Windows Analysis Report
SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe

Overview

General Information

Sample name: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe
Analysis ID: 1429052
MD5: f7d7be5fd53c6039738f1a37c0f3760d
SHA1: 4a9d6c31cf6773c39fa11b81d63bc4f065268a5e
SHA256: 551f5a7d2d13c1b63e57b8f4f41913804eff899600bba169cd693021bf468fa4
Tags: exe

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 30
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to modify clipboard data
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
EXE planting / hijacking vulnerabilities found
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

AV Detection

Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe ReversingLabs: Detection: 13%
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Virustotal: Detection: 7%
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe EXE: C:\Users\user\Desktop\Update\krenmain.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe EXE: C:\Users\user\Desktop\krenmain.exe

Compliance

Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe EXE: C:\Users\user\Desktop\Update\krenmain.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe EXE: C:\Users\user\Desktop\krenmain.exe
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Static PE information: certificate valid
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_00409714 FindFirstFileW,FindClose, 0_2_00409714
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_004091AC GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW, 0_2_004091AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_004142B4 FindFirstFileW,FindClose, 0_2_004142B4

Networking

Source: Traffic Snort IDS: 2814410 ETPRO TROJAN Win32/TrojanDownloader.Banload.WPF Retrieving Payload 192.168.2.6:49714 -> 210.181.31.83:80
Source: Traffic Snort IDS: 2812101 ETPRO TROJAN Win32/TrojanDownloader.Banload.TXV Receiving compressed PE 210.181.31.83:80 -> 192.168.2.6:49714
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 20 Apr 2024 10:27:10 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fipsLast-Modified: Fri, 08 Jul 2016 01:24:28 GMTETag: "65c00-53715a9e8cb00"Accept-Ranges: bytesContent-Length: 416768Content-Type: application/octet-streamData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 fb 21 6a 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 44 2d 5f 52 00 00 00 00 00 00 00 00 e0 00 0e 23 0b 01 05 00 00 d0 04 00 00 a0 01 00 00 00 00 00 fc 10 00 00 00 10 00 00 00 e0 04 00 
00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 04 00 00 00 04 00 00 00 00 00 00 00 00 00 07 00 00 06 00 00 00 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 a0 06 00 ed 00 00 00 00 90 06 00 40 0b 00 00 00 b0 06 00 90 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 06 00 38 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 00 d0 04 00 00 10 00 00 00 cc 04 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 00 a0 01 00 00 e0 04 00 00 3a 01 00 00 d2 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 00 10 00 00 00 80 06 00 00 02 00 00 00 0c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 00 10 00 00 00 90 06 00 00 0c 00 00 00 0e 06 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 20 Apr 2024 10:27:52 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fipsLast-Modified: Thu, 18 Apr 2024 04:53:11 GMTETag: "186a900-61657bf80b83b"Accept-Ranges: bytesContent-Length: 25602304Content-Type: application/octet-streamData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 c8 a6 20 66 00 00 00 00 00 00 00 00 e0 00 8f 81 0b 01 02 19 00 10 85 01 00 80 01 00 00 90 80 03 10 9f 05 05 00 a0 80 03 00 b0 05 05 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 30 07 05 00 10 00 00 8f 10 87 01 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 98 23 07 05 a4 05 00 00 00 b0 05 05 98 73 01 00 00 00 00 00 00 00 00 00 00 80 86 01 00 29 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc a0 05 05 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 63 01 a6 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 50 58 30 00 00 00 00 00 90 80 03 00 10 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 e0 55 50 58 31 00 00 00 00 00 10 85 01 00 a0 80 03 00 02 85 
