Edit tour

Windows Analysis Report
SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe
Analysis ID:	1621792
MD5:	515748a93ce7beb3f4416ec66ba8488e
SHA1:	3ba2f1a56dcc91967361622c56b1ba545cda4325
SHA256:	a09d49280077ed84d72c5b39977a67155f7bf1bc12615fecb6ec81a0aa2f92a6
Tags:	exeuser-SecuriteInfoCom
Infos:

Detection

Score:	68
Range:	0 - 100
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

.NET source code contains potential unpacker

Joe Sandbox ML detected suspicious sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Costura Assembly Loader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe (PID: 6508 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe" MD5: 515748A93CE7BEB3F4416EC66BA8488E)

WerFault.exe (PID: 7016 cmdline: C:\Windows\system32\WerFault.exe -u -p 6508 -s 1764 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2782017137.00000209A34B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2779376121.000002099ADAF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2772977659.00000209890B0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2773203885.0000020989280000.00000040.00000020.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2773893797.000002098ACE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe PID: 6508	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe.209a34b0000.2.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe.209890b131e.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe.2098928131e.1.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe.209890b131e.0.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe.2098928131e.1.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe.209a34b0000.2.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 1 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Virustotal: Detection: 47%			Perma Link
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	ReversingLabs: Detection: 47%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 94.8% probability

Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: costura.vse.web.serialization.pdb.compressed source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099ADAF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2772977659.00000209890B0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Data.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: costura.costura.pdb.compressed source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099ADAF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2772977659.00000209890B0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2773893797.000002098ACE1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sed\|\|\|Vse.Web.Serialization.pdb\|373624B9738CE0428A7ADDE8D3C3F9321A254999\|15872 source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe
Source:	Binary string: System.Runtime.Serialization.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Security.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: Version=8.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51\|System.Drawing.Common.dll\|C90A484298ED989620EAB3DCB32A0F7529C89D66\|49824 costura.system.drawing.common.pdb.compressed\|\|\|System.Drawing.Common.pdb\|40DAF0905A94A5B0F8727EAB465D93E32ADA6DCF\|11656 source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe
Source:	Binary string: costura.costura.dll.compressed\|5.7.0.0\|Costura, Version=5.7.0.0, Culture=neutral, PublicKeyToken=null\|Costura.dll\|F1F25C01F6ACF33BDD62C4F82D3EF078E76F0906\|4608 costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 costura source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe
Source:	Binary string: C:\Users\PC\Desktop\Client\Client\obj\Release\Client.pdb source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099ADAF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2772977659.00000209890B0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Client.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Numerics.ni.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDSw source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Dynamic.pdbH source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Dynamic.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: 32 costura.vse.web.serialization.dll.compressed\|1.0.4.0\|Vse.Web.Serialization, Version=1.0.4.0, Culture=neutral, PublicKeyToken=fb838febb49f46b2\|Vse.Web.Serialization.dll\|A3825ABB85C2BEAE8B7D5B6477ECE36E1062922E\|10240 costura.vse.web.serialization.pdb.compre source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099ADAF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2772977659.00000209890B0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed;microsoft.bcl.asyncinterfacesicostura.microsoft.bcl.asyncinterfaces.dll.compressed source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099ADAF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2772977659.00000209890B0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Net.Http.ni.pdbRSDS source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Runtime.Serialization.ni.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Xml.ni.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: ,costura.system.drawing.common.pdb.compressed source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2773893797.000002098ACE1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Runtime.Serialization.ni.pdbRSDSg@h source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099AE58000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2782669226.00000209A3800000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: costura.vse.web.serialization.pdb.compressed\|\|\|Vse.Web.Serialization.pdb\|373624B9738CE0428A7ADDE8D3C3F9321A254999\|15872 source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099ADAF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2772977659.00000209890B0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099AE58000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2782669226.00000209A3800000.00000004.08000000.00040000.00000000.sdmp, WER9E83.tmp.dmp.6.dr
Source:	Binary string: Microsoft.CSharp.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: costura.system.drawing.common.pdb.compressed source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099ADAF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2772977659.00000209890B0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Net.Http.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: system.memoryIcostura.system.memory.dll.compressed/system.numerics.vectors]costura.system.numerics.vectors.dll.compressedMsystem.runtime.compilerservices.unsafe{costura.system.runtime.compilerservices.unsafe.dll.compressed3system.text.encodings.webacostura.system.text.encodings.web.dll.compressed!system.text.jsonOcostura.system.text.json.dll.compressedCsystem.threading.tasks.extensionsqcostura.system.threading.tasks.extensions.dll.compressed#system.valuetupleQcostura.system.valuetuple.dll.compressed+vse.web.serializationYcostura.vse.web.serialization.dll.compressedYcostura.vse.web.serialization.pdb.compressed\| source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099ADAF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2772977659.00000209890B0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Data.ni.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Configuration.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: costura.system.drawing.common.pdb.compressed\|\|\|System.Drawing.Common.pdb\|40DAF0905A94A5B0F8727EAB465D93E32ADA6DCF\|11656 source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099ADAF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2772977659.00000209890B0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Numerics.ni.pdbRSDSautg source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Data.pdbH source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: system.buffersKcostura.system.buffers.dll.compressedGsystem.diagnostics.diagnosticsourceucostura.system.diagnostics.diagnosticsource.dll.compressed+system.drawing.commonYcostura.system.drawing.common.dll.compressedYcostura.system.drawing.common.pdb.compressed source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099ADAF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2772977659.00000209890B0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Client.pdbH source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Net.Http.ni.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Management.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Management.ni.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Data.ni.pdbRSDS source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Core.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Runtime.Serialization.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: ,costura.vse.web.serialization.pdb.compressed source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2773893797.000002098ACE1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Numerics.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER9E83.tmp.dmp.6.dr

