageTemplate[1]

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2168
Entropy (8bit):	5.207912016937144
Encrypted:	false
SSDEEP:	24:5+j5xU5k5N0ndgvoyeP0yyiyQCDr3nowMVworDtX3orKxWxDnCMA0da+hieyuSQK:5Q5K5k5pvFehWrrarrZIrHd3FIQfOS6
MD5:	F4FE1CB77E758E1BA56B8A8EC20417C5
SHA1:	F4EDA06901EDB98633A686B11D02F4925F827BF0
SHA-256:	8D018639281B33DA8EB3CE0B21D11E1D414E59024C3689F92BE8904EB5779B5F
SHA-512:	62514AB345B6648C5442200A8E9530DFB88A0355E262069E0A694289C39A4A1C06C6143E5961074BFAC219949102A416C09733F24E8468984B96843DC222B436
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.body..{...font-family: "Segoe UI", "verdana", "arial";...background-image: url(background_gradient.jpg);...background-repeat: repeat-x;...background-color: #E8EAEF;...margin-top: 20px;...margin-left: 20px;...color: #575757;..}....body.securityError..{...font-family: "Segoe UI", "verdana" , "Arial";...background-image: url(background_gradient_red.jpg);...background-repeat: repeat-x;...background-color: #E8EAEF;...margin-top: 20px;...margin-left: 20px;..}....body.tabInfo..{...background-image: none;...background-color: #F4F4F4;..}.. ..a..{...color: rgb(19,112,171);.font-size: 1em;...font-weight: normal;...text-decoration: none;...margin-left: 0px;...vertical-align: top;..}....a:link, a:visited..{...color: rgb(19,112,171);...text-decoration: none;...vertical-align: top;..}....a:hover..{...color: rgb(7,74,229);...text-decoration: underline;..}....p..{...font-size: 0.9em;..}.....h1 /* used for Title */..{...color: #4465A2;...font-size: 1.1em;...font-weight: normal;...vertical-align

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\bullet[1]

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe
File Type:	PNG image data, 15 x 15, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	447
Entropy (8bit):	7.304718288205936
Encrypted:	false
SSDEEP:	12:6v/71Cyt/JNTWxGdr+kZDWO7+4dKIv0b1GKuxu+R:/yBJNTqsSk9BTwE05su+R
MD5:	26F971D87CA00E23BD2D064524AEF838
SHA1:	7440BEFF2F4F8FABC9315608A13BF26CABAD27D9
SHA-256:	1D8E5FD3C1FD384C0A7507E7283C7FE8F65015E521B84569132A7EABEDC9D41D
SHA-512:	C62EB51BE301BB96C80539D66A73CD17CA2021D5D816233853A37DB72E04050271E581CC99652F3D8469B390003CA6C62DAD2A9D57164C620B7777AE99AA1B15
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR...............ex....PLTE...(EkFRp&@e&@e)Af)AgANjBNjDNjDNj2Vv-Xz-Y{3XyC\}E_.2j.3l.8p.7q.;j.;l.Zj.\l.5o.7q.<..aw.<..dz.E...........1..@.7..~.....9..:.....A..B..E..9..:..a..c..b..g.#M.%O.#r.#s.%y.2..4..+..-..?..@..;..p..s...G..H..M.........z`....#tRNS................................../,....mIDATx^..C..`.......S....y'...05...\|..k.X......*`.F.K....JQ..u.<.}.. ..[U..m....'r%.......yn.`.7F..).5..b..rX.T.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\background_gradient[1]

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1x800, components 3
Category:	dropped
Size (bytes):	453
Entropy (8bit):	5.019973044227213
Encrypted:	false
SSDEEP:	6:3llVuiPjlXJYhg5suRd8PImMo23C/kHrJ8yA/NIeYoWg78C/vTFvbKLAh3:V/XPYhiPRd8j7+9LoIrobtHTdbKi
MD5:	20F0110ED5E4E0D5384A496E4880139B
SHA1:	51F5FC61D8BF19100DF0F8AADAA57FCD9C086255
SHA-256:	1471693BE91E53C2640FE7BAEECBC624530B088444222D93F2815DFCE1865D5B
SHA-512:	5F52C117E346111D99D3B642926139178A80B9EC03147C00E27F07AAB47FE38E9319FE983444F3E0E36DEF1E86DD7C56C25E44B14EFDC3F13B45EDEDA064DB5A
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......P......Adobe.d................................................................................................................................................. ...............W..............................................................Qa.................................?......%.....x......s...Z.......j.T.wz.6...X.@... V.3tM...P@.u.%...m..D.25...T...F.........p......A..........BP..qD.(.........ntH.@......h?..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\httpErrorPagesScripts[1]

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	12105
Entropy (8bit):	5.451485481468043
Encrypted:	false
SSDEEP:	192:x20iniOciwd1BtvjrG8tAGGGVWnvyJVUrUiki3ayimi5ezLCvJG1gwm3z:xPini/i+1Btvjy815ZVUwiki3ayimi5f
MD5:	9234071287E637F85D721463C488704C
SHA1:	CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
SHA-256:	65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
SHA-512:	87D691987E7A2F69AD8605F35F94241AB7E68AD4F55AD384F1F0D40DC59FFD1432C758123661EE39443D624C881B01DCD228A67AFB8700FE5E66FC794A6C0384
Malicious:	false
Preview:	...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)\|ftp\|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function getDisplayValue(elem

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\http_404_webOC[1]

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe
File Type:	HTML document, Unicode text, UTF-8 (with BOM) text, with very long lines (312), with CRLF line terminators
Category:	dropped
Size (bytes):	6388
Entropy (8bit):	3.8847382101645676
Encrypted:	false
SSDEEP:	48:up4d0yV4VkBXvLotC5N9J/1a5TI7kZ3GUXn3GFa7K083GJehBu01kptk7KwRpdtV:uKpMyN9JaKktZX36a7x05hwW77V
MD5:	20BF4AE51A0FA8932C6494892235994C
SHA1:	9FD92B9A36B5C635178AECB420239F012D7C6EDB
SHA-256:	A14C660AA3231464138E7CBBDA93D3009A3492045F210041446AB9E9CC6ED1F7
SHA-512:	9222A6AFBB07602F9D26AF5F0A5894AEFFD21627106C38EFC82484B10A4B09FF299273C9107337AA0D6578DE066F43C0162634D1F48741B00C968843D7C36EEB
Malicious:	false
Preview:	.<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">....<html dir="ltr">.... <head>.. <link rel="stylesheet" type="text/css" href="ErrorPageTemplate.css">.... <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.... <title>HTTP 404 Not Found</title>.... <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="javascript:initHomepage(); expandCollapse('infoBlockID', true); initGoBack(); initMoreInfo('infoBlockID');">.... <table width="730" cellpadding="0" cellspacing="0" border="0">.... Error title -->.. <tr>.. <td id="infoIconAlign" width="60" align="left" valign="top" rowspan="2">.. <img src="info_48.png" id="infoIcon" alt="Information ico