01 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 00 80 01 00 00 b0 05 05 00 7a 01 00 00 06 85 01 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 20 Apr 2024 10:29:11 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fipsLast-Modified: Tue, 25 Oct 2016 03:41:38 GMTETag: "204c0-53fa849288080"Accept-Ranges: bytesContent-Length: 132288Content-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 7c 84 d7 31 38 e5 b9 62 38 e5 b9 62 38 e5 b9 62 2b ed d0 62 3a e5 b9 62 b6 f2 d9 62 3a e5 b9 62 b6 f2 b6 62 2f e5 b9 62 bb ed e4 62 3d e5 b9 62 38 e5 b8 62 5e e5 b9 62 b6 f2 e6 62 bb e5 b9 62 b6 f2 e5 62 39 e5 b9 62 b6 f2 e3 62 39 e5 b9 62 52 69 63 68 38 e5 b9 62 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 b7 2f a5 4d 00 00 00 00 00 00 00 00 e0 00 0e 21 0b 01 07 0a 00 30 01 00 00 d0 00 00 00 00 00 00 1f c7 00 00 00 10 00 00 00 40 01 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 10 02 00 00 10 00 00 50 bb 02 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 85 01 00 c6 01 00 00 a8 7e 01 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 01 00 c0 14 00 00 00 f0 01 00 94 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 7e 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 40 01 00 70 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 0e 2e 01 00 00 10 00 00 00 30 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 a6 47 00 00 00 40 01 00 00 50 00 00 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 
40 00 00 40 2e 64 61 74 61 00 00 00 24 59 00 00 00 90 01 00 00 40 00 00 00 90 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 b6 1b 00 00 00 f0 01 00 00 20 00 00 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 20 Apr 2024 10:29:15 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fipsLast-Modified: Mon, 24 Jan 2022 05:27:27 GMTETag: "4ccc8-5d64d39606dc0"Accept-Ranges: bytesContent-Length: 314568Content-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 4e b4 0b 71 0a d5 65 22 0a d5 65 22 0a d5 65 22 2d 13 08 22 03 d5 65 22 b7 9a f3 22 08 d5 65 22 03 ad f0 22 17 d5 65 22 03 ad e6 22 a7 d5 65 22 03 ad e1 22 86 d5 65 22 14 87 e1 22 09 d5 65 22 2d 13 1e 22 13 d5 65 22 0a d5 64 22 3d d7 65 22 03 ad ef 22 16 d5 65 22 03 ad f7 22 0b d5 65 22 14 87 f1 22 0b d5 65 22 03 ad f4 22 0b d5 65 22 52 69 63 68 0a d5 65 22 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 dd 6c 53 59 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 09 00 00 2c 03 00 00 82 01 00 00 00 00 00 e6 b8 01 00 00 10 00 00 00 40 03 00 00 00 00 10 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 10 05 00 00 04 00 00 89 ef 04 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 e8 03 00 0a 01 00 00 04 cf 03 00 dc 00 00 00 00 50 04 00 c4 33 00 00 00 00 00 00 00 00 00 00 00 b2 04 00 c8 1a 00 00 00 90 04 00 f0 30 00 00 80 45 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 8f 03 00 40 00 00 00 00 00 00 00 00 00 00 00 00 40 03 00 dc 04 00 00 7c ce 03 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 55 2a 03 00 00 10 00 00 00 2c 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 4a a9 00 00 00 40 03 00 00 aa 00 00 
00 30 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 18 5f 00 00 00 f0 03 00 00 24 00 00 00 da 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 c4 33 00 00 00 50 04 00 00 34 00 00 00 fe 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c2 7f 00 00 00 90 04 00 00 80 00 00 00 32 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: GET /NewDown/VersionInfo.Ini HTTP/1.1 | Host: file.kren.co.kr | Accept: text/html, */* | Accept-Encoding: identity | User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic HTTP traffic detected: GET /NewDown/DelZip190.dll HTTP/1.1 | Host: file.kren.co.kr | Accept: text/html, */* | Accept-Encoding: identity | User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic HTTP traffic detected: GET /NewDown/Ziped/krenmain.exe.zip HTTP/1.1 | Host: file.kren.co.kr | Accept: text/html, */* | Accept-Encoding: identity | User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic HTTP traffic detected: GET /NewDown/Ziped/krenmain.exe.zip HTTP/1.1 | Host: file.kren.co.kr | Accept: text/html, */* | Accept-Encoding: identity | User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic HTTP traffic detected: GET /NewDown/UnZiped/krenmain.exe HTTP/1.1 | Host: file.kren.co.kr | Accept: text/html, */* | Accept-Encoding: identity | User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic HTTP traffic detected: GET /NewDown/Ziped/Config/coldef.ini.zip HTTP/1.1 | Host: file.kren.co.kr | Accept: text/html, */* | Accept-Encoding: identity | User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic HTTP traffic detected: GET /NewDown/UnZiped/Config/coldef.ini HTTP/1.1 | Host: file.kren.co.kr | Accept: text/html, */* | Accept-Encoding: identity | User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic HTTP traffic detected: GET /NewDown/Ziped/Config/coldef2.ini.zip HTTP/1.1 | Host: file.kren.co.kr | Accept: text/html, */* | Accept-Encoding: identity | User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic HTTP traffic detected: GET /NewDown/UnZiped/Config/coldef2.ini HTTP/1.1 | Host: file.kren.co.kr | Accept: text/html, */* | Accept-Encoding: identity | User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic HTTP traffic detected: GET /NewDown/Ziped/Config/coldef3.ini.zip HTTP/1.1 | Host: file.kren.co.kr | Accept: text/html, */* | Accept-Encoding: identity | User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic HTTP traffic detected: GET /NewDown/UnZiped/Config/coldef3.ini HTTP/1.1 | Host: file.kren.co.kr | Accept: text/html, */* | Accept-Encoding: identity | User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic HTTP traffic detected: GET /NewDown/Ziped/openfaxCLIB.dll.zip HTTP/1.1 | Host: file.kren.co.kr | Accept: text/html, */* | Accept-Encoding: identity | User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic HTTP traffic detected: GET /NewDown/UnZiped/openfaxCLIB.dll HTTP/1.1 | Host: file.kren.co.kr | Accept: text/html, */* | Accept-Encoding: identity | User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic HTTP traffic detected: GET /NewDown/Ziped/KTPSock.dll.zip HTTP/1.1 | Host: file.kren.co.kr | Accept: text/html, */* | Accept-Encoding: identity | User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic HTTP traffic detected: GET /NewDown/UnZiped/KTPSock.dll HTTP/1.1 | Host: file.kren.co.kr | Accept: text/html, */* | Accept-Encoding: identity | User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 20 Apr 2024 10:27:16 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fipsLast-Modified: Thu, 18 Apr 2024 04:53:05 GMTETag: "17dd9d3-61657bf28a942"Accept-Ranges: bytesContent-Length: 25024979Content-Type: application/zipData Raw: 50 4b 03 04 14 00 02 00 08 00 9b 6e 92 58 d1 ec d8 d1 59 d9 7d 01 00 a9 86 01 0c 00 00 00 6b 72 65 6e 6d 61 69 6e 2e 65 78 65 ec fd 67 50 53 6f f8 fe 8b a6 27 84 40 02 84 de 02 d2 7b 93 5e 42 2f 52 42 ef bd 05 69 11 12 40 69 81 80 10 22 8a bd a1 82 15 15 05 15 01 41 21 14 01 15 95 26 04 69 41 f9 2a 18 10 54 84 28 25 47 7e 7b ff f7 99 b3 f7 cc 39 fb d5 99 f3 e2 dc 33 99 cf 9a 95 7b ad 5c cf 75 df cf b3 d6 7a 91 59 1e 21 04 00 08 00 00 40 00 68 00 8f 07 00 b4 02 fe b7 c0 03 a4 00 ff 1f 03 08 00 b4 61 00 82 f2 4d 7c 6f 15 5a 81 ee 6f 15 aa aa fc 88 49 99 38 52 46 7a 62 46 74 2a 2e 95 92 49 c6 c5 c4 e3 32 28 69 38 4a 5a 5c 7c 06 2e 30 29 cd d0 40 00 a9 64 02 f8 ff 91 20 38 02 00 ee 40 30 60 e0 36 2e e1 7f ed 63 03 4e 14 f1 03 41 92 00 4c 29 10 40 fd 37 c8 2a 2a 18 73 0d 0a 05 d4 50 c1 80 c6 7f fc e7 0e 00 f3 2f f1 9f 71 d0 ff fd 98 ff 45 80 1e 1c ba f7 dd 09 4c 19 10 f4 3f 3b 30 ff 93 fe 3f c4 00 fe d7 9e ff 23 2e ec 83 43 6f ee 1d fc ef bc 17 32 81 ff cf 2f a8 47 81 00 f5 ff cf fa 9f d7 40 a1 12 ff ef 12 f0 b1 c0 db e0 ff eb 6e 7f 42 90 de ff 6c fc 1b db ff 21 08 f2 ff 9a 43 fd 67 c5 bf 3c fd ff 4d f4 3f 2f f6 c6 0f fa c7 ff 53 de bf e1 b1 75 32 32 33 62 ff e7 20 e0 ff 8c 05 70 e4 1f 61 a5 c0 ff 53 1e 13 f0 ff 8f ff 6f 85 a1 8e 99 fe 5e 9d 15 04 f8 10 d0 db c3 4f 47 db ed ae 74 ea 1f 81 42 61 bc 12 20 c0 08 04 15 fb 97 d3 99 bd cb 83 60 f0 00 30 dc 2e 3d 3d 25 3e 3a 0d 08 e0 d3 80 3a 45 f3 36 79 bc 94 cc 78 88 5f 06 25 1e e6 7b 38 93 1c 9f 0a 02 30 98 46 06 20 84 6d 5a 66 92 3d 71 f3 69 d6 5c 74 46 20 0f 66 54 a9 43 30 e6 83 e8 f2 ae 9d 3e 00 e6 11 81 08 5f 62 7a 06 d9 35 8d 9c fc 24 7a 0a 40 d5 e3 15 26 96 98 a4 8e a7 18 ef fa 27 4c 81 cc 4c 6a e0 5a f1 89 f1 19 90 0b cf 
92 57 63 cc 8c 5a 75 21 76 87 79 85 31 2b 97 87 74 03 07 e3 78 8b 58 00 fe 37 7c b0 a0 73 95 90 9e 74 2a 03 10 5a b5 bd 6a 1f 1d a0 31 b7 d1 3e b1 01 8d 04 44 4a 08 c1 30 d0 ef c6 46 01 1d 69 99 ba 3f 80 85 36 a6 30 ff d9 9e 37 e3 b6 87 8b 9c 82 ac 21 d9 57 6a 25 13 1a 13 eb 26 88 f2 08 c7 1c 23 5e 47 fa df 7f 2b 4f 1c a8 2c cf d9 21 9d 12 03 5c 0d 7d f4 f3 18 c4 07 91 02 b4 a9 96 cf de ca fe 63 9f 9e 4a 02 d7 97 d9 53 32 32 ca 63 0f 43 54 73 37 cb de 33 a1 fc 0d be e4 8c e9 bf 63 2a 5b 30 fb 1f 58 3e 82 ad de 60 e0 b2 ae a9 8b aa 69 60 12 48 d7 1d 22 ac b7 4e 6a dd 45 24 c2 41 af 96 b3 8b 3f 03 84 81 55 46 91 ee e9 2c 49 3b d8 52 24 44 2f 6e 8d 62 ca 15 86 65 5a 99 90 e5 f8 91 86 5c 99 64 01 5f d5 72 24 32 5e f5 c4 c6 84 a2 6d b5 0a 0a 1e 10 2d 17 ad dd a4 df 93 56 55 2f 8f f4 0a 52 4e 63 ca 59 6c f1 44 60 7e f6 29 d1 99 99 2e 32 62 aa 63 c2 89 15 9d 07 76 5d 7c 1c 7d fd dd fd 96 75 b0 50 82 f3 c1 c5 b4 66 b6 c3 b6 f0 66 0e 4c 10 ea a7 8a e1 99 92 6b 4f c4 73 4d 3d 40 0e fa 03 03 03 c9 84 41 29 88 01 6c a7 e3 c9 aa
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 20 Apr 2024 10:29:05 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fipsLast-Modified: Wed, 21 Feb 2024 07:48:40 GMTETag: "2149-611df8e212e42"Accept-Ranges: bytesContent-Length: 8521Content-Type: application/zipData Raw: 50 4b 03 04 14 00 02 00 08 00 c2 6b 46 58 7b 3d c3 47 d3 20 00 00 40 ad 02 00 0a 00 00 00 63 6f 6c 64 65 66 2e 69 6e 69 ed 5d ed 6f dc c6 99 ff ac 02 fd 1f f8 d1 4e d9 58 7c d1 5a 72 21 03 8e 73 cd e5 ae 49 0a 37 2d 70 08 02 a1 48 5c 5c 70 6e 5d 24 ce 87 fe 39 b2 d3 1e 9a c4 ca 6e a5 f5 72 57 2b 2d 57 2b 69 d5 9e cf 4a 5a d7 6e 5d c7 4e dc c6 6e a1 b8 a8 eb 46 52 af 46 71 33 43 0e 5f 76 49 2e 5f 66 86 43 72 d2 c2 e2 92 bb 33 7c e6 f7 cc 33 cf eb cc d7 e6 c9 fe f7 e5 2f 7d 4d 6a dc 34 96 9a 9f 49 9b 83 d6 b2 34 bc 69 3c 02 f7 c8 f7 32 e8 6e fd 14 fc e9 3c aa 1f d6 97 7b 3f ed 5c 03 1f 8c ad 76 7d f5 f1 d6 86 84 ff 9b 3f 09 3f 82 27 e6 93 ee ef cc 5d 49 f2 3c d9 59 32 e1 6f cc 75 e3 4f cd 9e ef 89 75 cb 58 b2 5b dc fe 60 63 51 92 8e a8 d3 ca ec d3 d3 b5 a7 a7 8f 