Windows Analysis Report
SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe
Analysis ID: 1417153
MD5: 30e4f51325061eadeea3ea7fab74f49f
SHA1: fcc4803fea93cd89b0ea8087182f5ea2cdce0310
SHA256: b7c8d99f15c3f0bd9bf9fe76a0965f226b2cbd74700404f0d351b867f81bbb18
Tags: exe

Detection

Score: 36
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Snort IDS alert for network traffic
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Static PE information: certificate valid
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: F:\Jenkins\WorkSpace\workspace\Common_Downloader\Branches\InstallWithoutUninstall\release\Setup.pdb source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3843736405.0000000000401000.00000040.00000001.01000000.00000003.sdmp
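The "Static PE information" lines above summarise bits from the COFF file header (EXECUTABLE_IMAGE, 32BIT_MACHINE) and from the optional header's DllCharacteristics field (DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE), plus the result of an Authenticode check. The following added example (not code from the report or from the sample's vendor) decodes those bits with the standard library and reports whether a certificate table is attached to the image. It builds a minimal PE32 header in memory as test input, so nothing here touches the real sample. A present certificate table is not the same as the report's "certificate valid": that needs a chain and signature check, for example `signtool verify /pa /v <file>` or PowerShell `Get-AuthenticodeSignature`, and the signer name should be compared with the vendor the embedded URLs and the Jenkins PDB path point to.

```python
"""Decode the PE header bits behind the report's 'Static PE information' lines.

Added example, not from the sandbox report or the vendor's code. Standard
library only; the PE32 image below is built in memory to exercise the parser
and is NOT the analysed sample (its hashes are in the report header).
"""
import struct

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h)
FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (winnt.h)
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
MACHINES = {0x014C: "I386", 0x8664: "AMD64", 0xAA64: "ARM64"}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # Authenticode certificate table


def _flag_names(value: int, table: dict) -> list:
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_flags(data: bytes) -> dict:
    """Return machine, header flags and whether a certificate table is attached."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    if opt_size == 0:
        raise ValueError("no optional header (object file?)")
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:          # PE32
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:        # PE32+
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    (ndirs,) = struct.unpack_from("<I", data, opt + ndirs_off)
    cert_off = cert_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # For this directory the first field is a FILE offset, not an RVA:
        # the WIN_CERTIFICATE blob is appended outside any section.
        cert_off, cert_size = struct.unpack_from(
            "<II", data, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {
        "machine": MACHINES.get(machine, "0x%04X" % machine),
        "pe32plus": magic == 0x20B,
        "characteristics": _flag_names(chars, FILE_CHARACTERISTICS),
        "dll_characteristics": _flag_names(dll_chars, DLL_CHARACTERISTICS),
        "has_certificate_table": cert_off != 0 and cert_size != 0,
    }


def build_sample_pe32(characteristics: int, dll_chars: int, with_cert: bool) -> bytes:
    """Constructed minimal PE32 header (no sections) for exercising the parser."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt = bytearray(96 + 16 * 8)                 # PE32 optional header + 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)        # Magic: PE32
    struct.pack_into("<I", opt, 28, 0x00400000)  # ImageBase
    struct.pack_into("<H", opt, 68, 2)           # Subsystem: WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 92, 16)          # NumberOfRvaAndSizes
    if with_cert:
        # Point the security directory at a (fictional) appended certificate blob.
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x1800)
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, len(opt), characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    flags = parse_pe_flags(build_sample_pe32(0x0002 | 0x0100, 0x0040 | 0x0100 | 0x8000, True))
    print(", ".join(flags["characteristics"]), "|", ", ".join(flags["dll_characteristics"]),
          "| certificate table:", flags["has_certificate_table"])
```

Run against a real file with `parse_pe_flags(open(path, "rb").read())`; the two flag lists come back in the same order the sandbox prints them, which makes diffing against the report straightforward.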

Networking

Source: Traffic Snort IDS: 2043421 ET MALWARE Tensorshare Google Analytics Checkin 192.168.2.8:49714 -> 172.253.63.101:80
Source: Joe Sandbox View IP Address: 208.95.112.1 208.95.112.1
Source: unknown DNS query: name: ip-api.com
Source: global traffic HTTP traffic detected:
GET /csv HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; MyIE2; .NET CLR 1.1.4322)
Host: ip-api.com
Cache-Control: no-cache
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: 0_2_00462620 libssh2_scp_recv,libssh2_session_last_errno, 0_2_00462620
Source: unknown DNS traffic detected: queries for: www.tenorshare.com
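The ip-api.com request above trips several of the report's signatures at once: an external IP lookup, a browser-style user agent sent by a process that is not a browser, and a user agent that claims MSIE 6.0 on Windows NT 5.0 (Windows 2000) while the Accept-Language is zh-cn. The added example below (not code from the report or from the vendor) parses a raw request and raises those findings; the request bytes are reconstructed from the line above with CRLFs restored, and the process name "Setup.exe" and the "en-us" system locale are assumptions. ip-api.com is a public geolocation API that legitimate installers also use to pick a regional download, so a hit on it alone is weak evidence; it is the combination that the sandbox scores.

```python
"""Triage an HTTP request the way the report's networking signatures do.

Added example, not from the report or the vendor. SAMPLE_REQUEST is
constructed from the ip-api.com request shown in the report; the process
image name and the system locale passed to triage_request are assumptions.
"""

# Public IP / geolocation services commonly queried to learn the external address.
IP_LOOKUP_HOSTS = {"ip-api.com", "api.ipify.org", "ifconfig.me", "icanhazip.com", "ipinfo.io"}
ANALYTICS_HOSTS = {"www.google-analytics.com", "google-analytics.com"}
BROWSER_IMAGES = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
# UA tokens no current browser sends (MSIE 6/7, Windows 2000/XP).
OBSOLETE_UA_TOKENS = ("MSIE 6.0", "MSIE 7.0", "Windows NT 5.0", "Windows NT 5.1")


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request head into request line and lower-cased headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def triage_request(process_image: str, raw: bytes, system_locale: str = "en-us") -> list:
    """Return the findings a sandbox would raise for this request (empty = nothing odd)."""
    req = parse_request(raw)
    h = req["headers"]
    host = h.get("host", "").lower().split(":")[0]
    ua = h.get("user-agent", "")
    findings = []
    if host in IP_LOOKUP_HOSTS:
        findings.append(f"external IP lookup: {req['method']} {host}{req['target']}")
    if host in ANALYTICS_HOSTS and "collect" in req["target"]:
        findings.append(f"analytics beacon to {host}")
    if ua.startswith("Mozilla/") and process_image.lower() not in BROWSER_IMAGES:
        findings.append(f"browser user agent sent by non-browser process {process_image}")
    obsolete = [t for t in OBSOLETE_UA_TOKENS if t in ua]
    if obsolete:
        findings.append("user agent claims obsolete platform: " + ", ".join(obsolete))
    lang = h.get("accept-language", "").lower().split(",")[0].strip()
    if lang and lang != system_locale.lower():
        findings.append(f"accept-language {lang!r} does not match system locale {system_locale!r}")
    return findings


# Constructed from the request in the report (CRLF line endings restored).
SAMPLE_REQUEST = (
    b"GET /csv HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Accept-Language: zh-cn\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; MyIE2; .NET CLR 1.1.4322)\r\n"
    b"Host: ip-api.com\r\n"
    b"Cache-Control: no-cache\r\n\r\n"
)
# Constructed benign control: a current browser talking to an ordinary site.
CONTROL_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Accept-Language: en-US,en;q=0.9\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/122.0 Safari/537.36\r\n\r\n"
)

if __name__ == "__main__":
    for finding in triage_request("Setup.exe", SAMPLE_REQUEST):
        print("-", finding)
```

The process name is what separates a real browser from a downloader borrowing a browser string, so feed `triage_request` the image name from the sandbox's process tree or from a proxy log that records it; without that field the user-agent rule can only fall back on the obsolete-token check.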
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3843736405.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://curl.haxx.se/docs/http-cookies.html
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe String found in binary or memory: http://curl.haxx.se/docs/http-cookies.html#
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3848257048.00000000024B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dl.tenorshare.n
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe String found in binary or memory: http://dl.tenorshare.net/AnyDataRecovery_any_x64.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe String found in binary or memory: http://dl.tenorshare.net/AnyDataRecovery_net_x64.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe String found in binary or memory: http://dl.tenorshare.net/AnyDataRecovery_ts_x64.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3846869320.000000000085E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000003.1396789765.0000000000891000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000003.1396789765.0000000000889000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dl.tenorshare.net/reibootforios_ts.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3846869320.000000000085E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000003.1405751267.00000000008CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dl.tenorshare.net/reibootforios_ts.exeP%
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe String found in binary or memory: http://download.wondershare.com/cbs_down/drfone_recover_full3366.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3843736405.0000000000401000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3850896194.000000000509C000.00000004.00000010.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3850954039.000000000587A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3849971543.00000000033E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/csv
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3849971543.00000000033E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/csvm.
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3843736405.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://update.tenorshare.cn/download/checkCross?cross_end_id=%s
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3843736405.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://update.tenorshare.com/queryDownloader?LanguageId=%d&SoftWareID=%d&SiteID=%d%s
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3843736405.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://update.tenorshare.com/queryDownloader?LanguageId=%d&SoftWareID=%d&SiteID=%d%s&package_type=2h
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3843736405.0000000000401000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3850954039.000000000587A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3849971543.000000000352B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.google-analytics.com/collect
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3843736405.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.google-analytics.com/collect&av=&an=&el=&ea=&t=event&ec=&cid=v=1&tid=
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3849971543.000000000352B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.google-analytics.com/collectB45F69C
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3843736405.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.openssl.org/support/faq.html
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3846869320.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3843736405.0000000000401000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3848863163.0000000002545000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.tenorshare.com/downloads/service/softwarelog.txt
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3846869320.00000000008E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.tenorshare.com/downloads/service/softwarelog.txtC
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3843736405.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.tenorshare.com/downloads/service/softwarelog.txthttp://ip-api.com/csvsuccess/QueryTools?L
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3843736405.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://analytics-test.afirstsoft.cn/collector
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3843736405.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://analytics-test.afirstsoft.cn/collectorurl:mac
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3843736405.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://analytics.afirstsoft.cn/collect
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3843736405.0000000000401000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3849971543.0000000003352000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://check.mobie.app
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe String found in binary or memory: https://download.any-data-recovery.com/downloads/extra/AnyDataRecovery_any_x64.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe String found in binary or memory: https://download.tenorshare.com/downloads/extra/AnyDataRecovery_ts_x64.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3848257048.00000000024B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://download.tenorshare.com/downloads/extra/reibootforio
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3846869320.000000000085E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3846869320.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000003.1396789765.0000000000891000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000003.1396789765.0000000000889000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3850954039.000000000587A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://download.tenorshare.com/downloads/extra/reibootforios_ts.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3846869320.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000003.1406924807.00000000008E6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000003.1405678764.00000000008E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://download.tenorshare.com/downloads/extra/reibootforios_ts.exe-U
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3846869320.00000000008E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://download.tenorshare.com/downloads/extra/reibootforios_ts.exe1000
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3850954039.000000000587A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://download.tenorshare.com/downloads/extra/reibootforios_ts.exea1
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3850954039.000000000587A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://download.tenorshare.com/downloads/extra/reibootforios_ts.exext
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3850954039.000000000587A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://download.tenorshare.com/downloads/extra/reibootforios_ts.exext=
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3850954039.0000000005790000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://download.tenorshare.com/downloads/extra/reibootforios_ts_64.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3850954039.0000000005790000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://download.tenorshare.com/downloads/extra/reibootforios_ts_64.exeN
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3848257048.00000000024B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://download.tenorshare.com/downloads/extra/reibootforiots0
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe String found in binary or memory: https://download.tenorshare.net/downloads/extra/AnyDataRecovery_net_x64.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3843736405.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://integrated.tenorshare.com/api/v1/ticket/feedback
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3843736405.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://integrated.tenorshare.com/api/v1/ticket/feedback&subject=&version=&log_id=&content=&useremai
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3843736405.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://product-alert.afirstsoft.cn/api/exception/send
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3843736405.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://product-alert.afirstsoft.cn/api/exception/sendpid=%d&type=2&exception_code=Hash_Check_Fail_C
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3843736405.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://update.tenorshare.cn/download/checkCross?cross_end_id=%s
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3843736405.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://update.tenorshare.cn/queryDownloader?LanguageId=%d&SoftWareID=%d&SiteID=%d%s
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3843736405.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://update.tenorshare.com/download/checkCross?cross_end_id=%s
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3843736405.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://update.tenorshare.com/queryDownloader?LanguageId=%d&SoftWareID=%d&SiteID=%d%s
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3843736405.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://update.tenorshare.com/queryDownloader?LanguageId=1033&SoftWareID=%d&SiteID=1%s
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3846869320.00000000008E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://update.tenorshare.com/queryDownloader?LanguageId=1033&SoftWareID=141&SiteID=1&package_type=2
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3843736405.0000000000401000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3849971543.000000000352B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com/g/collect
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3850954039.000000000587A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com/g/collect?v=2&_ss=1&_c=1&sid=1677653616&cid=
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3850954039.000000000587A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com/g/collect?v=2&_ss=1&_c=1&sid=1677653616&cid=7FF20A0FECF4BB45F69C
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3850954039.0000000005790000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com/g/collect?v=2&_ss=1&_c=1&sid=1677653616&cid=7FF20A0FECF4BB45F69C&ti
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3843736405.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.google-analytics.com/g/collect?v=2&_ss=1&_c=1&sid=1677653616&cid=SoftDataReport
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3849971543.000000000352B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com/g/collectd.te
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3849971543.00000000033E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.tenorshare.com/:
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3849971543.00000000033E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.tenorshare.com/J
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3846869320.000000000085E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3849971543.000000000343A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.tenorshare.com/downloads/service/softwarelog.txt
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3846869320.000000000085E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.tenorshare.com/downloads/service/softwarelog.txt=
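Many of the strings above are one URL reported several times with a few bytes of neighbouring memory appended (`...exe1000`, `...exeP%`, `/csvm.`, `ocsp.digicert.com0A`, where the `0` is the 0x30 SEQUENCE tag that follows an AIA or CRL URL inside the DER-encoded certificate) or cut short (`reibootforio`, `dl.tenorshare.n`). The added example below (not code from the report or from the vendor) extracts URLs from a memory blob, trims junk off the top-level domain, folds junk-suffix variants into the shortest clean URL and flags likely truncations, which is what turning this list into indicators requires. FAKE_MEMORY is a constructed blob that imitates the listed strings; it is not the sample's memory.

```python
"""Turn 'String found in binary or memory' URLs into a clean indicator list.

Added example, not from the report or the vendor. FAKE_MEMORY is a
constructed byte blob imitating the strings listed above (including the
junk suffixes and truncations a memory scan produces); it is not the
sample's memory.
"""
import re
from urllib.parse import urlsplit

# Tempered pattern: stop at the next scheme so two adjacent strings in memory
# ("...softwarelog.txthttp://ip-api.com/csv") do not fuse into one URL.
URL_RE = re.compile(rb"https?://(?:(?!https?://)[^\s\x00\"'<>])+", re.IGNORECASE)

FAKE_MEMORY = b"\x00".join([
    b"http://ip-api.com/csv",
    b"http://ip-api.com/csvm.",                 # trailing bytes of the next string
    b"http://ocsp.digicert.com0A",              # '0' is the ASN.1 SEQUENCE tag (0x30)
    b"http://ocsp.digicert.com0",               # that follows every AIA URL in a cert
    b"https://download.tenorshare.com/downloads/extra/reibootforios_ts.exe",
    b"https://download.tenorshare.com/downloads/extra/reibootforios_ts.exe1000",
    b"https://download.tenorshare.com/downloads/extra/reibootforios_ts.exe-U",
    b"https://download.tenorshare.com/downloads/extra/reibootforios_ts_64.exe",
    b"https://download.tenorshare.com/downloads/extra/reibootforio",   # cut short
    b"http://dl.tenorshare.n",                                        # cut inside host
    b"http://www.tenorshare.com/downloads/service/softwarelog.txthttp://ip-api.com/csv",
])


def extract_candidates(blob: bytes) -> list:
    return [m.group(0).decode("latin-1") for m in URL_RE.finditer(blob)]


def normalize(raw: str):
    """Lower-case scheme/host, trim non-letter junk off the TLD, drop broken hosts."""
    try:
        parts = urlsplit(raw)
    except ValueError:
        return None
    labels = (parts.hostname or "").split(".")      # hostname is already lower-cased
    if len(labels) < 2:
        return None
    tld = re.match(r"[a-z]{2,}", labels[-1])         # "com0a" -> "com"; "n" -> no match
    if not tld:
        return None
    labels[-1] = tld.group(0)
    if not all(re.fullmatch(r"[a-z0-9-]+", lbl) for lbl in labels):
        return None
    url = f"{parts.scheme.lower()}://{'.'.join(labels)}{parts.path}"
    return url + ("?" + parts.query if parts.query else "")


def _is_junk_suffix(extra: str) -> bool:
    # Memory junk never introduces a new path segment or a file extension.
    return "/" not in extra and not re.search(r"\.[a-z]{2,}", extra, re.IGNORECASE)


def collapse(urls) -> list:
    """Fold variants that only extend a shorter URL with junk bytes."""
    kept = []
    for u in sorted(set(urls), key=len):
        if any(u.startswith(k) and _is_junk_suffix(u[len(k):]) for k in kept):
            continue
        kept.append(u)
    return sorted(kept)


def truncated(urls) -> list:
    """URLs that are a strict prefix of another kept URL: likely cut-off strings."""
    return sorted(u for u in urls if any(v != u and v.startswith(u) for v in urls))


def iocs_from_memory(blob: bytes) -> dict:
    urls = collapse(filter(None, map(normalize, extract_candidates(blob))))
    return {
        "urls": urls,
        "hosts": sorted({urlsplit(u).hostname for u in urls}),
        "possibly_truncated": truncated(urls),
    }


if __name__ == "__main__":
    for key, values in iocs_from_memory(FAKE_MEMORY).items():
        print(key)
        for value in values:
            print("  ", value)
```

Feed it a process memory dump or the `strings` output of the sample instead of FAKE_MEMORY; the hosts list is the part worth blocking or hunting on, and the `possibly_truncated` entries should be checked by hand before they go into any feed.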
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: 0_2_00474DE0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState, 0_2_00474DE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: 0_2_005094D4 0_2_005094D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: 0_2_005097B0 0_2_005097B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: 0_2_004F5FB8 0_2_004F5FB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: 0_2_004FE025 0_2_004FE025
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: 0_2_0053C150 0_2_0053C150
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: 0_2_005E21E0 0_2_005E21E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: 0_2_005F05F0 0_2_005F05F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: 0_2_004FC7D0 0_2_004FC7D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: 0_2_00466820 0_2_00466820
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: 0_2_00506AA3 0_2_00506AA3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: 0_2_00432B50 0_2_00432B50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: 0_2_005FCCF0 0_2_005FCCF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: 0_2_0050504E 0_2_0050504E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: 0_2_005E301A 0_2_005E301A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: 0_2_006090CD 0_2_006090CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: 0_2_004FB3DA 0_2_004FB3DA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: 0_2_004F145C 0_2_004F145C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: 0_2_005E97DB 0_2_005E97DB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: 0_2_00463870 0_2_00463870
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: 0_2_00467920 0_2_00467920
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: 0_2_005E9A0A 0_2_005E9A0A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: 0_2_005E9C39 0_2_005E9C39
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: 0_2_004FBDCB 0_2_004FBDCB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: 0_2_004F9E9E 0_2_004F9E9E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: String function: 005CAC20 appears 36 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: String function: 0052A7A0 appears 40 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: String function: 005F7169 appears 55 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: String function: 0048BF00 appears 38 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: String function: 005CA540 appears 72 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: String function: 00465C70 appears 224 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: String function: 00555D20 appears 47 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: String function: 0053A000 appears 36 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: String function: 00485D60 appears 35 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: String function: 004A8EC0 appears 66 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: sensapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: firewallapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: fwbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: msftedit.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: windows.globalization.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: bcp47mrm.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: globinputhost.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: dlnashext.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: wpdshext.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: classification engine Classification label: sus36.winEXE@1/1@3/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: 0_2_00502C49 FindResourceW,LoadResource,FreeResource,SizeofResource,LockResource,FreeResource, 0_2_00502C49
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Mutant created: \Sessions\1\BaseNamedObjects\AFS_Downloader_141
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe File created: C:\Users\user\AppData\Local\Temp\reibootforios_ts
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe String found in binary or memory: id-cmc-addExtensions
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe String found in binary or memory: set-addPolicy
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe String found in binary or memory: Unable to complete request for channel-process-startup
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe String found in binary or memory: /AddUserLog?USER_ID=
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe String found in binary or memory: /AddRegLog?USER_ID=
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{304CE942-6E39-40D8-943A-B913C40C9CD4}\InprocServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe File opened: C:\Windows\SysWOW64\msftedit.dll
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Static file information: File size 1932560 > 1048576
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x1b5200
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: F:\Jenkins\WorkSpace\workspace\Common_Downloader\Branches\InstallWithoutUninstall\release\Setup.pdb source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3843736405.0000000000401000.00000040.00000001.01000000.00000003.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: 0_2_004D61F0 LoadLibraryW,GetProcAddress,GetSystemInfo,GetVersionExW,GetSystemMetrics,GetSystemMetrics, 0_2_004D61F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: 0_2_005CAC66 push ecx; ret 0_2_005CAC79
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: 0_2_0045DDB0 push ecx; mov dword ptr [esp], ebx 0_2_0045DDB1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: 0_2_005C9F6A push ecx; ret 0_2_005C9F7D
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Window / User API: threadDelayed 5855
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Window / User API: threadDelayed 4079
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe TID: 7468 Thread sleep time: -2927500s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe TID: 7468 Thread sleep time: -2039500s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Last function: Thread delayed
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3846869320.00000000008E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
Source: SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3849971543.0000000003389000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3849971543.000000000343A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe, 00000000.00000002.3849971543.00000000033E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: 0_2_005E7470 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_005E7470
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: 0_2_005F9427 mov eax, dword ptr fs:[00000030h] 0_2_005F9427
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: 0_2_005C9B35 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_005C9B35
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: 0_2_004386C0 cpuid 0_2_004386C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00608149
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: EnumSystemLocalesW, 0_2_005FF266
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: GetLocaleInfoW, 0_2_005FF730
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_00607811
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: EnumSystemLocalesW, 0_2_00607AD4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: EnumSystemLocalesW, 0_2_00607A89
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: EnumSystemLocalesW, 0_2_00607B6F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00607F75
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: 0_2_005C8160 GetLocalTime,_swprintf_s, 0_2_005C8160
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72085429.24047.31308.exe Code function: 0_2_0045B4B0 libssh2_channel_forward_listen_ex,libssh2_session_last_errno, 0_2_0045B4B0