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\info_48[1]

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe
File Type:	PNG image data, 47 x 48, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	4113
Entropy (8bit):	7.9370830126943375
Encrypted:	false
SSDEEP:	96:WNTJL8szf79M8FUjE39KJoUUuJPnvmKacs6Uq7qDMj1XPL:WNrzFoQSJPnvzs6rL
MD5:	5565250FCC163AA3A79F0B746416CE69
SHA1:	B97CC66471FCDEE07D0EE36C7FB03F342C231F8F
SHA-256:	51129C6C98A82EA491F89857C31146ECEC14C4AF184517450A7A20C699C84859
SHA-512:	E60EA153B0FECE4D311769391D3B763B14B9A140105A36A13DAD23C2906735EAAB9092236DEB8C68EF078E8864D6E288BEF7EF1731C1E9F1AD9B0170B95AC134
Malicious:	false
Preview:	.PNG........IHDR.../...0.......#.....IDATx^...pUU..{....KB........!....F......jp.Q.......Vg.F..m.Q....{...,m.@.56D...&$d!.<..}....s..K9.....{............[./<..T..I.I..JR)).9.k.N.%.E.W^}....Po..............X..;.=.P......./...+...9./..s.....9..\|........7v.`..V.....-^.$S[[[......K..z......3..3....5 ...0.."/n/.c...&.{.ht..?....A..I{.n.....\|....t......N}..%.v...:.E..i....`....a.k.mg.LX..fcFU.fO-..YEfd.}...~."......}l$....^.re..'^X..}.?.^U.G..... .30...X......f[.l0.P`..KC...[..[..6....~..i..Q.\|;x..T ..........s.5...n+.0..;...H#.2..#.M..m[^3x&E.Ya..\K..{[..M..g...yf0..~....M.]7..ZZZ:..a.O.G64]....9..l[..a....N,,.h......5...f.y...}...BX{.G^...?.c.......s^..P.(..G...t.0.:.X.DCs.....]vf...py).........x..>-..Be.a...G...Y!...z...g.{....d.s.o.....%.x......R.W.....Z.b,....!..6Ub....U.qY(/v..m.a...4.`Qr\.E.G..a)..t..e.j.W........C<.1.....c..l1w....]3%....tR;.,..3..-.NW.5...t..H..h..D..b......M....)B..2J...)..o..m..M.t....wn./....+Wv....xkg....

C:\Users\user\AppData\Local\Temp\resources.xml

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	99939
Entropy (8bit):	5.305343777150314
Encrypted:	false
SSDEEP:	768:e2OShsj3PcZsQPf7xPWxyk1j8A7FXNplMVWbEFd1VUjwQWNApLiTvpZWw2:bUUfdIjlFXnXEJVrQWkLsZE
MD5:	ABF312AFD82EBD6E870693F67C74EECA
SHA1:	F39B6E6645230AE1C2ACD5800B5C57925C154C28
SHA-256:	69FBE204EC836FCE074C5FB2D5A6FE6F3C5BC2832FDD42535170BFDD8B2A71E5
SHA-512:	3ADCF6A1B56407F87E83E85F35797B1A187AC49CA098D6C58C95A58C92D544A5CEDA31505460C575A47980B01434617CB167CB131B82745C2B4CCD1E0916CCA4
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-16"?>..<RemoteSettings xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">.. <Settings>.. <Maintenance>false</Maintenance>.. <CabalHash>8780b686df399f6ebd518bdc39c99027</CabalHash>.. <UpdateHash>250d2a344e15b3c55fd1d59afcf0b1da</UpdateHash>.. <UpdateVersion>1.0.0</UpdateVersion>.. <UpdateRevision>0</UpdateRevision>.. <CabalMainHash>d590fc31a5cb46ae326896f195990338</CabalMainHash>.. <CabalMainBuild>374</CabalMainBuild>.. <CabalMainConstructor>EAAAAIC2EUdLAU8mrRWGhVy9kqxKNP+AXBwbsQZBYrz4ma1t</CabalMainConstructor>.. </Settings>.. <Hashes count="977">.. <Hash file="!kill-process.bat">49b7eafd4cfbca298fc27bf8bb7d0b49</Hash>.. <Hash file="123.dll">415caf982c5b1920b9e11c59a36754a7</Hash>.. <Hash file="1StartCabalMayhem.bat">0e5d55e59fdd1c62aa223f60cb2a4bd7</Hash>.. <Hash file="1zDisplay1.dll">a2958096fe92a8e86f10546f2ffaee39</Hash>.. <Hash file="6thSe7eN.dll">4f5a60b783

C:\Users\user\Desktop\cabal.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	102912
Entropy (8bit):	6.409962720078823
Encrypted:	false
SSDEEP:	1536:LTqhFGaKXbiHzZHJqtBy3db4qThUtjGtv4n4PZHJqtBy3dbWZHVNtB83dbD:LTqhofXbiTtktGFdcGNtktG4tXtY9
MD5:	8780B686DF399F6EBD518BDC39C99027
SHA1:	9B14EB76F87BB42845BDAE321CE2C2A593686AF4
SHA-256:	75207C4BAAEE7583C427DF119C253E6A95C6A42B98E1902502A839F9879B42FE
SHA-512:	92A363BE3F33EE2B805CB6133F2E35C3A13CD0E9C321EBA8E9D39802E52DF3A693C30E96F8E19496D57BC0124EEA50F2548E90B64408A907D176F00473099238
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....4.g..............0..<...T......^Z... ...`....@.. ....................................`..................................Z..O....`...Q...........................X............................................... ............... ..H............text...d:... ...<.................. ..`.rsrc....Q...`...R...>..............@..@.reloc..............................@..B................@Z......H.......x<...K..........$................................................0..E.......(....(....(...........s....o....(....&~....(......o...........s\|...z......... ..>.......F.o ...t....s\|...z.0..\........(!...,N...s"....s#....o$.....o%...s&......+.....X...r...p('...o(...&..X....i2..o....r...pJ.r...p.s)...(...Js....%o....o+...&..(,....r)..p.....*...0...........s!...}.....s-...}.....(....r=..p(/...}.....(0....(.....{.....{....o1....s2...}.....{...........s3...o4....{....