4b 83 bb f5 c5 a3 e0 69 ff 46 ef 0f cb ab bd 3d f0 2b f8 2a 1f f8 da 81 2d 5d fc 35 b8 5f df 6a 2d 36 8c ce 87 9e fb f0 a3 dd 7a 7f bd f5 77 78 f9 27 f3 1f 8a fd 57 b5 ff 6a f0 c7 c3 76 dd 78 08 2e 9a bd 63 8d 7b 5b 86 b7 f5 66 0f 8e c3 3f c7 ee 0f fe 09 ee ef 5c 42 f7 51 2f c6 56 7d 11 be a0 d1 ff a2 f1 31 b8 e8 fd bd db 85 a4 5f 31 6f a1 cf f5 c3 c6 1d 34 48 bd 3d f0 67 7d 7b 7b 73 7b c9 78 e8 69 71 e5 76 7f df 7e 0b 34 e6 b8 e7 c1 47 a8 af ce a3 9d 4b e0 4f fb fe f0 de c8 00 0c ef 81 fb ad bd ee fe c8 fd d6 1e a2 6d f0 c9 f2 bd 66 13 5c 0e fb c6 52 fb ea ba ff 6b 13 ff 9b 3f 29 7d d3 1e 23 38 8c 9e fb f6 a8 a2 d1 03 23 e9 79 02 6f 81 27 5b 7f e8 ef 5b ec 83 06 38 a4 f5 de c5 6e cf 1c 4a 0e 08 0d a3 f7 2e ba e8 b5 57 1f c3 51 73 1a 9f 3f 09 6f 81 27 ab 0f d6 0f 56 6e d7 ff 08 2e bb 8d fe 3b 6b 83 fa e1 ea 03 a7 45 eb a3 dd 40 b7 bb e2 8e cc fc 49 eb 23 78 b6 36 dc fa c2 bc d5 79 84 08 d8 fe 2b fc f6 fb b0 23 7b c8 86 
bf 47 68 f6 0e 47 c6 75 fe a4 82 86 75 eb 8b b1 07 2a 7a b0 fe 33 63 c9 f7 68 fe a4 86 1e 6c 1f b4 f6 cc ab ab 8f 3d 0f 74 f4 a0 bf 3f dc 3d d6 df 47 84 81 81 18 ae 75 b6 6e 59 f4 a3 0f bd bd 66 d3 f9 05 fc 80 46 74 b8 bf 7e d0 5f 87 43 f1 b8 be 68 73 3a bc 34 af f7 dd ae d1 48 b5 df 5b 1b c2 bb 90 99 ee 0e 9a b0 05 c5 73 ad a2 e6 56 1f 23 e6 42 20 df b0 3b b1 7e ea 41 16 4c 74 74 cb ee 6a 04 73 78 0b 4d d7 ad c1 c8 13 78 cb e6 86 23 fd fd ce 87 47 9d 27 36 83 c0 9b 68 86 98 9f d9 6f 3a 7c 82 24 0a bc 83 2f c1 ab 75 3e 44 0c 37 b8 58 7f e8 dc 1d 7c d2 30 fa 57 d0 ac 69 6d a0 09 53 87 63 d7 3d 68 df b2 db 82 97 ed 7a 7d e8 70 ef fc 49 fc 11 b6 b0 b2 36 1c 01 12 de 82 7c d8 b9 f2 37 bb 9b ce 23 38 cd 57 1f 0c 6f c2 77 db b7 07 68 65 6f f8 63 30 65 21 0b c1 3b fd fd de bb 8a e7 1a 8e 6c ff e2 f0 a3 66 b3 75 cd 3b 1a 17 d1 8f cd 5f ad ec 75 ae f9 04 16 bc e5 41 06 36 f5 f3 ee d0 7a 3a 35 e5 4e 16 e9 84 84 f9 44 76 ae 3a 1f ae 3f 68 0c c1 e7 43 c4 54 cd 3f b7 76 2d 59 3c 05 85 18 f8 e4 6f c0 f8 4b f3 81 64 2c ad 75 b6 97
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 20 Apr 2024 10:29:08 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fipsLast-Modified: Wed, 05 Sep 2018 07:19:09 GMTETag: "7af-5751a9725f540"Accept-Ranges: bytesContent-Length: 1967Content-Type: application/zipData Raw: 50 4b 03 04 14 00 02 00 08 00 bc 7e 23 4d ae 46 1f 1c 37 07 00 00 69 6f 00 00 0b 00 00 00 63 6f 6c 64 65 66 32 2e 69 6e 69 dd 9c 51 6b db 56 14 c7 df 07 fb 0e 7e 6c 3b 41 2d e9 5e 35 26 f4 65 0c ca f6 b0 c1 60 4f 63 e4 61 b0 a7 41 21 b0 0f 14 d6 31 08 59 6a 2f f6 2c 27 6e 24 c7 b1 dd 41 59 36 36 3a e8 d6 6d 14 3a 28 5e 61 25 d4 4d 59 09 b3 14 db 11 d7 92 75 cf 3d f7 5c b9 c9 43 a2 c6 e5 fc cf 91 ae ee ff a7 ab 7b b2 7a 9d fe eb cd 37 56 4b 9d 5b bb be df 29 1d 76 9b 3b 9d 5b e1 a0 74 29 3c 6a 3d f4 ff 6d 3c be 3c fe d4 48 0e 1f df f8 f0 dd 77 d6 de fb e8 fd 1b 6f 7f f0 89 29 d1 55 bf e7 f7 ac 92 df 6b 55 3b fb cd 97 a5 fa ef e1 51 bb d6 eb 9a d2 b7 d7 ae 5c 59 2b db d7 a3 04 f6 8e 7b 07 56 f8 2a 18 5a e1 be ff a4 11 58 fb fd fe 61 7f db 7f 6a 8d 8f bb a7 57 bb 3f 75 4f ad 28 df ea 86 b5 eb 77 9e d7 1e 5a c1 cb 76 db 6a 0e db 23 2b 0a d0 bf 7d b0 61 ed 1d df fd 72 1c e5 ee 37 ad 93 f8 a0 fd 5b 78 34 d5 71 c0 3a 83 8e bf dd ba b7 3f 02 88 b8 86 8a 61 26 8a e1 e9 22 41 38 18 dc d9 ed 3d c8 2d a7 fa ca df de 7d 26 08 06 df b7 07 3b 7b c1 e6 42 65 4f 41 79 56 a0 ba ec b5 74 d9 a9 d0 24 e2 5c 9d 52 27 73 25 11 fb 2c 6c 2c a1 25 76 85 2e b6 5d 9e 8b 5d 1f 76 46 fe 93 f0 3f ab 3a e8 fe 15 1f 74 46 83 a3 ab 9d d1 de 31 4e ca 06 49 05 27 b1 58 ef 79 fc 63 ff 5b 7f 3b 3e e8 bf 68 0e c3 7b e3 cf 55 b3 70 96 22 8b c4 44 32 53 0d b6 e2 1f b3 74 26 e9 e9 49 46 e6 06 b1 d9 e2 81 a6 5a 2c 9f 0f fb f5 e1 46 ca 79 ef fe d9 6d 04 c3 46 03 ad e8 65 14 32 8d af 1a 37 71 97 8b 97 a9 3e 1c 7c 35 fe cd 33 2b 12 e8 8c 82 4d 7b 76 e4 28 eb 55 92 c3 e4 cc c6 ad a0 b5 77 5c 3d a9 fd 31 39 75 ad 6a 32 8b 9a 1f 6c 9e 4d 9f d1 7f 6b b7 eb 89 1b 56 46 d1 29 ab 0c cc f6 8b d6 83 56 b5 3a 88 f3 ab d6 ef 0c d4 67 
09 c7 96 1d 2c 48 1d 47 56 07 33 e7 39 ae ac ca f9 c9 54 95 62 e9 52 09 83 8b ef 01 d5 f0 79 37 f1 54 a4 7b 5a 7d aa 20 62 08 89 c7 72 ed 02 91 d8 11 91 38 ba 91 73 11 6f 72 1a 65 c8 ce 11 59 58 4e e0 f6 f8 1f 13 95 d6 df 83 47 00 29 97 ba 16 66 ae 16 10 10 4f 24 54 68 d4 81 43 30 5a 2d 87 7d c1 97 65 45 73 bc 8a de 78 8b b8 36 8e 1f 47 9a 44 95 0a 68 4b 40 38 24 9e a3 39 9e 2b 75 02 27 03 08 34 76 f2 b0 70 46 55 90 74 33 ec 24 1b 05 21 c1 3d 82 84 57 b2 fc 6f 01 f6 41 e2 9b 44 3d 47 2f ea 01 ca 04 e3 1d 24 36 0c e9 20 91 a5 31 ee d3 2f d6 d7 d7 3e fb fc e6 cd f5 c4 39 83 28 49 52 1c 24 24 88 dc e4 02 1b a2 b5 18 1c 8b a3 35 17 43 6b d2 2b 7e 2e 1a d9 62 29 69 d6 71 31 dc 06 ac 8a 19 ae 0a 41 70 29 95 e5 98 a3 8b c5 38 55 49 99 75 4c c0 a3 97 2b bd 80 09 0e 5a 21 08 0a 42 3b f9 a8 36 45 aa 0e 45 50 39 d2 4b 2e d1 83 86 17 14 f7 e4 13 cf 35 a2 0c e6 93 57 f0 a8 52 47 d0 9f bc 88 49 04 74 49 10 50 ba 56 55 0e 94 17 50 82 41 f9 f0 5a 88 50 5e 0e 86 85 f2 71 55 d8 70 89 96 f3 82 ad 42 01 91 19 01 44 66 18 10 99 11 40 6