Source: global traffic	HTTP traffic detected: GET /json HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST //end-point-c-sharp/ HTTP/1.1Content-Encoding: gzipHost: 109.120.178.136Content-Length: 13209Expect: 100-continueConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 34.117.59.81 34.117.59.81
Source: Joe Sandbox View	IP Address: 34.117.59.81 34.117.59.81

Source: unknown

DNS query: name: ipinfo.io

Source: unknown	TCP traffic detected without corresponding DNS query: 109.120.178.136
Source: unknown	TCP traffic detected without corresponding DNS query: 109.120.178.136
Source: unknown	TCP traffic detected without corresponding DNS query: 109.120.178.136
Source: unknown	TCP traffic detected without corresponding DNS query: 109.120.178.136
Source: unknown	TCP traffic detected without corresponding DNS query: 109.120.178.136
Source: unknown	TCP traffic detected without corresponding DNS query: 109.120.178.136
Source: unknown	TCP traffic detected without corresponding DNS query: 109.120.178.136
Source: unknown	TCP traffic detected without corresponding DNS query: 109.120.178.136
Source: unknown	TCP traffic detected without corresponding DNS query: 109.120.178.136
Source: unknown	TCP traffic detected without corresponding DNS query: 109.120.178.136
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /json HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ipinfo.io

Source: unknown

HTTP traffic detected: POST //end-point-c-sharp/ HTTP/1.1Content-Encoding: gzipHost: 109.120.178.136Content-Length: 13209Expect: 100-continueConnection: Keep-Alive

Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2773893797.000002098AFB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://109.120.178.136
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099ADAF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2772977659.00000209890B0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2773893797.000002098ACE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://109.120.178.136/
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2773893797.000002098AFB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://109.120.178.136//end-point-c-sharp/
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099AE58000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2782669226.00000209A3800000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099AE58000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2782669226.00000209A3800000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099AE58000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2782669226.00000209A3800000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099AE58000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2782669226.00000209A3800000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099AE58000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2782669226.00000209A3800000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099AE58000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2782669226.00000209A3800000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099AE58000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2782669226.00000209A3800000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099AE58000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2782669226.00000209A3800000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099AE58000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2782669226.00000209A3800000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099AE58000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2782669226.00000209A3800000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099AE58000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2782669226.00000209A3800000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2773893797.000002098ACE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipinfo.io
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099ADAF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2772977659.00000209890B0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2773893797.000002098ACE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipinfo.io/json
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2782669226.00000209A3800000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099AE58000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2782669226.00000209A3800000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099AE58000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2782669226.00000209A3800000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099AE58000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2782669226.00000209A3800000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099AE58000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2782669226.00000209A3800000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2773893797.000002098ACE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099AE58000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2782669226.00000209A3800000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-supportassertion
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099AE58000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2782669226.00000209A3800000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2773893797.000002098AD2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/missingauth
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099AE58000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2782669226.00000209A3800000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/json
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2782669226.00000209A3800000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099AE58000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2782669226.00000209A3800000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Code function: 0_2_000002098935D219	0_2_000002098935D219
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Code function: 0_2_000002098935E426	0_2_000002098935E426
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Code function: 0_2_00007FFE16639C18	0_2_00007FFE16639C18

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6508 -s 1764

Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe

Static PE information: Number of sections : 23 > 10

Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Binary or memory string: OriginalFilename vs SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099AE58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2782669226.00000209A3800000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099ADAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe6 vs SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2772977659.00000209890B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe6 vs SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe

Source: classification engine

Classification label: mal68.spyw.evad.winEXE@2/5@1/2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6508
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Mutant created: \Sessions\1\BaseNamedObjects\TestyBath

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\53409469-9758-4c1d-a9b3-98e1d8fcb1d8

Jump to behavior

Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2773893797.000002098ADB5000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Virustotal: Detection: 47%
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6508 -s 1764

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe

Static file information: File size 5375876 > 1048576

Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x11a800
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x107a00

Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: costura.vse.web.serialization.pdb.compressed source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099ADAF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2772977659.00000209890B0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Data.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: costura.costura.pdb.compressed source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099ADAF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2772977659.00000209890B0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2773893797.000002098ACE1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sed\|\|\|Vse.Web.Serialization.pdb\|373624B9738CE0428A7ADDE8D3C3F9321A254999\|15872 source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe
Source:	Binary string: System.Runtime.Serialization.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Security.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: Version=8.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51\|System.Drawing.Common.dll\|C90A484298ED989620EAB3DCB32A0F7529C89D66\|49824 costura.system.drawing.common.pdb.compressed\|\|\|System.Drawing.Common.pdb\|40DAF0905A94A5B0F8727EAB465D93E32ADA6DCF\|11656 source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe
Source:	Binary string: costura.costura.dll.compressed\|5.7.0.0\|Costura, Version=5.7.0.0, Culture=neutral, PublicKeyToken=null\|Costura.dll\|F1F25C01F6ACF33BDD62C4F82D3EF078E76F0906\|4608 costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 costura source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe
Source:	Binary string: C:\Users\PC\Desktop\Client\Client\obj\Release\Client.pdb source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099ADAF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2772977659.00000209890B0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Client.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Numerics.ni.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDSw source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Dynamic.pdbH source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Dynamic.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: 32 costura.vse.web.serialization.dll.compressed\|1.0.4.0\|Vse.Web.Serialization, Version=1.0.4.0, Culture=neutral, PublicKeyToken=fb838febb49f46b2\|Vse.Web.Serialization.dll\|A3825ABB85C2BEAE8B7D5B6477ECE36E1062922E\|10240 costura.vse.web.serialization.pdb.compre source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099ADAF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2772977659.00000209890B0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed;microsoft.bcl.asyncinterfacesicostura.microsoft.bcl.asyncinterfaces.dll.compressed source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099ADAF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2772977659.00000209890B0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Net.Http.ni.pdbRSDS source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Runtime.Serialization.ni.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Xml.ni.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: ,costura.system.drawing.common.pdb.compressed source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2773893797.000002098ACE1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Runtime.Serialization.ni.pdbRSDSg@h source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099AE58000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2782669226.00000209A3800000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: costura.vse.web.serialization.pdb.compressed\|\|\|Vse.Web.Serialization.pdb\|373624B9738CE0428A7ADDE8D3C3F9321A254999\|15872 source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099ADAF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2772977659.00000209890B0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099AE58000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2782669226.00000209A3800000.00000004.08000000.00040000.00000000.sdmp, WER9E83.tmp.dmp.6.dr
Source:	Binary string: Microsoft.CSharp.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: costura.system.drawing.common.pdb.compressed source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099ADAF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2772977659.00000209890B0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Net.Http.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: system.memoryIcostura.system.memory.dll.compressed/system.numerics.vectors]costura.system.numerics.vectors.dll.compressedMsystem.runtime.compilerservices.unsafe{costura.system.runtime.compilerservices.unsafe.dll.compressed3system.text.encodings.webacostura.system.text.encodings.web.dll.compressed!system.text.jsonOcostura.system.text.json.dll.compressedCsystem.threading.tasks.extensionsqcostura.system.threading.tasks.extensions.dll.compressed#system.valuetupleQcostura.system.valuetuple.dll.compressed+vse.web.serializationYcostura.vse.web.serialization.dll.compressedYcostura.vse.web.serialization.pdb.compressed\| source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099ADAF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2772977659.00000209890B0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Data.ni.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Configuration.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: costura.system.drawing.common.pdb.compressed\|\|\|System.Drawing.Common.pdb\|40DAF0905A94A5B0F8727EAB465D93E32ADA6DCF\|11656 source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099ADAF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2772977659.00000209890B0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Numerics.ni.pdbRSDSautg source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Data.pdbH source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: system.buffersKcostura.system.buffers.dll.compressedGsystem.diagnostics.diagnosticsourceucostura.system.diagnostics.diagnosticsource.dll.compressed+system.drawing.commonYcostura.system.drawing.common.dll.compressedYcostura.system.drawing.common.pdb.compressed source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099ADAF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2772977659.00000209890B0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Client.pdbH source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Net.Http.ni.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Management.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Management.ni.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Data.ni.pdbRSDS source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Core.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Runtime.Serialization.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: ,costura.vse.web.serialization.pdb.compressed source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2773893797.000002098ACE1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Numerics.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdb source: WER9E83.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER9E83.tmp.dmp.6.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe.209890b131e.0.raw.unpack, AssemblyLoader.cs	.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe.2098928131e.1.raw.unpack, AssemblyLoader.cs	.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe.209a34b0000.2.raw.unpack, AssemblyLoader.cs	.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe.209a34b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe.209890b131e.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe.2098928131e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe.209890b131e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe.2098928131e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe.209a34b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2782017137.00000209A34B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2779376121.000002099ADAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2772977659.00000209890B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2773203885.0000020989280000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2773893797.000002098ACE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe PID: 6508, type: MEMORYSTR

Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Static PE information: section name: .xdata
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Static PE information: section name: /4
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Static PE information: section name: /19
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Static PE information: section name: /35
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Static PE information: section name: /47
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Static PE information: section name: /61
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Static PE information: section name: /73
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Static PE information: section name: /86
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Static PE information: section name: /97
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Static PE information: section name: /113
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Static PE information: section name: /127
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Static PE information: section name: /143
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Static PE information: section name: /159

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2772675973.0000020988FB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X64DBG.EXEK
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2772675973.0000020988FB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IDAQ.EXE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Memory allocated: 20988F90000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Memory allocated: 209A2CE0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Window / User API: threadDelayed 5976			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Window / User API: threadDelayed 2145			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe TID: 6740	Thread sleep time: -16602069666338586s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe TID: 6740	Thread sleep time: -200000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe TID: 6760	Thread sleep count: 5976 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe TID: 6740	Thread sleep time: -99891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe TID: 6760	Thread sleep count: 2145 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe TID: 6740	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe TID: 6740	Thread sleep time: -99657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe TID: 6740	Thread sleep time: -99532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe TID: 6740	Thread sleep time: -99407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe TID: 6740	Thread sleep time: -99297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe TID: 6740	Thread sleep time: -99184s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe TID: 6740	Thread sleep time: -99078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe TID: 6740	Thread sleep time: -98969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe TID: 6740	Thread sleep time: -98859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe TID: 6740	Thread sleep time: -98721s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe TID: 6740	Thread sleep time: -98594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe TID: 6740	Thread sleep time: -98445s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe TID: 6740	Thread sleep time: -98344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe TID: 6740	Thread sleep time: -98235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe TID: 6740	Thread sleep time: -98110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe TID: 6740	Thread sleep time: -97985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe TID: 6740	Thread sleep time: -97860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe TID: 6740	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe TID: 6740	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe TID: 6740	Thread sleep time: -99671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe TID: 6740	Thread sleep time: -99562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe TID: 6740	Thread sleep time: -99452s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe TID: 6740	Thread sleep time: -99343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe TID: 6740	Thread sleep time: -99234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe TID: 6740	Thread sleep time: -99124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe TID: 6740	Thread sleep time: -99015s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Thread delayed: delay time: 99891	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Thread delayed: delay time: 99657	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Thread delayed: delay time: 99532	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Thread delayed: delay time: 99407	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Thread delayed: delay time: 99297	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Thread delayed: delay time: 99184	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Thread delayed: delay time: 99078	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Thread delayed: delay time: 98969	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Thread delayed: delay time: 98859	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Thread delayed: delay time: 98721	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Thread delayed: delay time: 98594	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Thread delayed: delay time: 98445	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Thread delayed: delay time: 98344	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Thread delayed: delay time: 98235	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Thread delayed: delay time: 98110	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Thread delayed: delay time: 97985	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Thread delayed: delay time: 97860	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Thread delayed: delay time: 99671	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Thread delayed: delay time: 99452	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Thread delayed: delay time: 99343	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Thread delayed: delay time: 99124	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Thread delayed: delay time: 99015	Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Binary or memory string: Hyper-V
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099ADAF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2772977659.00000209890B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-VGselect * from Win32_VideoController
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2782218810.00000209A3600000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 27 6e d0 59 6b 97 52-b4 9a 7f 42 1f 0e 66 9c
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2772675973.0000020988FB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Disable or Modify Tools	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	47%	Virustotal		Browse
SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	47%	ReversingLabs	Win64.Trojan.Amadey

