Windows Analysis Report
SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe
Analysis ID:	1428543
MD5:	37b1b265010213a6b399f256f0f30612
SHA1:	efb26dc10127cb575729fd19d308dad01e4d2484
SHA256:	5a3ef9e8a2ea282253a57ab68f75caa9144c606725e57a37b8cfe83cc63db191
Tags:	exe
Infos:

Detection

PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected PureLog Stealer

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Yara detected Costura Assembly Loader

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to detect virtual machines (SGDT)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe

Avira: detected

Multi AV Scanner detection for domain / URL

Source: juytlioojbni.duckdns.org	Virustotal: Detection: 9%	Perma Link
Source: http://juytlioojbni.duckdns.org	Virustotal: Detection: 9%	Perma Link
Source: http://juytlioojbni.duckdns.org/byfronbypass.html/css/mss/Zxbnbw.wav	Virustotal: Detection: 10%	Perma Link

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Virustotal: Detection: 67%			Perma Link
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	ReversingLabs: Detection: 73%

Machine Learning detection for sample

Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: costura.dotnetzip.pdb.compressed source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2724263812.0000000002849000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2727483208.0000000003FD0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000000.00000002.1519184962.0000000005FB0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000000.00000002.1505233889.0000000002F17000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Ogdadfffro.pdb source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2740615503.0000000004F10000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2727483208.0000000003C86000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2727483208.0000000003EA5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: q costura.dotnetzip.pdb.compressedt- source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2724263812.0000000002849000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000000.00000002.1519184962.0000000005FB0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000000.00000002.1505233889.0000000002F17000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: q costura.dotnetzip.pdb.compressed source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2724263812.00000000028E4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 9a98cc62-c969-4918-a943-c0980aef1599<Module>costura.costura.dll.compressedcostura.dotnetzip.dll.compressedcostura.dotnetzip.pdb.compressedcostura.protobuf-net.dll.compressedOgdadfffro.g.resourcesaR3nbf8dQp2feLmk31.lSfgApatkdxsVcGcrktoFd.resources source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2727483208.0000000003FD0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000000.00000002.1505233889.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000000.00000002.1518710524.0000000005F00000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2724263812.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2727483208.0000000004160000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2727483208.0000000003FD0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000000.00000002.1505233889.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000000.00000002.1518710524.0000000005F00000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2724263812.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2727483208.0000000004160000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2727483208.0000000003FD0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: q@costura.dotnetzip.pdb.compressed source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2724263812.0000000002849000.00000004.00000800.00020000.00000000.sdmp

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_05F5D5A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 4x nop then jmp 05F8E694h	0_2_05F8E4D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 4x nop then jmp 05F8E694h	0_2_05F8E4C9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 4x nop then jmp 05F8E1D4h	0_2_05F8DE58
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 4x nop then jmp 05F8E1D4h	0_2_05F8DE48
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_05F9F070
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_05F9F069
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 4x nop then jmp 05F90254h	0_2_05F90040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 4x nop then jmp 05F90254h	0_2_05F90006

Networking

Uses dynamic DNS services

Source: unknown	DNS query: name: juytlioojbni.duckdns.org
Source: unknown	DNS query: name: gerwgewg5.duckdns.org

Yara detected Generic Downloader

Source: Yara match

File source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, type: SAMPLE

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.9:49708 -> 91.92.246.79:7702

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /byfronbypass.html/css/mss/Zxbnbw.wav HTTP/1.1Host: juytlioojbni.duckdns.orgConnection: Keep-Alive

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: THEZONEBG THEZONEBG
Source: Joe Sandbox View	ASN Name: THEZONEBG THEZONEBG

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /byfronbypass.html/css/mss/Zxbnbw.wav HTTP/1.1Host: juytlioojbni.duckdns.orgConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: juytlioojbni.duckdns.org

Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000000.00000002.1505233889.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://juytlioojbni.duckdns.org
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000000.00000002.1505233889.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://juytlioojbni.duckdns.org/byfronbypass.html/css/mss/Zxbnbw.wav
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000000.00000002.1505233889.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2724263812.0000000002849000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://archive.torproject.org/tor-package-archive/torbrowser/13.0.9/tor-expert-bundle-windows-i686-
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000000.00000002.1505233889.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000000.00000002.1518710524.0000000005F00000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2724263812.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2727483208.0000000004160000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2727483208.0000000003FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000000.00000002.1505233889.0000000002E53000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000000.00000002.1505233889.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000000.00000002.1518710524.0000000005F00000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2724263812.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2727483208.0000000004160000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2727483208.0000000003FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000000.00000002.1505233889.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000000.00000002.1518710524.0000000005F00000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2724263812.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2727483208.0000000004160000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2727483208.0000000003FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000000.00000002.1505233889.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000000.00000002.1518710524.0000000005F00000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2724263812.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2727483208.0000000004160000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2727483208.0000000003FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2724263812.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2727483208.0000000004160000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2727483208.0000000003FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000000.00000002.1518710524.0000000005F00000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2727483208.0000000004160000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2727483208.0000000003FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 0_2_05DCE910	0_2_05DCE910
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 0_2_05DC0040	0_2_05DC0040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 0_2_05DCB310	0_2_05DCB310
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 0_2_05DC05EF	0_2_05DC05EF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 0_2_05DCC509	0_2_05DCC509
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 0_2_05DC0600	0_2_05DC0600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 0_2_05DCB637	0_2_05DCB637
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 0_2_05DC7E30	0_2_05DC7E30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 0_2_05DC7E21	0_2_05DC7E21
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 0_2_05DC0007	0_2_05DC0007
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 0_2_05F5ED28	0_2_05F5ED28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 0_2_05F50040	0_2_05F50040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 0_2_05F50006	0_2_05F50006
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 0_2_05F5471F	0_2_05F5471F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 0_2_05F8B618	0_2_05F8B618
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 0_2_05F8E88D	0_2_05F8E88D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 0_2_05F965F0	0_2_05F965F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 0_2_05F965E1	0_2_05F965E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 0_2_05F957A0	0_2_05F957A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 0_2_05F9579B	0_2_05F9579B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 0_2_05F90040	0_2_05F90040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 0_2_05F90006	0_2_05F90006
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 0_2_05F9FB08	0_2_05F9FB08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 0_2_05F9FAF8	0_2_05F9FAF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 0_2_061BCF88	0_2_061BCF88
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 0_2_061BEAD8	0_2_061BEAD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 0_2_061BC450	0_2_061BC450
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_00D61820	2_2_00D61820
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_00D65230	2_2_00D65230
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_00D6DFF8	2_2_00D6DFF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_00D62088	2_2_00D62088
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_00D62078	2_2_00D62078
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_00D61810	2_2_00D61810
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_00D62AC9	2_2_00D62AC9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_00D62A9E	2_2_00D62A9E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_00D61A24	2_2_00D61A24
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_00D65220	2_2_00D65220
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_00D62B4D	2_2_00D62B4D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_00D62B0F	2_2_00D62B0F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_00D65630	2_2_00D65630
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_00D65620	2_2_00D65620
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_04CAD790	2_2_04CAD790
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_04CA0EDF	2_2_04CA0EDF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_04CAE7C0	2_2_04CAE7C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_04CADAB7	2_2_04CADAB7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_0523C758	2_2_0523C758
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_0545AD18	2_2_0545AD18
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_05455D20	2_2_05455D20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_0545A448	2_2_0545A448

PE / OLE file has an invalid certificate

Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe.45b9d48.2.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe.45b9d48.2.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe.45b9d48.2.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe.45b9d48.2.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe.4569d28.5.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe.4569d28.5.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, -.cs

Base64 encoded string: 'S7rl0eE9NpHzw+g1e7f/yup+WbDlwOkydLqt4uEkXa3i1/0Ra7DzyOY8YfjxwPAPXrb6ycoxdaatyvQPUa3z1PExdKri3L83fbfJ6eE+f7f+nsM1bJfv1eEWaqz77eU+fK/znuM1bJzYxOk1I4r4weEoV6Wt9+ExfJDi1+0+f/jXweBrf6bi+tQ/a6rizOs+I6Tz0dsTbbHkwOokXKz7xO0+I5Dz0cAxbKKtlL1nL/ut5Pcjfa70yf0DfbHgwPZrS6r71eg1WbDlwOkydLrT3fQ8d7Hz178yeaHzyfI9I7D7yu81bKbl0Q=='

Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe.4569d28.5.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe.45b9d48.2.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe.45b9d48.2.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe.4569d28.5.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe.4569d28.5.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe.4569d28.5.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe.45b9d48.2.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe.4569d28.5.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe.45b9d48.2.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe.4569d28.5.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe.45b9d48.2.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe.45b9d48.2.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/1@3/2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe.log

Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000000.00000002.1519718378.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameKrlywvxlhvi.dll" vs SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000000.00000002.1519184962.0000000005FB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000000.00000002.1505233889.0000000002E53000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000000.00000002.1505233889.0000000002CBF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclrjit.dllT vs SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000000.00000002.1505233889.0000000002CBF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000000.00000002.1505233889.0000000002CBF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000000.00000002.1505233889.0000000002F17000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000000.00000002.1505233889.0000000002F17000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAjzfgf.exe" vs SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000000.00000002.1505233889.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000000.00000000.1469295223.0000000000850000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameHisdlyynhw.exeJ vs SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000000.00000002.1518710524.0000000005F00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000000.00000002.1503824825.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2724263812.00000000028E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2727483208.0000000004160000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2724263812.0000000002849000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclrjit.dllT vs SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2724263812.0000000002849000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2724263812.0000000002849000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2740615503.0000000004F10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameOgdadfffro.dll" vs SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2727483208.0000000003C86000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameOgdadfffro.dll" vs SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2727483208.0000000003FD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2727483208.0000000003EA5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameOgdadfffro.dll" vs SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Binary or memory string: OriginalFilenameHisdlyynhw.exeJ vs SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Mutant created: \Sessions\1\BaseNamedObjects\b01a8e42f2056d5c