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 20 Apr 2024 10:29:09 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fipsLast-Modified: Wed, 05 Sep 2018 07:19:09 GMTETag: "5d3-5751a9725f540"Accept-Ranges: bytesContent-Length: 1491Content-Type: application/zipData Raw: 50 4b 03 04 14 00 02 00 08 00 dd 7e 23 4d fa 07 37 83 5b 05 00 00 53 52 00 00 0b 00 00 00 63 6f 6c 64 65 66 33 2e 69 6e 69 e5 9a cf 6f 1b 45 14 c7 ef 48 fc 0f 7b 6c 8b 0f 9e 99 b7 9b 5d 45 be 20 a4 0a 0e 20 21 71 42 28 7f 9b d5 a2 5e 42 59 ab 89 bc 4e 4c bc 26 b1 dd 13 41 42 02 a9 94 8a 0b 87 2a 54 2a 54 94 56 70 c0 5e 6c a7 de 5f f3 de cc 9b 4d 0c 39 24 96 9d f7 79 6f 67 67 bf df e7 99 d9 ed b8 ff 79 fb ad 5d 6f 7c f7 28 49 c6 de d9 69 ff c1 f8 6e 3a bb 11 df 99 3e 4b 9e 1f fe 72 73 fe 61 23 25 7c 7a fb e3 f7 df db fb e0 93 0f 6f bf fb d1 67 4d 25 dd 4d 26 c9 a4 e5 25 93 41 3c 3e e9 bf f6 0e 1e a7 e7 c3 de e4 b4 a9 fc 62 ef d6 ad bd b6 e8 c4 af 7a 4f 5a e9 df a3 8b 56 7a 92 3c 3d 1c b5 4e a6 d3 b3 e9 fd e4 59 6b 51 60 dc 6d 2d 2a 9c 7e f9 75 b7 75 fc e2 e1 9d f9 7f 3e fc 62 f0 2a 7b 31 fc 31 3d 5f 71 64 27 1f 9d 21 29 08 c5 54 0a d8 97 e2 17 4b 19 a5 b3 d9 57 47 93 47 c4 62 82 4e 31 9e 5c ce ce 0a 92 45 f6 2f 86 2f 2f e3 96 9c ba f0 d0 2e 3c b2 0a 17 ed 55 f8 c1 c5 f8 65 f2 34 fd 8b 14 2d ac a2 a5 55 b4 b2 8a 86 8d 61 23 dc 6e e1 97 e4 c5 47 07 c6 79 c3 42 de e9 ef 07 8f e3 2e 09 b2 9e 2d f1 ec 5f 61 33 ba 0a d9 b6 19 03 29 ac a2 a5 55 b4 b2 8a 36 9e 35 d2 74 d6 34 e4 76 f3 74 c3 2b 74 3b a9 75 bb a3 64 fc 47 ef 27 dd 68 c9 3a b7 a3 20 14 53 29 60 5f 4a bd db 51 48 95 6e 47 81 d4 b9 dd 92 53 17 1e da 85 47 56 e1 97 6e 67 16 2e ec c2 a5 5d b8 b2 0b df d4 2e c2 2d bf 74 bc 78 76 fa 73 a6 5d 94 e8 c0 38 6f d1 f1 28 d1 d6 56 27 37 ad 6e f8 e7 e0 d1 20 8e 67 19 ca 64 24 4a 7c cf 08 23 79 30 8a 07 63 3c ad 4a 2c 91 58 40 43 de 38 7a 7d a5 de a8 b0 de 98 d5 a9 19 32 85 30 48 3c 47 71 16 05 4c 45 a1 fc 12 8f d3 99 26 9e 84 70 ce 0c 56 c7 08 19 18 91 3d 03 63 a4 5a 86 60 60 48 06 86 62 
60 94 aa 20 7a 6a 54 3b 2c 1e 11 d8 55 50 e9 b5 78 84 de 70 d1 2c a4 eb e2 79 7a eb c5 b3 24 23 4b 31 b2 ec e6 20 c2 8e 31 ac a6 3c 79 ff 4a 3d 19 38 3d 19 98 3c 19 38 3d 19 98 3c 19 78 3d 19 d8 3c 19 18 3c 19 18 3c 19 18 3c 19 18 3c 19 18 3c 19 18 3c 19 18 3c 19 ec 3c 19 ec 3d 19 ec 3c 19 ec 3d 19 18 3d 19 98 3d 19 18 3d 19 18 3d 19 18 3d 19 ec 3c 19 b6 cf 93 17 13 ca 7b c7 4b bf 3b b8 b8 42 6b f6 57 d6 3c e9 77 7b c9 d1 b7 2d ed b6 25 61 24 fd a5 55 af e1 75 7b 99 64 ae 72 59 34 38 2a da af 29 ba b8 2b 4b c6 07 85 b2 2b b6 6a c9 e4 9d 02 b9 7a 07 55 6f 39 fe b2 15 e0 67 46 fc cc 79 ab 90 67 56 6e a2 62 91 82 1f 29 f9 91 8a 1f 09 e5 f7 a7 74 8d f9 4d 66 05 ce af ab d0 68 a6 8b a0 b6 42 32 2e ac ae 70 73 47 9a 4c 2e 4e 75 d3 b5 7b 7f d9 b1 70 8f a5 14 fc 48 c9 8f 54 fc 48 60 9d 44 92 75 9a ff af 1a 9c 00 df e0 10 86 30 40 75 36 64 a0 72 52 26 70 97 89 6c 62 c8 5c 7d f7 42 46 a2 da 16 bd 77 05 f8 7e 05 0b 8b 18 61 25 1d 8a 05 4c 70 c2 24 27 4c 71 c2 2a 24 9a 3a c5 4a 5a 10 93 6f 9d 41 5d ef 41 e6 d4 34 1d 64 16 a1 c
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 20 Apr 2024 10:29:10 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fipsLast-Modified: Tue, 25 Oct 2016 03:41:38 GMTETag: "fdad-53fa849288080"Accept-Ranges: bytesContent-Length: 64941Content-Type: application/zipData Raw: 50 4b 03 04 14 00 02 00 08 00 91 81 8d 3e d9 20 f8 c3 2d fd 00 00 c0 04 02 00 0f 00 00 00 6f 70 65 6e 66 61 78 43 4c 49 42 2e 64 6c 6c ec 5c 7d 70 54 55 96 7f 1d 3a f0 20 0f fa 39 3e b5 77 6c 67 da ad b7 bb 6d 19 31 d6 eb da 45 12 ab 1a 88 d2 33 9b 59 5f 87 90 84 21 7c 88 80 0f 86 8f 86 e9 f6 a3 2a 52 b0 9d 6c e5 e5 12 97 da 62 b6 b0 4a aa 74 27 63 65 77 99 5a fe 80 2c 8e 8b 93 36 2c 11 3f 10 48 21 02 a2 8e ee 38 2f 06 d1 24 13 be 84 f4 9e 73 ef 7d 1f 9d 2f 99 d9 d9 a9 19 27 af b4 df d7 bd e7 dc f3 bb bf 7b ee 39 a7 3b 7c ef fb 3b 84 49 82 20 f8 e1 ff 5c 4e 10 0e 08 ec 88 09 5f 7d 7c 01 ff cf f8 f6 cf 66 08 fb a6 be 75 e7 01 5f c5 5b 77 56 19 6b 7e 18 4e 6e de f8 d8 e6 47 d6 87 1f 7d 64 c3 86 8d a9 f0 8a 55 e1 cd e9 0d e1 35 1b c2 e5 0f 2f 08 af df b8 72 d5 cc e9 d3 a7 a9 5c 46 7d c3 a9 fb 66 fd f2 a5 15 f6 ff 77 7f 76 6c c5 6c 38 b7 f7 9f e6 e7 f6 15 f7 c2 f9 e5 cf fe 67 c5 03 b4 cd 81 15 4b e9 f3 4f 56 bc 4c cf bf 5c 71 3f 3d 7f 4c cf 95 6b 1e 35 50 ce 58 63 d6 1f 14 84 0a 9f 5f f8 cf 7b 7f f2 3d fb d9 87 c2 8c 3b 8b 7c 53 a6 09 25 3e 41 38 c6 9e 7d bb 0b 3e 64 04 c2 27 d0 2b 99 dd fb 79 1f fb 2c c8 05 f4 b9 fe 72 81 50 c0 1e b0 7e ce 99 9d 3e 6c f4 09 87 41 54 db 16 9f 50 36 2a 98 3e a1 43 61 e7 9d ca 57 63 1f 07 39 79 73 04 e3 4c fa c6 6e 3f 33 b5 ea c9 14 ce d7 4c 1f 1b 50 89 cf 19 9f 7d 84 05 61 f9 cc cd 2b 1f 49 3d 22 08 2f ce e7 b6 eb 0e 06 ae 2a f8 6f 26 6b 26 a8 8b e0 63 87 8f 11 66 c7 88 76 1d 33 37 af 5a b7 f1 51 41 68 bf 9d d9 86 4a 84 63 23 da cd 15 26 8e 89 63 e2 98 38 26 8e 89 63 e2 98 38 26 8e 89 63 e2 98 38 26 8e ff d7 83 54 a8 12 c9 de b3 15 2e 17 a4 ee ca 58 b1 54 10 3f a6 1c c0 14 6d 71 27 a9 53 c5 ae 49 33 e0 ba f7 56 76 2d e1 f5 34 76 3d 0d ae 17 56 93 
be 9a ec 50 a1 96 6b bc d8 32 cf bf e5 af 41 62 30 93 2d 68 69 a5 29 7e a0 fd 2e ed 44 f3 a6 a1 4c d6 df 9c f8 32 fb 91 58 74 32 d0 be e6 3a bd 30 95 03 f3 4b 87 ea df 83 1e a1 6d 3d 38 84 40 c3 e7 90 44 67 7a 62 81 86 7e 81 5d 34 7e 0e a9 f6 c1 d8 01 9f dc 3b a9 e5 3b 02 79 32 44 de ce f6 c8 81 f6 e3 44 fa 51 6c 87 4f ce fe 42 24 a7 b2 9f 8a 81 f6 13 24 4a 9f 04 da f5 90 76 94 df c0 6b ed 28 6f 13 e4 cf c8 42 41 3b aa 89 da eb 44 f7 93 a4 a4 1d 37 e3 61 12 87 7b ad cf 8c 47 4c 5d 35 93 c5 e4 68 b6 27 48 a4 16 5b c5 3b d9 4f 41 f0 09 8d 29 c5 db 7c 8d c5 54 91 ad 40 67 7a 51 83 82 e2 4b 48 3c a8 bd 6e c6 67 69 6f 9b 7a d4 8c 97 65 fe db 9f e9 08 6f bb 5e 07 86 05 b6 ff 65 2e 97 eb 99 0c 86 fe bc 1c ee 49 52 41 ed c3 6c b4 35 16 db 1a 15 ed 2d 7e 83 ba de e2 6d 82 fc 19 91 b5 b7 b4 87 af 51 1b 71 04 41 6a 20 18 6a ea 21 a2 83 cd 24 2e bb 06 db fa d0 f0 71 54 16 3b 2a c9 6d b6 d2 ec 05 50 b9 9f 3e 4b 06 41 e7 51 92 2c 46 ad 21 6e 77 18 b4 ea 51 a2 ab 78 3f 8b c4 23 4c 6b 8c aa 34 f5 32 aa b5 7c 3c ad e5 ae 56 bd 64 14
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 20 Apr 2024 10:29:13 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fipsLast-Modified: Mon, 24 Jan 2022 05:27:26 GMTETag: "25702-5d64d39512b80"Accept-Ranges: bytesContent-Length: 153346Content-Type: application/zipData Raw: 50 4b 03 04 14 00 02 00 08 00 cb 8d dc 4a 70 d1 2e 86 8a 56 02 00 c8 cc 04 00 0b 00 00 00 4b 54 50 53 6f 63 6b 2e 64 6c 6c ec fd 7f 7c 53 d5 f9 00 8e df 34 b7 ed a5 0d 24 40 0a 55 2b 14 8c 5a 6d d5 6a aa b6 a6 68 81 fe 52 a1 24 2d 4d 60 d0 16 37 64 59 c6 b4 c2 0d e0 6c 0b 2c 8d 72 39 44 d9 a6 9b 6e ea 74 ba cd bd df 4e 71 d3 51 45 a1 a5 d8 80 a0 20 2a a2 38 c5 e9 e6 e9 82 5a 14 a1 08 72 3f cf f3 9c 9b 1f 2d b8 ed f3 7d bf 3e ff 7d d1 dc de 1f e7 f7 79 ce 73 9e df 67 e6 77 d6 4b 66 49 92 64 f8 e9 ba 24 75 49 e2 5f 85 f4 5f fc 33 49 d2 a8 89 2f 8c 92 9e 1d f1 ea a4 2e d3 8c 57 27 cd f6 ff 60 69 7e eb 92 5b bf bf e4 a6 1f e5 7f ef a6 5b 6e b9 55 cd ff ee cd f9 4b 82 b7 e4 ff e0 96 fc ca 59 0d f9 3f ba 75 e1 cd 97 8e 1c 99 e5 30 8a a8 7b 36 fb b6 ac b7 6e 9e 1c ff 5d 32 56 99 6c 86 bf 1b 7f f5 e5 64 05 fe 9a ff 34 30 79 3c fd fd e7 e4 3f d0 df 0f 27 df 09 7f ed 77 7d 38 79 04 a5 9f 30 79 2c e5 5d 38 79 ca db f8 fd f3 c9 e3 28 dd b1 c9 d9 94 ee 30 fd 35 ff e9 08 fd ad ff c1 f7 fc 58 4f bc 0b ee 2a 49 9a 61 4a 97 fe b6 b8 61 6e fc dd 41 29 6d 52 b6 69 84 24 15 c1 c8 fc c4 44 ef fe d9 05 7f 6d 38 30 38 5a 70 87 f7 69 92 94 6e e4 89 ff 95 6c e9 34 98 da e7 32 7c ae 10 99 6c 22 8b f8 6b 14 c3 cd 52 16 7c 95 77 9b a5 f7 a8 21 b2 b4 cd 99 32 b6 7f 96 a5 ed 67 c3 df f5 b2 34 50 2c 49 ab aa cc 52 de bf 99 8a fc 7b cc 43 e7 0c da f9 1e b4 a3 ed 35 f3 19 e7 f2 52 f5 e6 15 2a fc 6d bc d8 2c 1a 84 7d 95 87 95 29 49 0b 2e 5d b2 f0 26 f5 26 49 ba e1 8f 46 df ff 07 fe 16 9b 87 a4 83 f2 2b 2e 15 c9 a4 dc 16 b8 0c c0 77 9c e0 77 4f 4b d7 7d e9 92 a5 4b be 07 f7 d4 57 e8 b3 54 02 7f 4f 9d a1 bc 25 37 2f be 15 12 6e 5d 29 c6 40 5a 05 7f af 90 87 a7 9b 26 fd ff ff fd 9f fe 75 cd bf c3 6c eb dd 95 
f8 e7 65 87 a3 19 db da cc 36 3e 7a bb 24 1d ad 74 28 26 75 84 97 9f ff 82 24 85 b6 c9 ac af 79 ab 2c ed 4a f9 d7 c8 0e 85 3e 1e 0c e8 fe 9f 5e 69 b6 2d 7c 94 20 79 f5 21 3f 4c d4 a3 ea 09 b3 cd b9 4d eb 74 2c 80 a7 06 af cf 78 e1 8e 74 3a 56 c0 9b 85 8f 61 62 6d 86 23 97 ff 71 ab 24 39 0f 34 f0 cb 5f 91 a4 70 77 70 74 40 6f 08 dc cc d7 bc 06 6f bb fb 1f 87 55 12 69 73 e4 f1 d5 30 d9 da 83 8e 55 90 b7 6c 8e d2 91 ce 2a e4 58 9a b3 db 1d c1 22 d4 b1 92 d4 d7 49 1f d3 58 a5 23 3f 5a e9 c8 b3 af 36 db 5c bd ea 08 37 9f f8 84 09 9b 1f b0 f8 17 42 77 21 43 9e 36 df 51 00 bf 22 f8 15 43 5a c7 91 9f 40 97 3f cf 96 24 a6 3a ec fe 02 c8 e9 75 76 f3 a7 02 d8 6d 05 da 74 89 eb 4b 6b e7 7d d0 e0 d2 09 d6 ce 08 fc 8d 54 3a ca dd 5e fe af 8d 58 b2 12 1a d4 d5 1f 1f ab 74 4c 43 a0 0c b6 42 7b 8b f8 eb 53 13 4d 32 a7 36 b8 c1 8f 2b 6e 33 e2 15 af 5f 85 f6 b8 9f 97 a6 c8 36 ed 5c b9 5c b6 71 57 d5 90 8e 60 e3 8a 92 1d f1 fe 81 3a c2 a0 cb da 95 c5 90 5e 7b a6 1b ca 61 b3 1d b9 65 bf c2 3b b5 d6 af 9b a9 75 b7 35 b8 d7 cc 77 ac e0 67