C:\Users\user\Desktop\main.dat

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe
File Type:	data
Category:	dropped
Size (bytes):	171
Entropy (8bit):	1.074432538756844
Encrypted:	false
SSDEEP:	3:oll9llulnlvlklsl1lslslslslslslslslslslslslslulfltltlsltl5ll:olWycWWWWWWWWWWWWWUt1tW1
MD5:	5C76D529171BD1E07E258D342AC7E59C
SHA1:	9781C06569223E24614137E8914EA2CC85BD0FC6
SHA-256:	917D0908B4371943C4168344A36BD3F862685BC29450A18EA93ACFB111DC9DEC
SHA-512:	1461696E3A8D49A01412E43801EF4951B166347D847994180AA6C62BA6F5D7FF54E5F0E4DFB3B8D48B94388D3B5E0C68C928A6A53920CF41EA44279DC25F20B3
Malicious:	false
Preview:	........<..........?........2...2..........................................................................................................................................

C:\Users\user\Desktop\mainEX.dat

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe
File Type:	data
Category:	dropped
Size (bytes):	285
Entropy (8bit):	0.9845596771560091
Encrypted:	false
SSDEEP:	6:TwHzdt1t191qNWWWWWWWWWWWStg1WW1tWpslXd1:UBH3qUoEXX
MD5:	242B66F61D075F06316774148ED7B361
SHA1:	EE9F46A214CF07BE556F91AE755ED3F0D69E0878
SHA-256:	E5F6ED0C70D8E2E172F0DECD93CEEC55341DC6D0DC910308129F364645F64180
SHA-512:	6E768F12ED74F033FAC710172F97BA147ECE7452B5B14F279B7A434C63C31BE79F5F2BB10815C7F47DD74B8B462E9B70B50B9F58CB45063AEC54D66ADC0D2649
Malicious:	false
Preview:	.................8...2...........................................................................................................................................................................................................................................................<...<.......

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.241015072790345
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe
File size:	7'486'464 bytes
MD5:	250d2a344e15b3c55fd1d59afcf0b1da
SHA1:	1be4fbfb1b39e225fb1b82e73aaa609c734cb8a5
SHA256:	2852cbcdd8ae60e9761f3cd78aaeb84a7c038e1b692800af33003d04d0b7594b
SHA512:	4f8c05b75e7d4bab5245b1e8439d454631db77d7704ba7cd020bf0352adc6e6a047dc78ccf4384cd8fae1f38cbcd01267216620feb3d5def3742a0677a145cc5
SSDEEP:	98304:Rkjh88mbmIklyX+9YIk1QnRTsL7Hatbej3aWjGFkwzVccY0l/XJ:c88mbmIklyu9YIk1Ig7H6bej3a0YCfw
TLSH:	DE7605897991A940D81DB57CD1FCD190CBF32EC11E31812E9FEAAA524E42DDC8DE19CB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....4.g..............0...q..T......j.r.. ... r...@.. ........................r...........`................................

File Icon


Icon Hash:	4f072b0d2d33050f

Static PE Info

General

Entrypoint:	0xb2046a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67163414 [Mon Oct 21 10:59:32 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x720418	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x722000	0x5180	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x728000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x7202e0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x71e470	0x71e600	285bb383facebc709626e7873c3fb024	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x722000	0x5180	0x5200	cb2092be5e46fc9d44afb81c69d05b29	False	0.5735518292682927	data	6.082027218722338	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x728000	0xc	0x200	25da93795adfdf2c0f0668ff32ae9481	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x722180	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.8429602888086642
RT_ICON	0x722a38	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.6755780346820809
RT_ICON	0x722fb0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.553941908713693
RT_ICON	0x725568	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.6463414634146342
RT_ICON	0x726620	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.4104609929078014
RT_GROUP_ICON	0x726a98	0x4c	data	0.7631578947368421
RT_VERSION	0x726af4	0x370	data	0.4238636363636364
RT_MANIFEST	0x726e74	0x306	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.44315245478036175