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, -.cs	.Net Code: _E009 System.Reflection.Assembly.Load(byte[])
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, Program.cs	.Net Code: Main System.AppDomain.Load(byte[])
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe.45b9d48.2.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe.45b9d48.2.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe.45b9d48.2.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe.4569d28.5.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe.4569d28.5.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe.4569d28.5.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe.5dd0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe.28e8ed8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe.5190000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe.4002d80.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe.404ea98.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe.3bf14f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe.4002d80.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe.28e8ed8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe.3d59950.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe.3d31510.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe.28e68c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2724263812.0000000002849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2742555525.0000000005190000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1517869320.0000000005DD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1505233889.0000000002F17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1505233889.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1508383675.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2727483208.0000000003FD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2724263812.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1508383675.0000000003D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe PID: 1292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe PID: 5292, type: MEMORYSTR

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 0_2_05DC2782 push esp; iretd	0_2_05DC2783
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 0_2_05DC37B5 push ecx; iretd	0_2_05DC37BC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 0_2_05DC1195 push esp; iretd	0_2_05DC1196
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 0_2_05F54BBF push esp; iretd	0_2_05F54BC5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 0_2_05F5562A push esp; iretd	0_2_05F5562B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 0_2_05F87E1A pushfd ; retn 05D1h	0_2_05F88081
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 0_2_05F80AB8 push ss; iretd	0_2_05F80ABA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 0_2_061A2982 push ss; iretd	0_2_061A2989
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_00D66A93 push esp; iretd	2_2_00D66A94
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_00D634F8 push esp; iretd	2_2_00D63527
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_00D645F4 push esp; iretd	2_2_00D6461A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_04CA9560 push ecx; ret	2_2_04CA956E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_04CA76F4 push edx; ret	2_2_04CA76F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_04CA5680 push ecx; ret	2_2_04CA568E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_04CA76A4 push edx; ret	2_2_04CA76A5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_04CA7626 push ecx; ret	2_2_04CA762D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_04CA7624 push ecx; ret	2_2_04CA7625
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_04CA8796 push ss; iretd	2_2_04CA8799
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_04CA8098 push edx; ret	2_2_04CA8099
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_04CA30BF push ecx; ret	2_2_04CA30CE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_04CA3140 push ecx; ret	2_2_04CA314E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_04CA3108 push ecx; ret	2_2_04CA3116
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_04CA711C push ecx; ret	2_2_04CA711D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_04CA7110 push ecx; ret	2_2_04CA7111
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_04CA82B2 push edx; ret	2_2_04CA82B3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_04CA93D0 push edx; ret	2_2_04CA93DE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_04CA938F push ecx; ret	2_2_04CA939E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_04CA2F73 push 5504C303h; ret	2_2_04CA2F7E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_04CA7868 push edx; ret	2_2_04CA7869
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_04CA781D push esp; iretd	2_2_04CA781E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Code function: 2_2_04CA5ADC push edx; ret	2_2_04CA5ADD

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Memory allocated: E80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Memory allocated: 2BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Memory allocated: 1220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Memory allocated: 5B80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Memory allocated: 6B80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Memory allocated: D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Memory allocated: 27D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Memory allocated: 2650000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe TID: 6444	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe TID: 2028	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2724263812.0000000002849000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2722783640.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllallo
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000000.00000002.1505233889.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000002.00000002.2724263812.0000000002849000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe, 00000000.00000002.1503824825.0000000000F93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe VolumeInformation	Jump to behavior

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.92.246.15	juytlioojbni.duckdns.org	Bulgaria		34368	THEZONEBG	true
91.92.246.79	gerwgewg5.duckdns.org	Bulgaria		34368	THEZONEBG	true

ID:	1428543
Product:	CloudBasic
Start time:	07:21:15
Start date:	19.04.2024
Sample:	SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	37b1b265010213a6b399f256f0f30612
SHA1:	efb26dc10127cb575729fd19d308dad01e4d2484
SHA256:	5a3ef9e8a2ea282253a57ab68f75caa9144c606725e57a37b8cfe83cc63db191
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Windows Analysis Report SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
SecuriteInfo.com.Trojan.DownLoader46.57266.31234.98.exe