Source	Detection	Scanner	Label
http://109.120.178.136/	0%	Avira URL Cloud	safe
http://109.120.178.136	0%	Avira URL Cloud	safe
http://109.120.178.136//end-point-c-sharp/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipinfo.io	34.117.59.81	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ipinfo.io/json	false		high
http://109.120.178.136//end-point-c-sharp/	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/missingauth	SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2773893797.000002098AD2D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://109.120.178.136	SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2773893797.000002098AFB7000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ipinfo.io	SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2773893797.000002098ACE1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.newtonsoft.com/jsonschema	SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2782669226.00000209A3800000.00000004.08000000.00040000.00000000.sdmp	false		high
https://docs.rs/getrandom#nodejs-es-module-support	SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	false		high
https://www.newtonsoft.com/json	SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099AE58000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2782669226.00000209A3800000.00000004.08000000.00040000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.6.dr	false		high
https://www.nuget.org/packages/Newtonsoft.Json.Bson	SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099AE58000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2782669226.00000209A3800000.00000004.08000000.00040000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2773893797.000002098ACE1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://109.120.178.136/	SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099ADAF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2772977659.00000209890B0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2773893797.000002098ACE1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://james.newtonking.com/projects/json	SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2782669226.00000209A3800000.00000004.08000000.00040000.00000000.sdmp	false		high
https://docs.rs/getrandom#nodejs-es-module-supportassertion	SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	false		high
https://github.com/JamesNK/Newtonsoft.Json	SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2779376121.000002099AE58000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe, 00000000.00000002.2782669226.00000209A3800000.00000004.08000000.00040000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
34.117.59.81	ipinfo.io	United States		139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
109.120.178.136	unknown	Russian Federation		30968	INFOBOX-ASInfoboxruAutonomousSystemRU	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1621792
Start date and time:	2025-02-22 14:15:40 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe
Detection:	MAL
Classification:	mal68.spyw.evad.winEXE@2/5@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.20, 172.202.163.200, 20.190.159.4, 13.107.246.60
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:16:59	API Interceptor	29x Sleep call for process: SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe modified
08:17:25	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
34.117.59.81	QkRFz2sau5.exe	Get hash	malicious	Amadey, AsyncRAT, LiteHTTP Bot, LummaC Stealer, PureLog Stealer	Browse	ipinfo.io/ip
	0t8amSU3vd.exe	Get hash	malicious	CryptoWall, TrojanRansom	Browse	ipinfo.io/ip
	file.exe	Get hash	malicious	Invicta Stealer, XWorm	Browse	ipinfo.io/json
	Code%20Send%20meta%20Discord%20EXE.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	idl57nk7gk.exe	Get hash	malicious	Neshta	Browse	ipinfo.io/json
	idl57nk7gk.exe	Get hash	malicious	Neshta	Browse	ipinfo.io/json
	FormulariomillasbonusLATAM_GsqrekXCVBmUf.cmd	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	172.104.150.66.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	VertusinstruccionesFedEX_66521.zip	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	UjbjOP.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
109.120.178.136	PjzDuCbFg6.exe	Get hash	malicious	Amadey, DarkTortilla, LummaC Stealer, Poverty Stealer, Vidar, XWorm	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipinfo.io	8CBryjfYLc.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	34.117.59.81
	g.png.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	34.117.59.81
	k.png.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	34.117.59.81
	f.png.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	34.117.59.81
	https://pub-24e45b15ec064841815b58913a9a218d.r2.dev/ntxk.html	Get hash	malicious	HTMLPhisher	Browse	34.117.59.81
	https://verification-center-1000252091.dablio.org/	Get hash	malicious	HTMLPhisher	Browse	34.117.59.81
	SecuriteInfo.com.FileRepMalware.27818.21336.msi	Get hash	malicious	Unknown	Browse	34.117.59.81
	https://verification-center-1000262201.ceciliadiamonds.com/	Get hash	malicious	HTMLPhisher	Browse	34.117.59.81
	http://case-id-1000292829268661.mashstaffing.com/	Get hash	malicious	Unknown	Browse	34.117.59.81
	http://case-id-1000292829266398.mashstaffing.com/	Get hash	malicious	Unknown	Browse	34.117.59.81