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-01T11:27:01.380316+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49706	217.15.164.94	80	TCP
2024-11-01T11:27:15.087884+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.5	49711	TCP
2024-11-01T11:27:54.091482+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	52.149.20.212	443	192.168.2.5	49918	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 11:26:59.191598892 CET	49704	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:26:59.196770906 CET	80	49704	217.15.164.94	192.168.2.5
Nov 1, 2024 11:26:59.196842909 CET	49704	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:26:59.335513115 CET	49704	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:26:59.340532064 CET	80	49704	217.15.164.94	192.168.2.5
Nov 1, 2024 11:26:59.490761042 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:26:59.495663881 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:26:59.495719910 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:26:59.496371984 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:26:59.501188993 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.272774935 CET	80	49704	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.272834063 CET	49704	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.572112083 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.572137117 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.572149992 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.572160959 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.572173119 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.572175980 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.572184086 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.572195053 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.572206974 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.572212934 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.572248936 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.572283030 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.572295904 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.572344065 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.577455997 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.577500105 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.577512980 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.577538967 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.617450953 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.786499023 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.786513090 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.786525011 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.786562920 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.786640882 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.786653996 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.786679029 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.787527084 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.787579060 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.787686110 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.787692070 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.787729979 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.788268089 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.788280010 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.788319111 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.789916039 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.789927959 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.789938927 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.789962053 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.790540934 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.790551901 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.790563107 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.790575027 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.790587902 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.790587902 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.790600061 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.790612936 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.790621042 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.790661097 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.790832043 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.790843964 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.790855885 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.790875912 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.791656017 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.791702032 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.986630917 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.986644983 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.986704111 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.986735106 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.986747980 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.986761093 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.986779928 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.986780882 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.986800909 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.986813068 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.986826897 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.986840963 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.986861944 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.987422943 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.987447023 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.987471104 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.987503052 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.987515926 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.987529039 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.987549067 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.987550020 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.987559080 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.988122940 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.988135099 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.988147020 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.988173962 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.988174915 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.988189936 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.988198042 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.988204002 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.988226891 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.988827944 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.988840103 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.988852978 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.988873959 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.988897085 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.988960981 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.988996029 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.989007950 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.989021063 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.989027023 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.989063978 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.989701033 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.989800930 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.989813089 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.989825964 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.989845037 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.989847898 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.989859104 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.989869118 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.989872932 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.989902020 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.990614891 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.990662098 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.990663052 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.990677118 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.990720987 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.990752935 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.990766048 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.990777969 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.990789890 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.990804911 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.990828037 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.991456985 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.991621017 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.991631985 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.991647005 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.991660118 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.991667986 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.991702080 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.992079973 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:00.992121935 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:00.992125988 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.039278984 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.046704054 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.051575899 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.380247116 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.380254030 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.380273104 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.380285025 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.380290985 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.380310059 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.380316019 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.380317926 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.380342960 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.380350113 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.380356073 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.380364895 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.380373001 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.380422115 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.380496979 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.380503893 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.380516052 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.380541086 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.380548000 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.380580902 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.380598068 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.380669117 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.380685091 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.380690098 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.380707979 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.380743027 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.380770922 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.380779028 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.380785942 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.380791903 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.380820036 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.380825996 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.380856037 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.380954981 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.380975962 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.380981922 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.380992889 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.381067038 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.381067038 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.381074905 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.381086111 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.381108999 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.381258965 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.381267071 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.381279945 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.381320953 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.381340027 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.381360054 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.381366968 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.381373882 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.381380081 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.381396055 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.381412983 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.381419897 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.381426096 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.381437063 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.381453991 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.381688118 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.381694078 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.381706953 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.381717920 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.381722927 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.381737947 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.381776094 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.381848097 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.381855965 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.381895065 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.381927013 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.381938934 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.381946087 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.381951094 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.381963968 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.381968975 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.381975889 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.381997108 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.382019997 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.497524977 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.497590065 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.497596025 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.497608900 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.497613907 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.497622013 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.497627974 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.497688055 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.497711897 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.497711897 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.497745991 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.497747898 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.497752905 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.497766018 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.497792006 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.497911930 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.497919083 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.497930050 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.497953892 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.497987986 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.497996092 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.498048067 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.498054981 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.498066902 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.498073101 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.498073101 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.498090029 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.498115063 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.498210907 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.498218060 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.498229027 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.498236895 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.498245955 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.498248100 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.498260021 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.498286009 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.498306990 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.498348951 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.498354912 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.498361111 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.498373032 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.498399019 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.498441935 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.498449087 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.498483896 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.498492956 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.498498917 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.498511076 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.498539925 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.498732090 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.498739004 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.498754025 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.498786926 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:01.498982906 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:01.499027014 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:05.502433062 CET	80	49704	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:05.502518892 CET	49704	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:27:06.600857973 CET	80	49706	217.15.164.94	192.168.2.5
Nov 1, 2024 11:27:06.601527929 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:28:41.527865887 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:28:41.836330891 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:28:42.445709944 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:28:43.648838043 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:28:46.055097103 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:28:48.446258068 CET	49704	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:28:48.758234978 CET	49704	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:28:49.367804050 CET	49704	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:28:50.570736885 CET	49704	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:28:50.867597103 CET	49706	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:28:52.977112055 CET	49704	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:28:57.789498091 CET	49704	80	192.168.2.5	217.15.164.94
Nov 1, 2024 11:29:00.477010965 CET	49706	80	192.168.2.5	217.15.164.94

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 11:26:57.073642969 CET	62170	53	192.168.2.5	1.1.1.1
Nov 1, 2024 11:26:57.257531881 CET	53	62170	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 1, 2024 11:26:57.073642969 CET	192.168.2.5	1.1.1.1	0xa72b	Standard query (0)	s4.gtsystems.hu	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 1, 2024 11:26:57.257531881 CET	1.1.1.1	192.168.2.5	0xa72b	No error (0)	s4.gtsystems.hu	shadowman.dnse.hu		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 11:26:57.257531881 CET	1.1.1.1	192.168.2.5	0xa72b	No error (0)	shadowman.dnse.hu		185.6.188.137	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