Source: global traffic HTTP traffic detected: GET /NewDown/VersionInfo.Ini HTTP/1.1 Host: file.kren.co.kr Accept: text/html, */* Accept-Encoding: identity User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic HTTP traffic detected: GET /NewDown/DelZip190.dll HTTP/1.1 Host: file.kren.co.kr Accept: text/html, */* Accept-Encoding: identity User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic HTTP traffic detected: GET /NewDown/Ziped/krenmain.exe.zip HTTP/1.1 Host: file.kren.co.kr Accept: text/html, */* Accept-Encoding: identity User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic HTTP traffic detected: GET /NewDown/UnZiped/krenmain.exe HTTP/1.1 Host: file.kren.co.kr Accept: text/html, */* Accept-Encoding: identity User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic HTTP traffic detected: GET /NewDown/Ziped/Config/coldef.ini.zip HTTP/1.1 Host: file.kren.co.kr Accept: text/html, */* Accept-Encoding: identity User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic HTTP traffic detected: GET /NewDown/UnZiped/Config/coldef.ini HTTP/1.1 Host: file.kren.co.kr Accept: text/html, */* Accept-Encoding: identity User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic HTTP traffic detected: GET /NewDown/Ziped/Config/coldef2.ini.zip HTTP/1.1 Host: file.kren.co.kr Accept: text/html, */* Accept-Encoding: identity User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic HTTP traffic detected: GET /NewDown/UnZiped/Config/coldef2.ini HTTP/1.1 Host: file.kren.co.kr Accept: text/html, */* Accept-Encoding: identity User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic HTTP traffic detected: GET /NewDown/Ziped/Config/coldef3.ini.zip HTTP/1.1 Host: file.kren.co.kr Accept: text/html, */* Accept-Encoding: identity User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic HTTP traffic detected: GET /NewDown/UnZiped/Config/coldef3.ini HTTP/1.1 Host: file.kren.co.kr Accept: text/html, */* Accept-Encoding: identity User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic HTTP traffic detected: GET /NewDown/Ziped/openfaxCLIB.dll.zip HTTP/1.1 Host: file.kren.co.kr Accept: text/html, */* Accept-Encoding: identity User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic HTTP traffic detected: GET /NewDown/UnZiped/openfaxCLIB.dll HTTP/1.1 Host: file.kren.co.kr Accept: text/html, */* Accept-Encoding: identity User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic HTTP traffic detected: GET /NewDown/Ziped/KTPSock.dll.zip HTTP/1.1 Host: file.kren.co.kr Accept: text/html, */* Accept-Encoding: identity User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic HTTP traffic detected: GET /NewDown/UnZiped/KTPSock.dll HTTP/1.1 Host: file.kren.co.kr Accept: text/html, */* Accept-Encoding: identity User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: unknown DNS traffic detected: queries for: file.kren.co.kr
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, krenmain.exe.0.dr String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, krenmain.exe.0.dr String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, krenmain.exe.0.dr String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, krenmain.exe.0.dr String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, 00000000.00000003.3345403271.000000000068C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, 00000000.00000002.3358143048.0000000002260000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, 00000000.00000003.3327637685.0000000004700000.00000004.00001000.00020000.00000000.sdmp, openfaxCLIB.dll0.0.dr, openfaxCLIB.dll.0.dr String found in binary or memory: http://crl.thawte.com/ThawteCodeSigningCA.crl0
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, 00000000.00000003.3345403271.000000000068C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, 00000000.00000002.3358143048.0000000002260000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, 00000000.00000003.3327637685.0000000004700000.00000004.00001000.00020000.00000000.sdmp, openfaxCLIB.dll0.0.dr, openfaxCLIB.dll.0.dr String found in binary or memory: http://crl.thawte.com/ThawtePremiumServerCA.crl0
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, 00000000.00000002.3357250141.000000000065B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, 00000000.00000002.3358143048.0000000002260000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, 00000000.00000003.3327637685.0000000004700000.00000004.00001000.00020000.00000000.sdmp, openfaxCLIB.dll0.0.dr, openfaxCLIB.dll.0.dr String found in binary or memory: http://dev.fone.olleh.com
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe String found in binary or memory: http://file.kren.co.kr/NewDown/DelZip190.dll
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, 00000000.00000002.3355042514.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://file.kren.co.kr/NewDown/DelZip190.dllU
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, 00000000.00000002.3355042514.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://file.kren.co.kr/NewDown/UnZiped/
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, 00000000.00000002.3355042514.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://file.kren.co.kr/NewDown/UnZiped/Config/
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, 00000000.00000002.3358008401.00000000009C8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://file.kren.co.kr/NewDown/UnZiped/Config/coldef3.ini)
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, 00000000.00000002.3358143048.00000000022C9000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://file.kren.co.kr/NewDown/UnZiped/openfaxCLIB.dllni_?_???_???_????.
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, 00000000.00000002.3355042514.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://file.kren.co.kr/NewDown/VersionInfo.Ini
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, 00000000.00000002.3355042514.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://file.kren.co.kr/NewDown/Ziped/
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, 00000000.00000002.3355042514.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://file.kren.co.kr/NewDown/Ziped/Config/
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, 00000000.00000002.3358143048.0000000002308000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://file.kren.co.kr/NewDown/Ziped/KTPSock.dll.zipl
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, 00000000.00000002.3358143048.0000000002301000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://file.kren.co.kr/NewDown/Ziped/openfaxCLIB.dll.zipp
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, krenmain.exe.0.dr String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, krenmain.exe.0.dr String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, krenmain.exe.0.dr String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, 00000000.00000003.3345403271.000000000068C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, 00000000.00000002.3358143048.0000000002260000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, 00000000.00000003.3327637685.0000000004700000.00000004.00001000.00020000.00000000.sdmp, openfaxCLIB.dll0.0.dr, openfaxCLIB.dll.0.dr String found in binary or memory: http://ocsp.thawte.com0
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, krenmain.exe.0.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, krenmain.exe.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, krenmain.exe.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, krenmain.exe.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, 00000000.00000002.3358143048.0000000002301000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, 00000000.00000002.3355042514.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.indyproject.org/
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, krenmain.exe.0.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_00475B94 OpenClipboard,GlobalAlloc,GlobalFix,EmptyClipboard,SetClipboardData,GlobalUnWire, 0_2_00475B94
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_0045BDC8 GetClipboardData,CopyEnhMetaFileW,GetEnhMetaFileHeader, 0_2_0045BDC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_004912A0 GetKeyboardState,KiUserCallbackDispatcher, 0_2_004912A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_004080F0 0_2_004080F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_004590F0 0_2_004590F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_0049A4F8 0_2_0049A4F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_004805E8 0_2_004805E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_0040366C 0_2_0040366C
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: String function: 0040BD30 appears 62 times
Source: krenmain.exe.0.dr Static PE information: Resource name: RT_RCDATA type: COM executable for DOS
Source: krenmain.exe.0.dr Static PE information: Resource name: RT_RCDATA type: CLIPPER COFF executable C2 R1 not stripped - version 26821
Source: krenmain.exe.0.dr Static PE information: Resource name: RT_RCDATA type: DOS executable (COM, 0x8C-variant)
Source: krenmain.exe.0.dr Static PE information: Resource name: RT_RCDATA type: unicos (cray) executable
Source: krenmain.exe0.0.dr Static PE information: Resource name: RT_RCDATA type: COM executable for DOS
Source: krenmain.exe0.0.dr Static PE information: Resource name: RT_RCDATA type: CLIPPER COFF executable C2 R1 not stripped - version 26821
Source: krenmain.exe0.0.dr Static PE information: Resource name: RT_RCDATA type: DOS executable (COM, 0x8C-variant)
Source: krenmain.exe0.0.dr Static PE information: Resource name: RT_RCDATA type: unicos (cray) executable
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Static PE information: Section: UPX1 ZLIB complexity 0.9892989757449128
Source: classification engine Classification label: mal56.winEXE@1/19@1/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_004582F4 GetLastError,FormatMessageW, 0_2_004582F4
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_004150AC GetDiskFreeSpaceW, 0_2_004150AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_0043ABD8 FindResourceW,LoadResource,SizeofResource,LockResource, 0_2_0043ABD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe File created: C:\Users\user\Desktop\Update\
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe File read: C:\Users\user\Desktop\ServerVersionInfo.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe ReversingLabs: Detection: 13%
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Virustotal: Detection: 7%
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe String found in binary or memory: NATS-SEFI-ADD
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe String found in binary or memory: NATS-DANO-ADD
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe String found in binary or memory: jp-ocr-b-add
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe String found in binary or memory: JIS_C6229-1984-b-add
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe String found in binary or memory: jp-ocr-hand-add
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe String found in binary or memory: JIS_C6229-1984-hand-add
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe String found in binary or memory: ISO_6937-2-add
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Section loaded: delzip190.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe File written: C:\Users\user\Desktop\ServerVersionInfo.ini
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Static PE information: certificate valid
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_0044A134 push 0044A1CAh; ret 0_2_0044A1C2
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_004812CC push 00481337h; ret 0_2_0048132F
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_0042A29C push 0042A2E9h; ret 0_2_0042A2E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_0043F2AC push ecx; mov dword ptr [esp], edx 0_2_0043F2AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_0044C438 push 0044C485h; ret 0_2_0044C47D
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_0044F4D0 push 0044F528h; ret 0_2_0044F520
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_0040A6E8 push 0040A757h; ret 0_2_0040A74F
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_00413750 push ecx; mov dword ptr [esp], ecx 0_2_00413755
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_00462780 push 004627E0h; ret 0_2_004627D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_0043A968 push ecx; mov dword ptr [esp], edx 0_2_0043A96A
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_0047FA64 push 0047FB64h; ret 0_2_0047FB5C
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_00448A6C push 00448AA4h; ret 0_2_00448A9C
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_00428A68 push 00428ADEh; ret 0_2_00428AD6
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_00443AFC push 00443BC9h; ret 0_2_00443BC1
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_004ABB94 push ecx; mov dword ptr [esp], edx 0_2_004ABB98
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_00471C74 push 00471CEFh; ret 0_2_00471CE7
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_00434CF8 push ecx; mov dword ptr [esp], edx 0_2_00434CFD
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_0041FE60 push 00420005h; ret 0_2_0041FFFD
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_00434E7C push ecx; mov dword ptr [esp], edx 0_2_00434E81
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_00434E38 push ecx; mov dword ptr [esp], edx 0_2_00434E3D
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_004ABEE8 push ecx; mov dword ptr [esp], edx 0_2_004ABEEC
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_00476F54 push 00476FAEh; ret 0_2_00476FA6
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_00460F7C push 00461056h; ret 0_2_0046104E
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_00440F24 push ecx; mov dword ptr [esp], ecx 0_2_00440F27
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_00490FE0 push ecx; mov dword ptr [esp], ecx 0_2_00490FE4
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe File created: C:\Users\user\Desktop\openfaxCLIB.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe File created: C:\Users\user\Desktop\DelZip190.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe File created: C:\Users\user\Desktop\Update\openfaxCLIB.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe File created: C:\Users\user\Desktop\krenmain.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe File created: C:\Users\user\Desktop\Update\krenmain.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_00498410 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 0_2_00498410
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_00497A84 IsIconic,GetCapture, 0_2_00497A84
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_00448D24 MonitorFromWindow,MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect, 0_2_00448D24
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_00498F88 IsIconic,GetWindowPlacement,GetWindowRect,ScreenToClient,ScreenToClient, 0_2_00498F88
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Dropped PE file which has not been started: C:\Users\user\Desktop\openfaxCLIB.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Dropped PE file which has not been started: C:\Users\user\Desktop\Update\openfaxCLIB.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Dropped PE file which has not been started: C:\Users\user\Desktop\krenmain.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Dropped PE file which has not been started: C:\Users\user\Desktop\Update\krenmain.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_00409714 FindFirstFileW,FindClose, 0_2_00409714
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_004091AC GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW, 0_2_004091AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_004142B4 FindFirstFileW,FindClose, 0_2_004142B4
Source: SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe, 00000000.00000002.3357250141.000000000065B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_004420A8 IsDebuggerPresent,RaiseException, 0_2_004420A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 0_2_004097FC
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: GetLocaleInfoW, 0_2_00419070
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: GetLocaleInfoW, 0_2_00419024
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00408D44
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Queries volume information: C:\Users\user\Desktop\Update\krenmain.exe.zip VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Queries volume information: C:\Users\user\Desktop\Update\coldef.ini.zip VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Queries volume information: C:\Users\user\Desktop\Update\coldef2.ini.zip VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Queries volume information: C:\Users\user\Desktop\Update\coldef3.ini.zip VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Queries volume information: C:\Users\user\Desktop\Update\openfaxCLIB.dll.zip VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_00417468 GetLocalTime, 0_2_00417468
Source: C:\Users\user\Desktop\SecuriteInfo.com.TScope.Trojan.Delf.21240.32647.exe Code function: 0_2_0047A884 GetVersion,InsertMenuItemW,InsertMenuW,InsertMenuW, 0_2_0047A884