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
INFOBOX-ASInfoboxruAutonomousSystemRU	PjzDuCbFg6.exe	Get hash	malicious	Amadey, DarkTortilla, LummaC Stealer, Poverty Stealer, Vidar, XWorm	Browse	109.120.178.136
	saleforce_offline_installer.exe	Get hash	malicious	RedLine	Browse	109.120.186.139
	saleforce_offline_installer.exe	Get hash	malicious	RedLine	Browse	109.120.186.139
	http://springfieldunitedway.org/volunteer/#.YAieBuhKguU	Get hash	malicious	Unknown	Browse	92.243.74.2
	http://hotpepperliberia.com	Get hash	malicious	Unknown	Browse	92.243.74.2
	x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse	92.243.71.14
	nshmpsl.elf	Get hash	malicious	Mirai	Browse	92.243.71.44
	Configurator.exe	Get hash	malicious	Unknown	Browse	109.120.179.109
	Configurator.exe	Get hash	malicious	Unknown	Browse	109.120.179.109
	Configurator.exe	Get hash	malicious	Unknown	Browse	109.120.179.109
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	Payment_Activity_0079_2025-2-21.vbs	Get hash	malicious	Unknown	Browse	34.117.239.71
	PjzDuCbFg6.exe	Get hash	malicious	Amadey, DarkTortilla, LummaC Stealer, Poverty Stealer, Vidar, XWorm	Browse	34.117.59.81
	8CBryjfYLc.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	34.117.59.81
	g.png.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	34.117.59.81
	k.png.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	34.117.59.81
	f.png.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	34.117.59.81
	http://auth.stubli.com	Get hash	malicious	Unknown	Browse	34.117.239.71
	http://currentlyatt7432.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	34.117.77.79
	https://pub-24e45b15ec064841815b58913a9a218d.r2.dev/ntxk.html	Get hash	malicious	HTMLPhisher	Browse	34.117.59.81
	https://verification-center-1000252091.dablio.org/	Get hash	malicious	HTMLPhisher	Browse	34.117.59.81

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_a555f0a0f37f99728ae634191c97c345ec5b52_e0395ca8_74604103-7a23-4823-9edf-88a70e5bd849\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2823173115186786
Encrypted:	false
SSDEEP:	384:QuF0BgwfFcfRHFZn/95jgaH1ezuiFaY4lO8cf:QvOpHFZnrj3ezuiFaY4lO8
MD5:	410DE1F374EA1183E4CDA8CF2B521A55
SHA1:	DB12B4AC1CE160B8415BF5D3338DDB19083098BC
SHA-256:	A909DC4DD5A9E83A7F4EBE1B503FE69A1E277D9CF354FE0617F08F6002C2CE72
SHA-512:	33E15119B32F9A1316E04406116C4691B77CE20FDAAAD929D1D13D0C8196536DE303A9F37870F21BAECD0458373CFAA68F6CEE616E1EEE424F55C39344C44289
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.4.7.0.3.8.3.9.4.7.5.9.9.2.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.4.7.0.3.8.4.0.6.6.3.4.9.5.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.4.6.0.4.1.0.3.-.7.a.2.3.-.4.8.2.3.-.9.e.d.f.-.8.8.a.7.0.e.5.b.d.8.4.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.1.4.0.0.1.e.d.-.4.1.1.4.-.4.3.c.7.-.9.6.2.6.-.1.2.4.f.5.c.6.c.d.7.2.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.i.n.6.4...E.v.o.-.g.e.n...2.6.8.3.9...2.9.0.4.0...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.6.c.-.0.0.0.1.-.0.0.1.4.-.e.6.0.3.-.1.b.0.7.2.c.8.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.2.1.f.0.0.3.3.3.f.4.1.7.3.5.c.3.9.4.2.d.5.1.9.e.a.3.5.1.e.9.d.0.0.0.0.0.9.0.4.!.0.0.0.0.3.b.a.2.f.1.a.5.6.d.c.c.9.1.9.6.7.3.6.1.6.2.2.c.5.6.b.1.b.a.5.4.5.c.d.a.4.3.2.5.!.S.e.c.u.r.i.t.e.I.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9E83.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 17 streams, Sat Feb 22 13:17:19 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	643153
Entropy (8bit):	3.0954681390363565
Encrypted:	false
SSDEEP:	6144:GXDHLMdq2dJKikzcgFQDUepdsHFngq4KqUnWPZJKSQdSm5Hyjqd8Z:uKUWxJL05yjH
MD5:	C31A4B3C10FFD63D8D1110748F6B1BCA
SHA1:	D53C54CD849A30D7075AFAEE6D0DBB36C2F2BF6E
SHA-256:	4C10C46C79466762CAD84B2C74FA9D6FB56A09AA6214F0C0F2676741F5DBDB76
SHA-512:	2404F61D93DE7E773F235D2BE32A1E322A4ECACF06D8E9D5DA6FC1D5F2ED2D91C3B58FDBBE7117DFB57B9E46526A710AF670FF15F14591B0365642C687E3D0F4
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ......._.g................ ........ ..........$...p+.......?...+......................x.......8...........T...$........D...............j...........l.......... m..............................................................................eJ......0m......Lw......................T.......l...@.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...............................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA27C.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8946
Entropy (8bit):	3.7102219710802173
Encrypted:	false
SSDEEP:	192:R6l7wVeJSc6J26Y+871FgmfKGJPrEpD089bj5NfUS3Bm:R6lXJS/26Y171FgmfKGJPkjTfZM
MD5:	3704584882BDC472042418DB84C3FF87
SHA1:	5E36E367F1C2ADD102055867FA4B476A5B5EB568
SHA-256:	11E249B8F3908C2A431FCAC5E7E17FC5F06211C12CEE9029AA7E8696B86B8996
SHA-512:	F5707BB97E220CB58DAF8F7322E5999046ED0851584AB1FED251C6C9133148A6BB6D00F5F57E94B4D1AE0A86B83349C52D7700E81F5185BE13523CBA0ADBC824
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.5.0.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA2AB.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4856
Entropy (8bit):	4.562448424361267
Encrypted:	false
SSDEEP:	48:cvIwWl8zssJg771I93sWpW8VYmYm8M4J5Q9pOKFSRRyq85dCCOUBTTS33IJI2d:uIjfqI74F7V6J2+zUNBTTSo22d
MD5:	B99A9FC6EC7E1417433958895D706082
SHA1:	A342A873056C0A4207FF7A2F359EF8F3CE7DA1D1
SHA-256:	0C61A7D9E117DFC6D41320E045072536C45DE16345EB33DB466CE429B900363F
SHA-512:	4DE76DA5CB4247983435724952E041F1963535DB8AF5BCAB797B5DB1040FDDA12CB22103107AF5216B7C6D978343BC37FD04C5D51EFFA97B13CF072070224DA1
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="731780" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.569138873956998
Encrypted:	false
SSDEEP:	6144:OoPefZnQMa3tfLibn90foomgsattlbSldrUHT7hSgkSNv0juQJYchUJvTGAlBsL6:rPcAooVJHnsg/d1TrqG
MD5:	E9513D34E4C7FBF5FA37865F810F66D3
SHA1:	ACB1D6C928F6D5C9919305DFA00F3C73627D5E46
SHA-256:	10D9C7D62A6447F74B74D7DE17D160A904FF48714AAB8ACE9E6C52A3350FA6F5
SHA-512:	2F4FE4CA83B2DD33BB4A4503435F48C5416FA0D5215E61C3C9D11E7BBFF6BD41D6603FED8CA51E1A7660D2D4B2F914C231DFA442A0029FDAB3A2521AAF3349DD
Malicious:	false
Reputation:	low
Preview:	regfJ...J....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....,...............................................................................................................................................................................................................................................................................................................................................tZ.-........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.793480491117554
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe
File size:	5'375'876 bytes
MD5:	515748a93ce7beb3f4416ec66ba8488e
SHA1:	3ba2f1a56dcc91967361622c56b1ba545cda4325
SHA256:	a09d49280077ed84d72c5b39977a67155f7bf1bc12615fecb6ec81a0aa2f92a6
SHA512:	3ce752a103a11b4ef84e6531f4feebcd70f5dfde979e3952709a686fb03e67741d894037406fc23fc5ea3b506d650653a01f3ef48fd7b5a44f79e45c8eb96ffb
SSDEEP:	98304:gJnnpXog0yHRQNcObZ5vq8HeLRoV994WE:g1pzQDz5eLQi
TLSH:	82468C2168A41FF0F1EB8D3D804E96A66632395CE31587F34461D3B26E52396BF0FB49
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...{[.I.dJ.......&....+......#................@..............................K.....m.R...`... ............................