217.15.164.94

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	217.15.164.94	80	2380	C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 11:26:59.335513115 CET	355	OUT	GET /update//web/kmnkNIANBDUIbudbnIA.php?t=01/11/2024%2006:26:57 HTTP/1.1 Accept: / Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 217.15.164.94 Connection: Keep-Alive
Nov 1, 2024 11:27:00.272774935 CET	492	IN	HTTP/1.1 404 Not Found Date: Fri, 01 Nov 2024 10:27:00 GMT Server: Apache/2.4.62 (Debian) Content-Length: 275 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 36 32 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 32 31 37 2e 31 35 2e 31 36 34 2e 39 34 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.62 (Debian) Server at 217.15.164.94 Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	217.15.164.94	80	2380	C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 11:26:59.496371984 CET	84	OUT	GET /update//resources.xml HTTP/1.1 Host: 217.15.164.94 Connection: Keep-Alive
Nov 1, 2024 11:27:00.572112083 CET	1236	IN	HTTP/1.1 200 OK Date: Fri, 01 Nov 2024 10:27:00 GMT Server: Apache/2.4.62 (Debian) Last-Modified: Wed, 30 Oct 2024 04:28:36 GMT ETag: "18663-625aa22a26500" Accept-Ranges: bytes Content-Length: 99939 Vary: Accept-Encoding Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/xml Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 31 36 22 3f 3e 0d 0a 3c 52 65 6d 6f 74 65 53 65 74 74 69 6e 67 73 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 3e 0d 0a 20 20 3c 53 65 74 74 69 6e 67 73 3e 0d 0a 20 20 20 20 3c 4d 61 69 6e 74 65 6e 61 6e 63 65 3e 66 61 6c 73 65 3c 2f 4d 61 69 6e 74 65 6e 61 6e 63 65 3e 0d 0a 20 20 20 20 3c 43 61 62 61 6c 48 61 73 68 3e 38 37 38 30 62 36 38 36 64 66 33 39 39 66 36 65 62 64 35 31 38 62 64 63 33 39 63 39 39 30 32 37 3c 2f 43 61 62 61 6c 48 61 73 68 3e 0d 0a 20 20 20 20 3c 55 70 64 61 74 65 48 61 73 68 3e 32 35 30 64 32 61 33 34 34 65 31 35 62 33 63 35 35 66 64 31 64 35 39 61 66 63 66 30 62 31 64 61 3c 2f 55 70 64 61 74 65 48 61 73 68 3e 0d 0a 20 20 20 20 [TRUNCATED] Data Ascii: <?xml version="1.0" encoding="utf-16"?><RemoteSettings xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <Settings> <Maintenance>false</Maintenance> <CabalHash>8780b686df399f6ebd518bdc39c99027</CabalHash> <UpdateHash>250d2a344e15b3c55fd1d59afcf0b1da</UpdateHash> <UpdateVersion>1.0.0</UpdateVersion> <UpdateRevision>0</UpdateRevision> <CabalMainHash>d590fc31a5cb46ae326896f195990338</CabalMainHash> <CabalMainBuild>374</CabalMainBuild> <CabalMainConstructor>EAAAAIC2EUdLAU8mrRWGhVy9kqxKNP+AXBwbsQZBYrz4ma1t</CabalMainConstructor> </Settings> <Hashes count="977"> <Hash file="!kill-process.bat">49b7eafd4cfbca298fc27bf8bb7d0b49</Hash> <Hash file="123.dll">415caf982c5b1920b9e11c59a36754a7</Hash> <Hash file="1StartCabalMayhem.bat">0e5d55e59fdd1c62aa223f60cb2a4bd7</Hash> <Hash file="1zDisplay1.dll"
Nov 1, 2024 11:27:00.572137117 CET	1236	IN	Data Raw: 3e 61 32 39 35 38 30 39 36 66 65 39 32 61 38 65 38 36 66 31 30 35 34 36 66 32 66 66 61 65 65 33 39 3c 2f 48 61 73 68 3e 0d 0a 20 20 20 20 3c 48 61 73 68 20 66 69 6c 65 3d 22 36 74 68 53 65 37 65 4e 2e 64 6c 6c 22 3e 34 66 35 61 36 30 62 37 38 33 Data Ascii: >a2958096fe92a8e86f10546f2ffaee39</Hash> <Hash file="6thSe7eN.dll">4f5a60b783a745fb7b96cb0d4d824007</Hash> <Hash file="aqrit.cfg">fa4deb945a794d8bc11fd30de0f7189a</Hash> <Hash file="atl72.dll">6767c59f01cca2e0d150d0d810d383da</H
Nov 1, 2024 11:27:00.572149992 CET	424	IN	Data Raw: 79 2e 64 6c 6c 22 3e 36 61 35 38 36 33 61 38 38 37 36 61 65 30 64 33 36 38 30 32 30 32 38 62 63 36 63 36 36 66 38 64 3c 2f 48 61 73 68 3e 0d 0a 20 20 20 20 3c 48 61 73 68 20 66 69 6c 65 3d 22 7a 44 69 73 70 6c 61 79 31 2e 64 6c 6c 22 3e 61 32 39 Data Ascii: y.dll">6a5863a8876ae0d36802028bc6c66f8d</Hash> <Hash file="zDisplay1.dll">a2958096fe92a8e86f10546f2ffaee39</Hash> <Hash file="Data\ability.enc">d02f4ac1929b6594a7363a1d77d3a91d</Hash> <Hash file="Data\achievement.enc">81d247e1ac
Nov 1, 2024 11:27:00.572160959 CET	1236	IN	Data Raw: 20 20 20 20 3c 48 61 73 68 20 66 69 6c 65 3d 22 44 61 74 61 5c 63 61 7a 2e 65 6e 63 22 3e 32 66 62 63 62 31 31 62 61 31 61 63 64 37 30 65 33 61 66 34 36 33 35 33 36 39 66 30 30 34 64 37 3c 2f 48 61 73 68 3e 0d 0a 20 20 20 20 3c 48 61 73 68 20 66 Data Ascii: <Hash file="Data\caz.enc">2fbcb11ba1acd70e3af4635369f004d7</Hash> <Hash file="Data\change_shape.enc">3b4b1099c1f1cc4d112b9daf0c73da9d</Hash> <Hash file="Data\cont.enc">cde7cd448f9850a882576bc84a023933</Hash> <Hash file="Data
Nov 1, 2024 11:27:00.572173119 CET	1236	IN	Data Raw: 37 36 64 61 3c 2f 48 61 73 68 3e 0d 0a 20 20 20 20 3c 48 61 73 68 20 66 69 6c 65 3d 22 44 61 74 61 5c 6d 73 67 2e 65 6e 63 22 3e 39 38 65 64 30 38 39 64 66 32 66 35 63 65 62 61 34 31 30 65 39 36 64 32 32 66 34 34 39 66 32 61 3c 2f 48 61 73 68 3e Data Ascii: 76da</Hash> <Hash file="Data\msg.enc">98ed089df2f5ceba410e96d22f449f2a</Hash> <Hash file="Data\quest.enc">1a016860204609a731fb74bef4dea628</Hash> <Hash file="Data\script.enc">7d1448b49ed25277a5d3883c97209504</Hash> <Hash fi
Nov 1, 2024 11:27:00.572184086 CET	1236	IN	Data Raw: 0a 20 20 20 20 3c 48 61 73 68 20 66 69 6c 65 3d 22 44 61 74 61 5c 6c 61 6e 67 75 61 67 65 5c 45 6e 67 6c 69 73 68 5c 68 65 6c 70 2e 65 6e 63 22 3e 61 65 37 30 63 63 35 39 65 61 31 35 36 62 61 31 31 38 30 34 35 32 66 32 65 64 62 61 65 33 63 64 3c Data Ascii: <Hash file="Data\language\English\help.enc">ae70cc59ea156ba1180452f2edbae3cd</Hash> <Hash file="Data\language\English\keymap_msg.enc">b7cb9c53ed90f1da4477b08fd15025a5</Hash> <Hash file="Data\language\English\klog.enc">3d797cd702
Nov 1, 2024 11:27:00.572195053 CET	1236	IN	Data Raw: 66 39 31 36 30 62 63 39 35 34 64 66 62 62 64 32 31 33 30 35 34 63 31 3c 2f 48 61 73 68 3e 0d 0a 20 20 20 20 3c 48 61 73 68 20 66 69 6c 65 3d 22 44 61 74 61 5c 6c 61 6e 67 75 61 67 65 5c 45 6e 67 6c 69 73 68 5c 66 6f 6e 74 5c 30 31 72 2e 65 62 73 Data Ascii: f9160bc954dfbbd213054c1</Hash> <Hash file="Data\language\English\font\01r.ebs">7cb0bc2cc5d13565ec02bc82bd96d031</Hash> <Hash file="Data\language\English\font\02.ebs">d5f72f6dd116df544b9c9e25c5f69e04</Hash> <Hash file="Data\langu
Nov 1, 2024 11:27:00.572206974 CET	848	IN	Data Raw: 20 20 20 3c 48 61 73 68 20 66 69 6c 65 3d 22 44 61 74 61 5c 6c 61 6e 67 75 61 67 65 5c 45 6e 67 6c 69 73 68 5c 66 6f 6e 74 5c 30 38 2e 65 62 73 22 3e 39 62 32 30 32 64 39 39 65 66 66 62 30 62 36 64 39 66 30 61 30 35 63 33 66 30 63 37 34 31 39 32 Data Ascii: <Hash file="Data\language\English\font\08.ebs">9b202d99effb0b6d9f0a05c3f0c74192</Hash> <Hash file="Data\language\English\font\08r.ebs">1ea3d34457da16dfbe129c215a66c300</Hash> <Hash file="Data\language\English\font\09.ebs">798f131c
Nov 1, 2024 11:27:00.572283030 CET	1236	IN	Data Raw: 61 74 61 5c 6c 61 6e 67 75 61 67 65 5c 45 6e 67 6c 69 73 68 5c 66 6f 6e 74 5c 31 32 72 2e 65 62 73 22 3e 66 62 33 64 38 31 61 63 61 64 32 38 65 66 37 62 66 63 35 64 62 66 61 35 33 31 34 32 30 65 36 31 3c 2f 48 61 73 68 3e 0d 0a 20 20 20 20 3c 48 Data Ascii: ata\language\English\font\12r.ebs">fb3d81acad28ef7bfc5dbfa531420e61</Hash> <Hash file="Data\language\English\font\13.ebs">3066f061bcd38e8908d261c3cea05a8c</Hash> <Hash file="Data\language\English\font\13r.ebs">997063f43a8432bdb176763
Nov 1, 2024 11:27:00.572295904 CET	1236	IN	Data Raw: 22 3e 32 32 62 64 30 66 65 36 38 34 31 31 32 31 37 61 62 30 34 66 31 31 62 64 65 62 37 64 39 33 36 38 3c 2f 48 61 73 68 3e 0d 0a 20 20 20 20 3c 48 61 73 68 20 66 69 6c 65 3d 22 44 61 74 61 5c 6c 61 6e 67 75 61 67 65 5c 45 6e 67 6c 69 73 68 5c 66 Data Ascii: ">22bd0fe68411217ab04f11bdeb7d9368</Hash> <Hash file="Data\language\English\font\a00r.ebs">fd59ea6d4e84864d3f1d869aa0ef167b</Hash> <Hash file="Data\language\English\font\a01.ebs">c77b2aa1846c647aaaf45f39a8d371bb</Hash> <Hash fil
Nov 1, 2024 11:27:00.577455997 CET	1236	IN	Data Raw: 64 30 39 36 30 35 62 36 32 31 37 33 36 39 3c 2f 48 61 73 68 3e 0d 0a 20 20 20 20 3c 48 61 73 68 20 66 69 6c 65 3d 22 44 61 74 61 5c 6c 61 6e 67 75 61 67 65 5c 45 6e 67 6c 69 73 68 5c 66 6f 6e 74 5c 61 30 37 2e 65 62 73 22 3e 35 30 38 62 36 33 63 Data Ascii: d09605b6217369</Hash> <Hash file="Data\language\English\font\a07.ebs">508b63c980bfbcf44ffd3dfab4ef9e9a</Hash> <Hash file="Data\language\English\font\a07r.ebs">8250cfd8f5c2fff051dbf9ca61fa964b</Hash> <Hash file="Data\language\Eng
Nov 1, 2024 11:27:01.046704054 CET	62	OUT	GET /update/client/cabal.exe HTTP/1.1 Host: 217.15.164.94
Nov 1, 2024 11:27:01.380247116 CET	1236	IN	HTTP/1.1 200 OK Date: Fri, 01 Nov 2024 10:27:01 GMT Server: Apache/2.4.62 (Debian) Last-Modified: Mon, 21 Oct 2024 10:59:32 GMT ETag: "19200-624fa8c262d00" Accept-Ranges: bytes Content-Length: 102912 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 14 34 16 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 3c 01 00 00 54 00 00 00 00 00 00 5e 5a 01 00 00 20 00 00 00 60 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 01 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 0c 5a 01 00 4f 00 00 00 00 60 01 00 d4 51 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 01 00 0c 00 00 00 d4 58 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL4g0<T^Z `@ `ZO`QX H.textd: < `.rsrcQ`R>@@.reloc@B@ZHx<K$0E(((so(&~(os\|z* >Fo ts\|z0\(!,Ns"s#o$o%s&+Xrp('o(&Xi2orpJrps)(Js%oo+&(,.r)p0s!}s-}(.r=p(/}(0({{o1s2}{