File Icon


Icon Hash:	126d6c6c68b35228

Static PE Info

General

Entrypoint:	0x1400013c0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x49A65B7B [Thu Feb 26 09:06:03 2009 UTC]
TLS Callbacks:	0x4010d810, 0x1, 0x4011a770, 0x1, 0x4011a750, 0x1
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	1ba8afe24824ed5b3f4384bd2e77a1ef

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [00223455h]
mov dword ptr [eax], 00000001h
call 00007F7064D0EA7Fh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [00223435h]
mov dword ptr [eax], 00000000h
call 00007F7064D0EA5Fh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
jmp 00007F7064E27EE0h
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007F7064D0ECB9h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
dec eax
sub esp, 48h
dec eax
mov eax, dword ptr [ecx]
dec eax
mov eax, dword ptr [eax]
dec eax
mov dword ptr [esp+20h], eax
dec eax
mov eax, dword ptr [ecx]
dec eax
mov eax, dword ptr [eax+10h]
dec eax
mov dword ptr [esp+28h], eax
dec eax
mov eax, dword ptr [esp+28h]
dec eax
mov dword ptr [esp+40h], eax
dec eax
mov eax, dword ptr [esp+20h]
dec eax
mov ecx, dword ptr [esp+40h]
dec eax
mov dword ptr [esp+30h], ecx
dec eax
mov dword ptr [esp+38h], eax
dec eax
lea ecx, dword ptr [esp+30h]
call 00007F7064D0F492h
nop
dec eax
add esp, 48h
ret
nop dword ptr [eax+00000000h]
dec eax
sub esp, 48h
dec eax
mov eax, dword ptr [ecx]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x235000	0x14e0	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x239000	0x6637	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x225000	0x68b8	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x240000	0xc38	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x224440	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x235500	0x448	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x11a7c8	0x11a800	dd256572e9201dbb1052bff1d0a89f45	False	0.3759195243362832	data	5.7388684529993075	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x11c000	0x4a0	0x600	e4cddeec1f1e313e772cbca6dcb9a44f	False	0.22591145833333334	data	2.5717623125102995	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x11d000	0x107940	0x107a00	22114319e2a7157b8054b40332244144	False	0.9222361753200569	data	7.9324854163320175	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x225000	0x68b8	0x6a00	dd6c9657bf3e7a5086a509d4b4f44e5d	False	0.4920032429245283	data	5.856773681325954	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x22c000	0x7558	0x7600	279fc60d308f39d55661aa5f7d293f93	False	0.3102820444915254	data	4.670930025066137	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x234000	0x2c0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x235000	0x14e0	0x1600	cc34d635cd86dd1051754a5db348be53	False	0.28870738636363635	COM executable for DOS	4.199970417068128	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x237000	0x68	0x200	640d4d7407b0e852ba6ac48f20a30efa	False	0.07421875	data	0.39345918218226683	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x238000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x239000	0x6637	0x6800	87fe5169ddc42500220cc1712ced8b72	False	0.1316856971153846	data	3.712981736615356	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x240000	0xc38	0xe00	a86da877090cd6a7fb4bcfab8bc66eda	False	0.5404575892857143	data	5.1485743144019445	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/4	0x241000	0x590	0x600	9267807cb6c74c9513419ea9512b373b	False	0.2265625	data	2.017111238034384	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/19	0x242000	0x6b3a2	0x6b400	c83080123b5e7529b2dd9236218bb882	False	0.12237762237762238	data	5.081586422951318	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/35	0x2ae000	0xa22b7	0xa2400	b1b101bef2d043e6ddd31c5154179690	False	0.3645256524460709	data	5.4730117116817345	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/47	0x351000	0x271c	0x2800	4afd5b6082cb12d369160169b6d846de	False	0.2486328125	data	4.937541942707146	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/61	0x354000	0x44014	0x44200	0a246ee798d7b3178cd3507a1dd417fb	False	0.34635894495412844	data	5.940025796878622	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/73	0x399000	0x810	0xa00	3260dc0d73bd9e9fb90eb779ce235220	False	0.283984375	data	3.5838176639592603	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/86	0x39a000	0xdbb5a	0xdbc00	49984d26669dafa30d71029bf23ed18f	False	0.16801652268202502	data	5.36980965383531	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/97	0x476000	0x7e	0x200	6e6d3a89ad743b725ebc0c24d401b2bd	False	0.1484375	data	0.8111901251976263	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/113	0x477000	0x3e8d0	0x3ea00	959adac033e120195384137ebd503d8f	False	0.10761679765469062	data	2.604390067750409	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/127	0x4b6000	0x1608	0x1800	e6f8f9fcc212f4bc6c23d1a6331e3146	False	0.1220703125	data	4.816927292474317	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/143	0x4b8000	0x120f	0x1400	bcf49411d228131dc0f4387fcf0fc819	False	0.4509765625	data	4.827867353129423	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/159	0x4ba000	0x16e	0x200	982dcae8fa9ea9c820efe5debe160f13	False	0.505859375	data	3.8134925564570588	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x2391d4	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m			0.14716312056737588
RT_ICON	0x23963c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m			0.07856472795497185
RT_ICON	0x23a6e4	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m			0.03861596598960793
RT_ICON	0x23e90c	0x58f	PNG image data, 256 x 256, 8-bit colormap, non-interlaced			0.9950808151791989
RT_GROUP_ICON	0x23ee9c	0x3e	data			0.8064516129032258
RT_VERSION	0x23eedc	0x2cc	data	English	United States	0.4175977653631285
RT_MANIFEST	0x23f1a8	0x48f	XML 1.0 document, ASCII text			0.40102827763496146