Target ID:	0
Start time:	06:26:55
Start date:	01/11/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe"
Imagebase:	0x910000
File size:	7'486'464 bytes
MD5 hash:	250D2A344E15B3C55FD1D59AFCF0B1DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	14.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	5
Total number of Limit Nodes:	0

Executed Functions

Function 0329D390 Relevance: 1.7, Instructions: 1677COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3292457653.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04348fea4472c1164eeab5462fee0a5fb671c14743d0fc7e9fca2f6d4ad65f80
Instruction ID: a1e5d8fe3db45dfa89b17576815cfa05ba248d2addbb9b7931471e5fbbf7f660
Opcode Fuzzy Hash: 04348fea4472c1164eeab5462fee0a5fb671c14743d0fc7e9fca2f6d4ad65f80
Instruction Fuzzy Hash: 13E25A74720602CFDB24DF38C894A6AB7F6BF49304B1549A9E446CB3A1DB35EC85CB60

Function 032906B4 Relevance: 1.5, APIs: 1, Instructions: 44
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DnsFlushResolverCache.DNSAPI ref: 03290F24

Memory Dump Source

Source File: 00000000.00000002.3292457653.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3290000_SecuriteInfo.jbxd

Similarity

API ID: CacheFlushResolver
String ID:
API String ID: 3435657375-0
Opcode ID: 11f8b65c9cba0e4dde4598ca57e18d709bbecff233d1c91cc48ccf7157d76656
Instruction ID: bcbd665cf1ad52c02759fc610735852136085db9934e488bc4f03f5c4b6010d1
Opcode Fuzzy Hash: 11f8b65c9cba0e4dde4598ca57e18d709bbecff233d1c91cc48ccf7157d76656
Instruction Fuzzy Hash: D91130B18007098FDB20DF9AC544B9EBBF4EB09324F20841AD919A3240C379A980CFE0

Function 03290EC0 Relevance: 1.5, APIs: 1, Instructions: 42
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DnsFlushResolverCache.DNSAPI ref: 03290F24

Memory Dump Source

Source File: 00000000.00000002.3292457653.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3290000_SecuriteInfo.jbxd

Similarity

API ID: CacheFlushResolver
String ID:
API String ID: 3435657375-0
Opcode ID: 9c93958bb7d5751d319b6c700fe867e8b339893ae1b2b9e4887464c1faa0488a
Instruction ID: c4d649126104b1058832127893df893788bbf445413b543439222ca4504b191c
Opcode Fuzzy Hash: 9c93958bb7d5751d319b6c700fe867e8b339893ae1b2b9e4887464c1faa0488a
Instruction Fuzzy Hash: 021142B48002498FCB10DF99D484BEEBFF4EB49310F20840AD528A3350C738A980CFA0

Function 0191E11C Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3292145795.000000000191D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0191D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_191d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed1e0b646b1883b13b8dabee6dff97b2a1ae91b779c26330a542d812cc898c3e
Instruction ID: 73c3f7610130358668a3a2961e8e864e6ab83071e94b019d5b615b4fd3d80726
Opcode Fuzzy Hash: ed1e0b646b1883b13b8dabee6dff97b2a1ae91b779c26330a542d812cc898c3e
Instruction Fuzzy Hash: 45318F72500204EFDF179F54D9C0F567F7AFB88310F248999EE090A26AC33AD4A5DBA1

Function 0191E010 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3292145795.000000000191D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0191D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_191d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13930df76357c7111a975ffb3f9201c85938f784f3ab2d83b4e5db3321cfe997
Instruction ID: 0289734304981d62922c87e542290c03abaa87e180e5b7feff545883eaf7922c
Opcode Fuzzy Hash: 13930df76357c7111a975ffb3f9201c85938f784f3ab2d83b4e5db3321cfe997
Instruction Fuzzy Hash: C831B172504204EFDF179F54C9C0F12BF6AFB48314F2485A8EE094A26AC336D895DB61

Function 0191EAE4 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3292145795.000000000191D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0191D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_191d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6205d988aa234c7f138dfa34393233114fecd92fe9c1974b2930df72d1ad062b
Instruction ID: 55f5018c0ea039ee01e5d3083b267033d06434567ececb8c1a3fbacfd95087cd
Opcode Fuzzy Hash: 6205d988aa234c7f138dfa34393233114fecd92fe9c1974b2930df72d1ad062b
Instruction Fuzzy Hash: A031D572540208EFDF179F54D9C0F16BF6AFB88320F2485A9ED0A0A25AC336D495DB61

Function 0191E9E8 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3292145795.000000000191D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0191D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_191d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6aa2e99ccf96f7c888590f5c72d64176922cdbd1b0cedb4014bb7ab84fc3a8c
Instruction ID: 210192ab8b39266972c75f3f9646ad0980bec32b290b9f74e322c2f9dbf1e0aa
Opcode Fuzzy Hash: d6aa2e99ccf96f7c888590f5c72d64176922cdbd1b0cedb4014bb7ab84fc3a8c
Instruction Fuzzy Hash: 9521A276500204DFDF06CF54D980F26BF69FB88314F2485A9ED0D0A25AC336D496CBA1

Function 0190D06C Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3292080722.000000000190D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0190D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6d2c4d6d9522f323d0e51480349f15015e468c51a733b85220bd1d8e04d6030
Instruction ID: 9c99d6562938905929629975ddb4c174264fa4b0e5985a0493d3f56d7272f81d
Opcode Fuzzy Hash: d6d2c4d6d9522f323d0e51480349f15015e468c51a733b85220bd1d8e04d6030
Instruction Fuzzy Hash: 9121F472504244DFDB1ADFD4D9C0F26BFAAFB88314F248569E90D0A296C73AD416CBA1

Function 0191D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3292145795.000000000191D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0191D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_191d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02d80a1750c5e5492e2d9b5494fa841e4a45ef931978c420fd317e5d379e5fb7
Instruction ID: ed3312df9681ae92d5fafad3b43ed3e318c83b56d9b3a3c53daa6a43db517870
Opcode Fuzzy Hash: 02d80a1750c5e5492e2d9b5494fa841e4a45ef931978c420fd317e5d379e5fb7
Instruction Fuzzy Hash: D9212575604208DFDB15DF68D988F26BFA9FB84314F20C96DD90D0B25AC33AD487CA61

Function 0191E11B Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3292145795.000000000191D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0191D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_191d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0e0173c5fcb6d7a1eea0f35aafdcceaf2981d496a2d9e9655c0adac54130d36
Instruction ID: 7cee481b00f565e2bd9e95f7daccee0cf3216557eb1173f6e1c8e0683ac51b54
Opcode Fuzzy Hash: e0e0173c5fcb6d7a1eea0f35aafdcceaf2981d496a2d9e9655c0adac54130d36
Instruction Fuzzy Hash: 93217C72400244EFDF178F44D9C0B55BF76FB48310F248599EE080A22AC337D4A6DB91

Function 0191EADF Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3292145795.000000000191D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0191D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_191d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd3f4ac0631ff22dd56ccf4d2f47cf00efda065eea4add5a65fc2f6b0320be09
Instruction ID: 939022cdc1ddca8950aa37db4d997c618f5334cb42a44f6fcb9a77f9821dda47
Opcode Fuzzy Hash: fd3f4ac0631ff22dd56ccf4d2f47cf00efda065eea4add5a65fc2f6b0320be09
Instruction Fuzzy Hash: 8F219D76404244DFDF178F44C9C0B56BF72FB88314F2482A9ED090A26BC336D4A6DBA1

Function 0191D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3292145795.000000000191D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0191D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_191d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2827387dc1e470d8d9975cf56d2fc76ad361adfa7b5de47bce42b4d91147302
Instruction ID: a355543d45e5599eeffb0ae801a88e67d87e13a440cf4dd5af20e6b1054c7b43
Opcode Fuzzy Hash: b2827387dc1e470d8d9975cf56d2fc76ad361adfa7b5de47bce42b4d91147302
Instruction Fuzzy Hash: 3B219F755093848FDB03CF24D994715BFB1EB46214F28C5EAD8498F2A7C33A984ACB62

Function 0191E00F Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3292145795.000000000191D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0191D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_191d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93416eaaf00bd0702c0b6fa44dd235a672ddfc8f4c0a9635f156f1dbe54bd484
Instruction ID: 3d831dbe1de4b89405b9fd276834a87e76e28f1660764e60b6e433772c2e75b7
Opcode Fuzzy Hash: 93416eaaf00bd0702c0b6fa44dd235a672ddfc8f4c0a9635f156f1dbe54bd484
Instruction Fuzzy Hash: BF218976404244EFCF16CF54CAC4B12BF62FB48314F24C6A8EE090A26AC337D8A6DB51

Function 0191E9E3 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3292145795.000000000191D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0191D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_191d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac706478ed8e0b975fac9fbf98c0c10b3f55379ed33725949e2df8455e538a30
Instruction ID: 5967df773957334d48f0f641a1d15348745001d6579c73e8f6d47ecda5fd783c
Opcode Fuzzy Hash: ac706478ed8e0b975fac9fbf98c0c10b3f55379ed33725949e2df8455e538a30
Instruction Fuzzy Hash: D021A976400244DFCF02CF54D9C4B56BF62FB88314F28C6A9ED080A25AC336D466DB91

Function 0190D067 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3292080722.000000000190D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0190D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4df52cb15700b59c5b6b401fa95ea1d4e97f6e18881beb99e30f99f1fcf6035
Instruction ID: 9911d5c1883276bcd518b7ffbd17f87d75ed0cf6c8c38b3d5b764df2ae47ec87
Opcode Fuzzy Hash: b4df52cb15700b59c5b6b401fa95ea1d4e97f6e18881beb99e30f99f1fcf6035
Instruction Fuzzy Hash: 5E21D276404280DFDB07CF84D9C4B16BFB2FB88314F24C6A9D9480B256C33AD426CB91

Function 0190DA1D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3292080722.000000000190D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0190D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d355476485afd12ebd1d5e093e74428cffd52ebdeac93c6a418e40284b51da6
Instruction ID: 0e69e3d0bb4f774a287e11c298277e282dd0073ed1360f7dbb8050ef5566cf03
Opcode Fuzzy Hash: 0d355476485afd12ebd1d5e093e74428cffd52ebdeac93c6a418e40284b51da6
Instruction Fuzzy Hash: 3D01F7714093009EE7228AD9CC84B66BFDCEF46321F18C829ED0C0B2C6C2389980C6B1

Function 0190D85B Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3292080722.000000000190D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0190D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d172384ae7cc98de30e7509c869d75dfc37732d3a039c73cbb9122e2f1399b5
Instruction ID: 0e42255f931592802dcabed825e4721f3df022e4f70a93dd5397b27737fa618a
Opcode Fuzzy Hash: 8d172384ae7cc98de30e7509c869d75dfc37732d3a039c73cbb9122e2f1399b5
Instruction Fuzzy Hash: A701DA76100A00AFD7619F4AC944C23FBFAFF88720355895DE94A4BA61C772F851DF60

Function 0190D84C Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3292080722.000000000190D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0190D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11230be8ab20e56d5f2f5076d474af926c19fb6ab943879543b552eeb2a1b528
Instruction ID: fb6825683b75bd1635758d0a0deff3e931df0001329ba3d641014ae7053c3fac
Opcode Fuzzy Hash: 11230be8ab20e56d5f2f5076d474af926c19fb6ab943879543b552eeb2a1b528
Instruction Fuzzy Hash: 42010036104740AFD7228F55C940C62BFFAFF89620715888DE98A4BA62C231F812DF60

Function 0190DA1C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3292080722.000000000190D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0190D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bda49ac766369c9cf75c63de144447fd175bcb392b0e49c23b83eb47ed114d1b
Instruction ID: 18cd2fc41560b0d12d5ca01633c4ad1f281c0c6a24c3e83bf44e811caf8575d0
Opcode Fuzzy Hash: bda49ac766369c9cf75c63de144447fd175bcb392b0e49c23b83eb47ed114d1b
Instruction Fuzzy Hash: B8F0C272008344AEE7218A4ACC84B62FFDCEF42325F18C45AED4C0B2C6C2799880CAB0

Function 0EC30FCF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3305150996.000000000EC30000.00000010.00000800.00020000.00000000.sdmp, Offset: 0EC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec30000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction ID: 4309248d1abd4d77f5161bf29fec903887e1a39d4926ffccfe2798276aa67707
Opcode Fuzzy Hash: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction Fuzzy Hash:

Function 0EC30FD7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3305150996.000000000EC30000.00000010.00000800.00020000.00000000.sdmp, Offset: 0EC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec30000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction ID: 4309248d1abd4d77f5161bf29fec903887e1a39d4926ffccfe2798276aa67707
Opcode Fuzzy Hash: 57ac055f077beea20eb1848ebeeb1978f180cdc0d061263d96475911880e5786
Instruction Fuzzy Hash:

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\down[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\errorPageStrings[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\ErrorPageTemplate[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\bullet[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\background_gradient[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\httpErrorPagesScripts[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\http_404_webOC[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\info_48[1]

C:\Users\user\AppData\Local\Temp\resources.xml

C:\Users\user\Desktop\cabal.exe

C:\Users\user\Desktop\main.dat

C:\Users\user\Desktop\mainEX.dat

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Windows Analysis Report
SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe

Function 032906B4 Relevance: 1.5, APIs: 1, Instructions: 44
networkCOMMON

Function 03290EC0 Relevance: 1.5, APIs: 1, Instructions: 42
networkCOMMON