Imports

DLL	Import
KERNEL32.dll	DeleteCriticalSection, EnterCriticalSection, InitializeCriticalSection, LeaveCriticalSection, RaiseException, RtlUnwindEx, VirtualQuery, __C_specific_handler
msvcrt.dll	__getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _fmode, _fpreset, _initterm, abort, atexit, calloc, exit, fprintf, free, fwrite, malloc, memcmp, memcpy, memmove, memset, signal, strlen, strncmp, vfprintf
ntdll.dll	NtReadFile, NtWriteFile, RtlCaptureContext, RtlLookupFunctionEntry, RtlNtStatusToDosError, RtlVirtualUnwind
advapi32.dll	GetTokenInformation, OpenProcessToken, SystemFunction036
bcrypt.dll	BCryptGenRandom
kernel32.dll	AddVectoredExceptionHandler, CancelIo, CloseHandle, CompareStringOrdinal, CreateEventW, CreateFileMappingA, CreateFileW, CreateMutexA, CreateNamedPipeW, CreateProcessW, CreateThread, CreateTimerQueue, CreateToolhelp32Snapshot, DeleteProcThreadAttributeList, DeleteTimerQueue, DuplicateHandle, ExitProcess, FindClose, FindFirstFileExW, FormatMessageW, FreeEnvironmentStringsW, GetCommandLineW, GetConsoleMode, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetEnvironmentStringsW, GetEnvironmentVariableW, GetExitCodeProcess, GetFileAttributesW, GetFileInformationByHandle, GetFileInformationByHandleEx, GetFullPathNameW, GetLastError, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOverlappedResult, GetProcAddress, GetProcessHeap, GetStdHandle, GetSystemDirectoryW, GetWindowsDirectoryW, HeapAlloc, HeapCreate, HeapFree, HeapReAlloc, InitOnceBeginInitialize, InitOnceComplete, InitializeProcThreadAttributeList, LoadLibraryA, MapViewOfFile, Module32FirstW, Module32NextW, MultiByteToWideChar, Process32FirstW, Process32NextW, ReadFile, ReadFileEx, SetEvent, SetFileInformationByHandle, SetFilePointerEx, SetLastError, SetThreadStackGuarantee, SetUnhandledExceptionFilter, Sleep, SleepEx, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnmapViewOfFile, UpdateProcThreadAttribute, VirtualProtect, WaitForMultipleObjects, WaitForSingleObject, WriteConsoleW, WriteFileEx
api-ms-win-core-synch-l1-2-0.dll	WaitOnAddress, WakeByAddressAll, WakeByAddressSingle
bcryptprimitives.dll	ProcessPrng

Version Infos

Description	Data
CompanyName	Lethal_Setup.exe
FileDescription	Lethal_Setup.exe
FileVersion	1.51.16.4467
LegalTrademarks	Lethal_Setup.exe is a trademark of Lethal_Setup.exe Systems
ProductName	Lethal_Setup.exe
ProductVersion	1.51.16.4467
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 22, 2025 14:17:00.264781952 CET	49710	80	192.168.2.12	34.117.59.81
Feb 22, 2025 14:17:00.269963026 CET	80	49710	34.117.59.81	192.168.2.12
Feb 22, 2025 14:17:00.270066023 CET	49710	80	192.168.2.12	34.117.59.81
Feb 22, 2025 14:17:00.272774935 CET	49710	80	192.168.2.12	34.117.59.81
Feb 22, 2025 14:17:00.279818058 CET	80	49710	34.117.59.81	192.168.2.12
Feb 22, 2025 14:17:00.768883944 CET	80	49710	34.117.59.81	192.168.2.12
Feb 22, 2025 14:17:00.811897993 CET	49710	80	192.168.2.12	34.117.59.81
Feb 22, 2025 14:17:19.085326910 CET	49715	80	192.168.2.12	109.120.178.136
Feb 22, 2025 14:17:19.090498924 CET	80	49715	109.120.178.136	192.168.2.12
Feb 22, 2025 14:17:19.090584993 CET	49715	80	192.168.2.12	109.120.178.136
Feb 22, 2025 14:17:19.091092110 CET	49715	80	192.168.2.12	109.120.178.136
Feb 22, 2025 14:17:19.093477011 CET	49710	80	192.168.2.12	34.117.59.81
Feb 22, 2025 14:17:19.096085072 CET	80	49715	109.120.178.136	192.168.2.12
Feb 22, 2025 14:17:19.099683046 CET	80	49710	34.117.59.81	192.168.2.12
Feb 22, 2025 14:17:19.099757910 CET	49710	80	192.168.2.12	34.117.59.81
Feb 22, 2025 14:17:19.475317955 CET	49715	80	192.168.2.12	109.120.178.136
Feb 22, 2025 14:17:19.480592966 CET	80	49715	109.120.178.136	192.168.2.12
Feb 22, 2025 14:17:19.480607986 CET	80	49715	109.120.178.136	192.168.2.12
Feb 22, 2025 14:17:19.480623960 CET	80	49715	109.120.178.136	192.168.2.12
Feb 22, 2025 14:17:19.480633020 CET	80	49715	109.120.178.136	192.168.2.12
Feb 22, 2025 14:17:19.480642080 CET	80	49715	109.120.178.136	192.168.2.12
Feb 22, 2025 14:17:19.480650902 CET	80	49715	109.120.178.136	192.168.2.12
Feb 22, 2025 14:17:19.480659962 CET	49715	80	192.168.2.12	109.120.178.136
Feb 22, 2025 14:17:19.480679989 CET	80	49715	109.120.178.136	192.168.2.12
Feb 22, 2025 14:17:19.480690002 CET	80	49715	109.120.178.136	192.168.2.12
Feb 22, 2025 14:17:19.480698109 CET	80	49715	109.120.178.136	192.168.2.12
Feb 22, 2025 14:17:19.480706930 CET	80	49715	109.120.178.136	192.168.2.12
Feb 22, 2025 14:17:19.485872030 CET	80	49715	109.120.178.136	192.168.2.12
Feb 22, 2025 14:17:19.742886066 CET	80	49715	109.120.178.136	192.168.2.12
Feb 22, 2025 14:17:19.796308994 CET	49715	80	192.168.2.12	109.120.178.136
Feb 22, 2025 14:17:19.891349077 CET	80	49715	109.120.178.136	192.168.2.12
Feb 22, 2025 14:17:19.936971903 CET	49715	80	192.168.2.12	109.120.178.136
Feb 22, 2025 14:17:20.084640980 CET	80	49715	109.120.178.136	192.168.2.12
Feb 22, 2025 14:17:20.096858978 CET	80	49715	109.120.178.136	192.168.2.12
Feb 22, 2025 14:17:20.096925974 CET	49715	80	192.168.2.12	109.120.178.136
Feb 22, 2025 14:17:20.096935987 CET	80	49715	109.120.178.136	192.168.2.12
Feb 22, 2025 14:17:20.096982956 CET	49715	80	192.168.2.12	109.120.178.136
Feb 22, 2025 14:17:20.099819899 CET	49715	80	192.168.2.12	109.120.178.136
Feb 22, 2025 14:17:20.105302095 CET	80	49715	109.120.178.136	192.168.2.12

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 22, 2025 14:17:00.238945007 CET	50660	53	192.168.2.12	1.1.1.1
Feb 22, 2025 14:17:00.247761011 CET	53	50660	1.1.1.1	192.168.2.12

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 22, 2025 14:17:00.238945007 CET	192.168.2.12	1.1.1.1	0xaf4e	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 22, 2025 14:17:00.247761011 CET	1.1.1.1	192.168.2.12	0xaf4e	No error (0)	ipinfo.io		34.117.59.81	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ipinfo.io

109.120.178.136

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.12	49710	34.117.59.81	80	6508	C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe

Timestamp	Bytes transferred	Direction	Data
Feb 22, 2025 14:17:00.272774935 CET	63	OUT	GET /json HTTP/1.1 Host: ipinfo.io Connection: Keep-Alive
Feb 22, 2025 14:17:00.768883944 CET	590	IN	HTTP/1.1 200 OK access-control-allow-origin: * Content-Length: 321 content-type: application/json; charset=utf-8 date: Sat, 22 Feb 2025 13:17:00 GMT x-content-type-options: nosniff via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Data Raw: 7b 0a 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 31 38 39 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 0a 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 31 30 30 30 31 22 2c 0a 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 0a 20 20 22 72 65 61 64 6d 65 22 3a 20 22 68 74 74 70 73 3a 2f 2f 69 70 69 6e 66 6f 2e 69 6f 2f 6d 69 73 73 69 6e 67 61 75 74 68 22 0a 7d Data Ascii: { "ip": "8.46.123.189", "hostname": "static-cpe-8-46-123-189.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level 3 Parent, LLC", "postal": "10001", "timezone": "America/New_York", "readme": "https://ipinfo.io/missingauth"}

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_a555f0a0f37f99728ae634191c97c345ec5b52_e0395ca8_74604103-7a23-4823-9edf-88a70e5bd849\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9E83.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA27C.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA2AB.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe