Edit tour

Windows Analysis Report
SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe
Analysis ID:	1663899
MD5:	44269f3383c745b0656f94ebdf04bb4c
SHA1:	c5406153af11c61f10cbc1d49cec53654d3649f0
SHA256:	0303f9d6082240e16f0d503cf900f5f378a5cf906088a7c6312f58ad50472d8a
Tags:	exeuser-SecuriteInfoCom
Infos:

Detection

GhostRat

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Suricata IDS alerts for network traffic

Yara detected GhostRat

.NET source code contains potential unpacker

AI detected suspicious PE digital signature

Drops VBS files to the startup folder

Drops large PE files

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Modifies the context of a thread in another process (thread injection)

Sigma detected: Silenttrinity Stager Msbuild Activity

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to detect virtual machines (SLDT)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe (PID: 6700 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe" MD5: 44269F3383C745B0656F94EBDF04BB4C)

MSBuild.exe (PID: 7428 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" MD5: 2EDD0B288FE2459DA84E4274D1942343)

wscript.exe (PID: 7396 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\overmelod.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

overmelod.exe (PID: 7468 cmdline: "C:\Users\user\AppData\Local\Temp\overmelod.exe" MD5: 55F39A32209CCB51775828EB07A3DA96)

MSBuild.exe (PID: 7632 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" MD5: 2EDD0B288FE2459DA84E4274D1942343)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1344510463.0000018E54D9E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1328830902.0000018E42421000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000009.00000002.1371837193.0000018884671000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1655849966.0000018E5B780000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000009.00000002.1416648850.0000018895C72000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe PID: 6700	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
Process Memory Space: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe PID: 6700	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: overmelod.exe PID: 7468	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe.18e5b780000.8.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe.18e5b780000.8.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Sigma Signatures

System Summary

Sigma detected: Silenttrinity Stager Msbuild Activity

Source: Network Connection

Author: Kiran kumar s, oscd.community: Data: DestinationIp: 104.26.12.205, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 7428, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49723

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\overmelod.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\overmelod.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3964, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\overmelod.vbs" , ProcessId: 7396, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\overmelod.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\overmelod.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3964, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\overmelod.vbs" , ProcessId: 7396, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, ProcessId: 6700, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\overmelod.vbs

Suricata Signatures

ET MALWARE Aurotun Stealer CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-12T21:33:35.618499+0200	2061200	1	A Network Trojan was detected	192.168.2.4	49720	45.227.252.199	7712	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\overmelod.exe

Avira: detection malicious, Label: HEUR/AGEN.1313033

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	ReversingLabs: Detection: 19%
Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Virustotal: Detection: 20%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Neural Call Log Analysis: 100.0%

Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1344510463.0000018E531F1000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_249974ab-b

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49723 version: TLS 1.2

Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1328579698.0000018E40B20000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1328579698.0000018E40B20000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1344510463.0000018E54FD8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1328394989.0000018E40AB0000.00000004.08000000.00040000.00000000.sdmp, overmelod.exe, 00000009.00000002.1416648850.0000018894791000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1344510463.0000018E54FD8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1328394989.0000018E40AB0000.00000004.08000000.00040000.00000000.sdmp, overmelod.exe, 00000009.00000002.1416648850.0000018894791000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: .pdbz?x source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, overmelod.exe.0.dr

Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Code function: 4x nop then jmp 00007FFC3DDB1576h	9_2_00007FFC3DDB136E
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Code function: 4x nop then jmp 00007FFC3DF76A23h	9_2_00007FFC3DF765FB
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Code function: 4x nop then jmp 00007FFC3DF76A23h	9_2_00007FFC3DF76A16

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2061200 - Severity 1 - ET MALWARE Aurotun Stealer CnC Checkin : 192.168.2.4:49720 -> 45.227.252.199:7712

Source: global traffic

TCP traffic: 192.168.2.4:49720 -> 45.227.252.199:7712

Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205

Source: Joe Sandbox View

ASN Name: WS171-ASRU WS171-ASRU

Source: Joe Sandbox View

JA3 fingerprint: bd0bf25947d4a37404f0424edf4db9ad

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 45.227.252.199
Source: unknown	TCP traffic detected without corresponding DNS query: 45.227.252.199
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 45.227.252.199
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 45.227.252.199
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 45.227.252.199
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: unknown	TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: unknown	TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: unknown	TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: unknown	TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: unknown	TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.227.252.199
Source: unknown	TCP traffic detected without corresponding DNS query: 45.227.252.199
Source: unknown	TCP traffic detected without corresponding DNS query: 45.227.252.199
Source: unknown	TCP traffic detected without corresponding DNS query: 45.227.252.199
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown	TCP traffic detected without corresponding DNS query: 45.227.252.199
Source: unknown	TCP traffic detected without corresponding DNS query: 45.227.252.199

Source: global traffic	HTTP traffic detected: GET /r/gsr1.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: /If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
Source: global traffic	HTTP traffic detected: GET /r/r4.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: /If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: c.pki.goog

Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, overmelod.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, overmelod.exe.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, overmelod.exe.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, overmelod.exe.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, overmelod.exe.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, overmelod.exe.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, overmelod.exe.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, overmelod.exe.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, overmelod.exe.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, overmelod.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, overmelod.exe.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1328830902.0000018E42421000.00000004.00000800.00020000.00000000.sdmp, overmelod.exe, 00000009.00000002.1371837193.0000018884671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MSBuild.exe, 00000008.00000002.2437053337.000002AB72CDF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: MSBuild.exe, 00000008.00000002.2437053337.000002AB72CDF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: MSBuild.exe, 00000008.00000002.2437053337.000002AB72CDF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/US
Source: MSBuild.exe, 00000008.00000002.2437053337.000002AB72CDF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgk
Source: MSBuild.exe, 00000008.00000002.2437053337.000002AB72CDF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgptography
Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1344510463.0000018E531F1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1344510463.0000018E55E73000.00000004.00000800.00020000.00000000.sdmp, overmelod.exe, 00000009.00000002.1416648850.0000018898FA0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.1359903279.00000001409BB000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1344510463.0000018E531F1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1344510463.0000018E55E73000.00000004.00000800.00020000.00000000.sdmp, overmelod.exe, 00000009.00000002.1416648850.0000018898FA0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.1359903279.00000001409BB000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://curl.se/docs/hsts.html
Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1344510463.0000018E531F1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1344510463.0000018E55E73000.00000004.00000800.00020000.00000000.sdmp, overmelod.exe, 00000009.00000002.1416648850.0000018898FA0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.1359903279.00000001409BB000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1344510463.0000018E54FD8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1328394989.0000018E40AB0000.00000004.08000000.00040000.00000000.sdmp, overmelod.exe, 00000009.00000002.1416648850.0000018894791000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1344510463.0000018E54FD8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1328394989.0000018E40AB0000.00000004.08000000.00040000.00000000.sdmp, overmelod.exe, 00000009.00000002.1416648850.0000018894681000.00000004.00000800.00020000.00000000.sdmp, overmelod.exe, 00000009.00000002.1416648850.0000018894791000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1344510463.0000018E54FD8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1328394989.0000018E40AB0000.00000004.08000000.00040000.00000000.sdmp, overmelod.exe, 00000009.00000002.1416648850.0000018894791000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, overmelod.exe.0.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1344510463.0000018E54FD8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1328394989.0000018E40AB0000.00000004.08000000.00040000.00000000.sdmp, overmelod.exe, 00000009.00000002.1416648850.0000018894791000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1344510463.0000018E54FD8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1328830902.0000018E42421000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1328394989.0000018E40AB0000.00000004.08000000.00040000.00000000.sdmp, overmelod.exe, 00000009.00000002.1371837193.0000018884671000.00000004.00000800.00020000.00000000.sdmp, overmelod.exe, 00000009.00000002.1416648850.0000018894791000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1344510463.0000018E54FD8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1328394989.0000018E40AB0000.00000004.08000000.00040000.00000000.sdmp, overmelod.exe, 00000009.00000002.1416648850.0000018894791000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49723 version: TLS 1.2

System Summary

Drops large PE files

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe

File dump: overmelod.exe.0.dr 298710982

Jump to dropped file

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Code function: 0_2_00007FFC3DD97080	0_2_00007FFC3DD97080
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Code function: 0_2_00007FFC3DD90510	0_2_00007FFC3DD90510
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Code function: 0_2_00007FFC3DD9D0F0	0_2_00007FFC3DD9D0F0
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Code function: 9_2_00007FFC3DDB73C9	9_2_00007FFC3DDB73C9
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Code function: 9_2_00007FFC3DDBBDD4	9_2_00007FFC3DDBBDD4
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Code function: 9_2_00007FFC3DD97080	9_2_00007FFC3DD97080
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Code function: 9_2_00007FFC3DD90510	9_2_00007FFC3DD90510
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Code function: 9_2_00007FFC3DD9D0F0	9_2_00007FFC3DD9D0F0
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Code function: 9_2_00007FFC3DF59BB8	9_2_00007FFC3DF59BB8
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Code function: 9_2_00007FFC3DF59BD8	9_2_00007FFC3DF59BD8
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Code function: 9_2_00007FFC3DF59C18	9_2_00007FFC3DF59C18
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Code function: 9_2_00007FFC3DF5DFD1	9_2_00007FFC3DF5DFD1
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Code function: 9_2_00007FFC3DF5DFF0	9_2_00007FFC3DF5DFF0
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Code function: 9_2_00007FFC3DF5781D	9_2_00007FFC3DF5781D
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Code function: 9_2_00007FFC3DF51C8D	9_2_00007FFC3DF51C8D
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Code function: 9_2_00007FFC3DF5EE48	9_2_00007FFC3DF5EE48
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Code function: 9_2_00007FFC3DF5EE58	9_2_00007FFC3DF5EE58
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Code function: 9_2_00007FFC3DF5830F	9_2_00007FFC3DF5830F
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Code function: 9_2_00007FFC3DF5D214	9_2_00007FFC3DF5D214
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Code function: 9_2_00007FFC3DF6CD10	9_2_00007FFC3DF6CD10
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Code function: 9_2_00007FFC3DF71B2D	9_2_00007FFC3DF71B2D
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Code function: 9_2_00007FFC3DF6D449	9_2_00007FFC3DF6D449
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Code function: 9_2_00007FFC3DF782E5	9_2_00007FFC3DF782E5
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Code function: 9_2_00007FFC3DF731A1	9_2_00007FFC3DF731A1

Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe

Static PE information: invalid certificate

Source: overmelod.exe.0.dr	Static PE information: No import functions for PE file found
Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Static PE information: No import functions for PE file found

Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1344510463.0000018E54FD8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe
Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1344510463.0000018E529ED000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRdvlcvkrhps.dll" vs SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe
Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1328579698.0000018E40B20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe
Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1328394989.0000018E40AB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe
Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000000.1194583552.0000018E406DC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenametl_test_video.exe: vs SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe
Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Binary or memory string: OriginalFilenametl_test_video.exe: vs SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe

Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, abl.cs	Cryptographic APIs: 'CreateDecryptor'
Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, zu.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe.18e40b20000.1.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe.18e40b20000.1.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe.18e40b20000.1.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe.18e40b20000.1.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'

Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe.18e40b20000.1.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe.18e40b20000.1.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe.18e40b20000.1.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe.18e40b20000.1.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe.18e40b20000.1.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe.18e40b20000.1.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@8/2@2/3

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\overmelod.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rkodxebqn
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\Mutant-3563EDB20EFE8B836FF5BB7F6C4FB7D17B73C53114B51E5BABA26D2280D33D9C

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe

File created: C:\Users\user\AppData\Local\Temp\overmelod.exe

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\overmelod.vbs"

Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1344510463.0000018E529ED000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1344510463.0000018E559D8000.00000004.00000800.00020000.00000000.sdmp, overmelod.exe, 00000009.00000002.1416648850.00000188952B8000.00000004.00000800.00020000.00000000.sdmp, overmelod.exe, 00000009.00000002.1416648850.0000018898B4B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.1359903279.0000000140000000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1344510463.0000018E529ED000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1344510463.0000018E559D8000.00000004.00000800.00020000.00000000.sdmp, overmelod.exe, 00000009.00000002.1416648850.00000188952B8000.00000004.00000800.00020000.00000000.sdmp, overmelod.exe, 00000009.00000002.1416648850.0000018898B4B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.1359903279.0000000140000000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);

Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	ReversingLabs: Detection: 19%
Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Virustotal: Detection: 20%

Source: MSBuild.exe	String found in binary or memory: Accept-Additions
Source: MSBuild.exe	String found in binary or memory: List-Help
Source: MSBuild.exe	String found in binary or memory: MMHS-Exempted-Address
Source: MSBuild.exe	String found in binary or memory: Originator-Return-Address

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\overmelod.vbs"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\overmelod.exe "C:\Users\user\AppData\Local\Temp\overmelod.exe"
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\overmelod.exe "C:\Users\user\AppData\Local\Temp\overmelod.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe

Static file information: File size 6614144 > 1048576

Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x618800

Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1328579698.0000018E40B20000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1328579698.0000018E40B20000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1344510463.0000018E54FD8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1328394989.0000018E40AB0000.00000004.08000000.00040000.00000000.sdmp, overmelod.exe, 00000009.00000002.1416648850.0000018894791000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1344510463.0000018E54FD8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1328394989.0000018E40AB0000.00000004.08000000.00040000.00000000.sdmp, overmelod.exe, 00000009.00000002.1416648850.0000018894791000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: .pdbz?x source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, overmelod.exe.0.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe.18e40b20000.1.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe.18e40b20000.1.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe.18e40b20000.1.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe.18e40ab0000.0.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe.18e40ab0000.0.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe.18e40ab0000.0.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe.18e40ab0000.0.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe.18e40ab0000.0.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe.18e5b780000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe.18e5b780000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1344510463.0000018E54D9E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1328830902.0000018E42421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1371837193.0000018884671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1655849966.0000018E5B780000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1416648850.0000018895C72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe PID: 6700, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: overmelod.exe PID: 7468, type: MEMORYSTR

Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe

Static PE information: real checksum: 0x652a98 should be: 0x650542

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Code function: 0_2_00007FFC3DD900BD pushad ; iretd	0_2_00007FFC3DD900C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Code function: 0_2_00007FFC3DE3C350 push es; ret	0_2_00007FFC3DE3C351
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Code function: 0_2_00007FFC3DF46F75 push eax; iretd	0_2_00007FFC3DF46F76
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Code function: 0_2_00007FFC3DF4B670 push ds; iretd	0_2_00007FFC3DF4B671
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Code function: 9_2_00007FFC3DDC3E78 pushad ; retf	9_2_00007FFC3DDC3F59
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Code function: 9_2_00007FFC3DDC55CB push ebx; iretd	9_2_00007FFC3DDC55DA
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Code function: 9_2_00007FFC3DDC3F6D pushad ; retf	9_2_00007FFC3DDC3F59
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Code function: 9_2_00007FFC3DD900BD pushad ; iretd	9_2_00007FFC3DD900C1
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Code function: 9_2_00007FFC3DF58C50 push eax; ret	9_2_00007FFC3DF58CBC
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Code function: 9_2_00007FFC3DF46F75 push eax; iretd	9_2_00007FFC3DF46F76
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Code function: 9_2_00007FFC3DF85487 push ds; iretd	9_2_00007FFC3DF8556F
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Code function: 9_2_00007FFC3DF75921 push ds; retf	9_2_00007FFC3DF7596F

Persistence and Installation Behavior

AI detected suspicious PE digital signature

Source: Initial sample

Joe Sandbox AI: Detected suspicious elements in PE signature: Multiple high-risk indicators present: 1) Signature is invalid with verification failure - critical red flag. 2) Organization 'FLASH-INTEGRO LLC' from Uzbekistan (UZ) raises concerns due to geographic location and limited reputation. 3) Compilation timestamp (Apr 9, 2025) is very recent and close to current date (Apr 12, 2025), which is common in malware. 4) While Sectigo is a known Certificate Authority, the invalid signature nullifies any trust. 5) The certificate is technically still within validity period (Nov 2022 - Nov 2025) but the signature validation failure overrides this. The combination of an invalid signature, recent compilation, and entity from a higher-risk region strongly suggests this is likely malicious code.

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe

File created: C:\Users\user\AppData\Local\Temp\overmelod.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\overmelod.vbs

Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\overmelod.vbs

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\overmelod.vbs

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1328830902.0000018E42421000.00000004.00000800.00020000.00000000.sdmp, overmelod.exe, 00000009.00000002.1371837193.0000018884671000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Memory allocated: 18E40930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Memory allocated: 18E5A420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Memory allocated: 188829C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Memory allocated: 1889C670000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\overmelod.exe

Code function: 9_2_00007FFC3DF7C998 sldt word ptr [eax]

9_2_00007FFC3DF7C998

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: wscript.exe, 00000007.00000002.1346135673.0000022E82374000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.
Source: MSBuild.exe, 0000000B.00000002.1393835741.000001A0F3EE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>>A
Source: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1344510463.0000018E529ED000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmCipcst1pNSXsKUbtH
Source: wscript.exe, 00000007.00000002.1346135673.0000022E82374000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\-
Source: overmelod.exe, 00000009.00000002.1371837193.0000018884671000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: overmelod.exe, 00000009.00000002.1371837193.0000018884671000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: MSBuild.exe, 00000008.00000002.2437053337.000002AB72CDF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZZ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	NtQueryValueKey: Direct from: 0x7FFC9B783695	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	NtUnmapViewOfSection: Direct from: 0x7FFC3DF9F1B6	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	NtResumeThread: Direct from: 0x7FFC3DF9E44C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	NtClose: Direct from: 0x7FFC9B6D0CB8
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	NtSetInformationProcess: Direct from: 0x7FFC9D2DFF46	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	NtProtectVirtualMemory: Direct from: 0x7FFC9D2E0906	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	NtProtectVirtualMemory: Direct from: 0x7FFC3DF9B599	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	NtQueryAttributesFile: Direct from: 0x7FFC9D35BC4A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	NtOpenKeyEx: Direct from: 0x7FFC9B787FC1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	NtWriteVirtualMemory: Direct from: 0x7FFC3DF9D632	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	NtProtectVirtualMemory: Direct from: 0x7FFC3DF9D659	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	NtResumeThread: Direct from: 0x7FFC3DFA07FC	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	NtReadFile: Direct from: 0x7FFC9B77C9C8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	NtQueryValueKey: Direct from: 0x7FFC9B7855C5	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	NtDeviceIoControlFile: Direct from: 0x7FFC9D42F207	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	NtAdjustPrivilegesToken: Direct from: 0x7FFC9A841BEC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	NtUnmapViewOfSection: Direct from: 0x7FFC3DF9CE06	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	NtQueryValueKey: Direct from: 0x7FFC99DB1DC5	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	NtQueryVolumeInformationFile: Direct from: 0x7FFC9B78734C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	NtSetInformationProcess: Direct from: 0x7FFC9D2DFF6B	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	NtSetTimerEx: Direct from: 0x7FFCC36E26A1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	NtQueryInformationToken: Direct from: 0x7FFC9D3167CB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	NtOpenFile: Direct from: 0x7FFC9D3632D3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	NtClose: Direct from: 0x7FFC9AC99A3C
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	NtQuerySystemInformation: Direct from: 0x7FFC9D2A53EE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	NtQuerySystemInformation: Direct from: 0x7FFC9A841285	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	NtOpenKeyEx: Direct from: 0x7FFC9D3587B7	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	NtProtectVirtualMemory: Direct from: 0x7FFC9D2DFF57	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	NtMapViewOfSection: Direct from: 0x7FFC9D37A7F5	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	NtDelayExecution: Direct from: 0x7FFC9D285073	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	NtSetContextThread: Direct from: 0x7FFC3DF9DBB6	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	NtReadFile: Direct from: 0x7FFC9D375F36	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	NtQueryValueKey: Direct from: 0x7FFC9B784413	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	NtCreateFile: Direct from: 0x7FFC9B78517F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	NtClose: Direct from: 0x7FFC9B78713F
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	NtClose: Direct from: 0x7FFC9D375F5A
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	NtCreateFile: Direct from: 0x7FFC9D375FD7	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	NtSetContextThread: Direct from: 0x7FFC3DF9FF66	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	NtWriteVirtualMemory: Direct from: 0x7FFC3DF9F9E2	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 140000000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 140000000 value starts with: 4D5A			Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Thread register set: target process: 7428			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Thread register set: target process: 7632			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 140000000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 140001000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 140833000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 140A8F000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 140AD9000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 140B29000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 140B2A000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: D791CA6010	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 140000000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 140001000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 140833000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 140A8F000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 140AD9000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 140B29000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 140B2A000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: 86F300E010	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\overmelod.exe "C:\Users\user\AppData\Local\Temp\overmelod.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\overmelod.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\overmelod.exe VolumeInformation			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

Code function: 11_2_00000001407B4F8C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

11_2_00000001407B4F8C

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected GhostRat

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe PID: 6700, type: MEMORYSTR

Remote Access Functionality

Yara detected GhostRat

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe PID: 6700, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	2 Command and Scripting Interpreter	111 Scripting	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	12 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Scheduled Task/Job	311 Process Injection	1 Abuse Elevation Control Mechanism	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	2 Obfuscated Files or Information	NTDS	11 Security Software Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Registry Run Keys / Startup Folder	1 Software Packing	LSA Secrets	2 Virtualization/Sandbox Evasion	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	311 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	19%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	21%	Virustotal		Browse
SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	100%	Avira	HEUR/AGEN.1304644
SAMPLE	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\overmelod.exe	100%	Avira	HEUR/AGEN.1313033

Source	Detection	Scanner	Label	Link
https://api.ipify.orgptography	0%	Avira URL Cloud	safe
https://api.ipify.orgk	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	high
api.ipify.org	104.26.12.205	true	false	high
pki-goog.l.google.com	172.217.215.94	true	false	high
c.pki.goog	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://c.pki.goog/r/r4.crl	false		high
http://c.pki.goog/r/gsr1.crl	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	MSBuild.exe, 00000008.00000002.2437053337.000002AB72CDF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.ipify.org/US	MSBuild.exe, 00000008.00000002.2437053337.000002AB72CDF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.ipify.orgk	MSBuild.exe, 00000008.00000002.2437053337.000002AB72CDF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, overmelod.exe.0.dr	false		high
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#	SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, overmelod.exe.0.dr	false		high
https://stackoverflow.com/q/14436606/23354	SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1344510463.0000018E54FD8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1328830902.0000018E42421000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1328394989.0000018E40AB0000.00000004.08000000.00040000.00000000.sdmp, overmelod.exe, 00000009.00000002.1371837193.0000018884671000.00000004.00000800.00020000.00000000.sdmp, overmelod.exe, 00000009.00000002.1416648850.0000018894791000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-netJ	SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1344510463.0000018E54FD8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1328394989.0000018E40AB0000.00000004.08000000.00040000.00000000.sdmp, overmelod.exe, 00000009.00000002.1416648850.0000018894681000.00000004.00000800.00020000.00000000.sdmp, overmelod.exe, 00000009.00000002.1416648850.0000018894791000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, overmelod.exe.0.dr	false		high
http://ocsp.sectigo.com0	SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, overmelod.exe.0.dr	false		high
https://curl.se/docs/http-cookies.html	SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1344510463.0000018E531F1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1344510463.0000018E55E73000.00000004.00000800.00020000.00000000.sdmp, overmelod.exe, 00000009.00000002.1416648850.0000018898FA0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.1359903279.00000001409BB000.00000040.00000400.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, overmelod.exe.0.dr	false		high
https://github.com/mgravell/protobuf-net	SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1344510463.0000018E54FD8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1328394989.0000018E40AB0000.00000004.08000000.00040000.00000000.sdmp, overmelod.exe, 00000009.00000002.1416648850.0000018894791000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, overmelod.exe.0.dr	false		high
https://curl.se/docs/alt-svc.html	SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1344510463.0000018E531F1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1344510463.0000018E55E73000.00000004.00000800.00020000.00000000.sdmp, overmelod.exe, 00000009.00000002.1416648850.0000018898FA0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.1359903279.00000001409BB000.00000040.00000400.00020000.00000000.sdmp	false		high
https://curl.se/docs/hsts.html	SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1344510463.0000018E531F1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1344510463.0000018E55E73000.00000004.00000800.00020000.00000000.sdmp, overmelod.exe, 00000009.00000002.1416648850.0000018898FA0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000B.00000002.1359903279.00000001409BB000.00000040.00000400.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0	SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, overmelod.exe.0.dr	false		high
https://api.ipify.org	MSBuild.exe, 00000008.00000002.2437053337.000002AB72CDF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-neti	SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1344510463.0000018E54FD8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1328394989.0000018E40AB0000.00000004.08000000.00040000.00000000.sdmp, overmelod.exe, 00000009.00000002.1416648850.0000018894791000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, overmelod.exe.0.dr	false		high
https://api.ipify.orgptography	MSBuild.exe, 00000008.00000002.2437053337.000002AB72CDF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/11564914/23354;	SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1344510463.0000018E54FD8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1328394989.0000018E40AB0000.00000004.08000000.00040000.00000000.sdmp, overmelod.exe, 00000009.00000002.1416648850.0000018894791000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1344510463.0000018E54FD8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1328394989.0000018E40AB0000.00000004.08000000.00040000.00000000.sdmp, overmelod.exe, 00000009.00000002.1416648850.0000018894791000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z	SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, overmelod.exe.0.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, 00000000.00000002.1328830902.0000018E42421000.00000004.00000800.00020000.00000000.sdmp, overmelod.exe, 00000009.00000002.1371837193.0000018884671000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, overmelod.exe.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.12.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false
45.227.252.199	unknown	Panama		41995	WS171-ASRU	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1663899
Start date and time:	2025-04-12 21:32:21 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe
Detection:	MAL
Classification:	mal100.troj.expl.evad.winEXE@8/2@2/3
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 56% Number of executed functions: 379 Number of non-executed functions: 8
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.213.193, 23.64.172.197, 199.232.214.172, 4.245.163.56, 20.242.39.171, 20.109.210.53, 199.232.210.172, 204.79.197.222
Excluded domains from analysis (whitelisted): fp.msedge.net, fs.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, slscr.update.microsoft.com, e3913.cd.akamaiedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, fe3cr.delivery.mp.microsoft.com, cac-ocsp.digicert.com.edgekey.net, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Execution Graph export aborted for target MSBuild.exe, PID 7632 because there are no executed function
Execution Graph export aborted for target SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe, PID 6700 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:33:24	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\overmelod.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.12.205	NightGame Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	b8Q7mSvddr.exe	Get hash	malicious	DOENERIUM STEALER	Browse	api.ipify.org/
	70N2w0orPh.exe	Get hash	malicious	DOENERIUM STEALER	Browse	api.ipify.org/
	70N2w0orPh.exe	Get hash	malicious	DOENERIUM STEALER	Browse	api.ipify.org/
	1208_37832604.doc	Get hash	malicious	Hancitor	Browse	api.ipify.org/
	ArenaWarsSetup.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	ue8Q3DCbNG.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	LauncherV9.exe	Get hash	malicious	LummaC Stealer	Browse	api.ipify.org/
	Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=xml
	NightFixed 1.0.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
45.227.252.199	SecuriteInfo.com.Win64.MalwareX-gen.4322.24447.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
pki-goog.l.google.com	SecuriteInfo.com.Trojan.DownLoader48.29860.1293.7282.exe	Get hash	malicious	DcRat	Browse	64.233.185.94
	2zb8yjqduP.dll	Get hash	malicious	Unknown	Browse	74.125.21.94
	GSRuGK48Ex.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	142.250.9.94
	rxm.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	142.251.15.94
	Rd_client_w_a_s_d_patched.exe	Get hash	malicious	LummaC Stealer	Browse	74.125.21.94
	67f525209658e.vbs	Get hash	malicious	LummaC Stealer	Browse	108.177.122.94
	IMSoftware{Launcher}3.21.exe	Get hash	malicious	LummaC Stealer	Browse	142.251.15.94
	SoftWare(2).exe	Get hash	malicious	LummaC Stealer	Browse	74.125.21.94
	SoftWare(1).exe	Get hash	malicious	LummaC Stealer	Browse	74.125.21.94
	Launcher.exe	Get hash	malicious	LummaC Stealer	Browse	173.194.219.94
api.ipify.org	https://www.canva.com/design/DAGkPkwDgSg/u9VDlBP5gFpCWakWq8SpPQ/view?utm_content=DAGkPkwDgSg&utm_campaign=designshare&utm_medium=link2&utm_source=uniquelinks&utlId=hc42c7e8522	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	104.26.13.205
	SecuriteInfo.com.Win64.MalwareX-gen.4322.24447.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://cola-careers.site/apply/id834285345	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://forms.office.com/e/v86Z0QdF5R	Get hash	malicious	Tycoon2FA	Browse	172.67.74.152
	pkbXo7ZcIQ.exe	Get hash	malicious	Meduza Stealer	Browse	104.26.12.205
	New Purchase Order.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	https://drive.google.com/uc?export=download&id=1FYPPFFRzb0m4iLuTzYE2x-LVa2_xHVD0	Get hash	malicious	HTMLPhisher	Browse	104.26.13.205
	FAV.ps1	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	PtOrnXcy.exe.bin.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Request for Quotation #3200025006.PDF.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
bg.microsoft.map.fastly.net	SecuriteInfo.com.Trojan.DownLoader48.29860.1293.7282.exe	Get hash	malicious	DcRat	Browse	199.232.210.172
	support.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse	199.232.210.172
	support.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse	199.232.210.172
	jre-8u441-windows-x64.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	jre-8u441-windows-x64.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	AxgHj313r7.exe	Get hash	malicious	Rhysida, TrojanRansom	Browse	199.232.210.172
	Dd73LmElYt.ppt	Get hash	malicious	Unknown	Browse	199.232.214.172
	Dd73LmElYt.ppt	Get hash	malicious	Unknown	Browse	199.232.210.172
	GSRuGK48Ex.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	199.232.210.172
	rxm.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://chrissys-marshall-site.webflow.io/	Get hash	malicious	Unknown	Browse	104.21.96.1
	support.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse	104.21.48.239
	support.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse	172.67.157.1
	QuarantineMessage.zip	Get hash	malicious	HTMLPhisher	Browse	104.16.117.116
	https://webshuaw.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	162.247.243.29
	SecuriteInfo.com.Win32.MalwareX-gen.25317.7450.exe	Get hash	malicious	Unknown	Browse	1.1.1.1
	SecuriteInfo.com.Win32.MalwareX-gen.25317.7450.exe	Get hash	malicious	Unknown	Browse	1.1.1.1
	M605aSgwAR.exe	Get hash	malicious	Unknown	Browse	104.21.91.46
	ZcvUiE3Wl5.exe	Get hash	malicious	Unknown	Browse	172.67.166.185
	M605aSgwAR.exe	Get hash	malicious	Unknown	Browse	104.21.91.46
WS171-ASRU	SecuriteInfo.com.Win64.MalwareX-gen.4322.24447.exe	Get hash	malicious	Unknown	Browse	45.227.252.199
	https://digitaleconomy.space/wp-content/plugins/ultrapress/packages/background-image-cropper/oueupr.php?xtt=7up620k	Get hash	malicious	Unknown	Browse	88.214.27.56
	Radico-Asia_Star-PO-2024-0102.pdf.exe	Get hash	malicious	Remcos, DBatLoader	Browse	185.222.163.245
	https://bit.ly/3RPzJ7A	Get hash	malicious	Porn Scam	Browse	88.214.27.36
	file.exe	Get hash	malicious	Djvu, SmokeLoader	Browse	85.217.144.143
	file.exe	Get hash	malicious	Glupteba, SmokeLoader, Vidar	Browse	85.217.144.143
	file.exe	Get hash	malicious	Glupteba, SmokeLoader, Vidar	Browse	85.217.144.143
	file.exe	Get hash	malicious	Glupteba, Neoreklami, Phonk Miner, RedLine, SmokeLoader, Vidar	Browse	85.217.144.143
	file.exe	Get hash	malicious	Glupteba, SmokeLoader	Browse	85.217.144.143
	file.exe	Get hash	malicious	PrivateLoader, RedLine, SmokeLoader	Browse	85.217.144.143

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bd0bf25947d4a37404f0424edf4db9ad	M605aSgwAR.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	ZcvUiE3Wl5.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	M605aSgwAR.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	SecuriteInfo.com.Win64.MalwareX-gen.4322.24447.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	pkbXo7ZcIQ.exe	Get hash	malicious	Meduza Stealer	Browse	104.26.12.205
	BuNsxf1fHN	Get hash	malicious	Unknown	Browse	104.26.12.205
	7 copy2.xlsm	Get hash	malicious	Unknown	Browse	104.26.12.205
	Spartacus.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	Spartacus.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	cagWUQ0Cti.xlsm	Get hash	malicious	Unknown	Browse	104.26.12.205

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe
File Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	298710982
Entropy (8bit):	7.999984125109136
Encrypted:	true
SSDEEP:
MD5:	55F39A32209CCB51775828EB07A3DA96
SHA1:	D451124F2ACF67A88B08C827DD5F52F1661FC498
SHA-256:	22EFFE43A7A53A24B2A2397431FEADACD2D9B2B04D9B5A124636D48E9668CA27
SHA-512:	67EC3AC0C7392D7CC8DDDF3703EF745EDB5538521226C29C9976944C09848AA9CA653EB16B2D910104209098FD4A2D2E723B53A66C19E5B5FBDCCF34A7DECD48
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......g..........".......a..4........... ....@...... ........................e......e...`...........................................................a..4............d.............................................................................. ..H............text.....a.. ....a................. ..`.rsrc....4....a..4....a.............@..@........................................H........._.P.................]..........................................0.......... ..P....(....&..0.......... ..P....(....&..0..(....... .P.(....o.....(....o....(......(....&.0..(....... d.P.(....o.....(....o....(......(....&.0.......... 8.P....(....&..0.......... .P....(....&..0.......... ..P....(....&J.(q...}.....(.......0..,....... :.P.(....o.....(....o....(......(....t.....0................%.... .@P....(....t.......0.......... .@P....(....t......(....*..0..7.......

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\overmelod.vbs

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	87
Entropy (8bit):	4.7207804462415135
Encrypted:	false
SSDEEP:	3:FER/n0eFHHot+kiE2J5xAIkBJn:FER/lFHIwkn23fkP
MD5:	9764AA7705080A02861E7FE11FF83EAA
SHA1:	5DAAF14465670ABD329D11D05D01FA531553838B
SHA-256:	382697C98158FAE6A7F9DED8422033545DDA0F91DA61A83042D56545AB6AC547
SHA-512:	B80CFE1EEC17C9F1C06EA7D1F47FE5888BA7CE1DBD1D78C96FA38A923C86703EE3CF86E579B8CEF124FDFD7AF19CB2DC54B2021E9BEE64877E3D5BA6ADBB112B
Malicious:	true
Reputation:	low
Preview:	CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Local\Temp\overmelod.exe"""

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.980429501111477
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe
File size:	6'614'144 bytes
MD5:	44269f3383c745b0656f94ebdf04bb4c
SHA1:	c5406153af11c61f10cbc1d49cec53654d3649f0
SHA256:	0303f9d6082240e16f0d503cf900f5f378a5cf906088a7c6312f58ad50472d8a
SHA512:	d8ae4b5a27fb05e936f604b320ae575ae41ba58aefd140e0f218fbaec02e099a230456829cb1425f10c8d49f464d4838bc8e74ffcec72553ab9dcc7c1806fa39
SSDEEP:	196608:6/kwAaMPhvv4IBhYJqbqEq3JYByB3FvBBnf4:68NaMPhvv42KJzFwyBvJf4
TLSH:	4666230A9EF8AF4CCE8D5276B7C41962C83805361AD5E32D99895CDC79EE33F81489C7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......g..........".......a..4........... ....@...... ........................e......*e...`................................

File Icon


Icon Hash:	5fc1c131094d9e07

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67F69688 [Wed Apr 9 15:47:20 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	11/04/2022 01:00:00 11/04/2025 00:59:59
Subject Chain	CN=FLASH-INTEGRO LLC, O=FLASH-INTEGRO LLC, S=Toshkent, C=UZ
Version:	3
Thumbprint MD5:	87868FADE2CE1EF98CC36261B4E35B35
Thumbprint SHA-1:	BBA5B7F9BC2BF9447B4AC9061935B4178FBFBCDE
Thumbprint SHA-256:	690FE7D1A1176892A26FD6867440623E6D8443CA2026E86E6C9F9DB68BBAC043
Serial:	00EEC85D0449E4B3B5DA7FE2D58B77E339

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x61c000	0x33400	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x64be00	0x2e80	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x618710	0x618800	ac49de37116f3b0f9f69dc5d80e85c0a	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x61c000	0x33400	0x33400	ab87f8ea0290c0b6cf18edc0f005ea26	False	0.2387528582317073	data	6.938661643278315	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x61c6cc	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	French	France	0.5714285714285714
RT_CURSOR	0x61c800	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"			0.38636363636363635
RT_CURSOR	0x61c934	0x134	data			0.4642857142857143
RT_CURSOR	0x61ca68	0x134	data			0.4805194805194805
RT_CURSOR	0x61cb9c	0x134	data			0.38311688311688313
RT_CURSOR	0x61ccd0	0x134	data			0.36038961038961037
RT_CURSOR	0x61ce04	0x134	data			0.4090909090909091
RT_CURSOR	0x61cf38	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"			0.4967532467532468
RT_ICON	0x61d06c	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	French	France	0.6252665245202559
RT_ICON	0x61df14	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	French	France	0.769404332129964
RT_ICON	0x61e7bc	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	French	France	0.611271676300578
RT_ICON	0x61ed24	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	French	France	0.3741701244813278
RT_ICON	0x6212cc	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	French	France	0.599671669793621
RT_ICON	0x622374	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	French	France	0.725177304964539
RT_RCDATA	0x6227dc	0x10	data			1.5
RT_RCDATA	0x6227ec	0x164	data			0.7837078651685393
RT_RCDATA	0x622950	0x31f	Delphi compiled form 'TVerificationVideoDlg'			0.5857321652065082
RT_RCDATA	0x622c70	0x2c147	Delphi compiled form 'TVerificationVideoInfoDlg'			0.19591694313518065
RT_GROUP_CURSOR	0x64edb8	0x14	Lotus unknown worksheet or configuration, revision 0x1	French	France	1.25
RT_GROUP_CURSOR	0x64edcc	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0x64ede0	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x64edf4	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x64ee08	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x64ee1c	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x64ee30	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x64ee44	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_ICON	0x64ee58	0x5a	data	French	France	0.7222222222222222
RT_VERSION	0x64eeb4	0x388	data	French	France	0.4668141592920354
RT_MANIFEST	0x64f23c	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Version Infos

Description	Data
CompanyName	dit par AxBx
FileDescription	TestLAB 2008 : contrle vido
FileVersion	8.0.0.0
InternalName	tl_test_video.exe
LegalCopyright	2005-2007 g.snauwaert.
LegalTrademarks	TestLAB est une marque dpose.
OriginalFilename	tl_test_video.exe
ProductName	TestLAB 2008
ProductVersion	8.0.0
Comments
Translation	0x040c 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
French	France
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-04-12T21:33:35.618499+0200	2061200	ET MALWARE Aurotun Stealer CnC Checkin	1	192.168.2.4	49720	45.227.252.199	7712	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2025 21:33:19.668581009 CEST	49671	443	192.168.2.4	204.79.197.203
Apr 12, 2025 21:33:19.980845928 CEST	49671	443	192.168.2.4	204.79.197.203
Apr 12, 2025 21:33:20.590303898 CEST	49671	443	192.168.2.4	204.79.197.203
Apr 12, 2025 21:33:21.793467999 CEST	49671	443	192.168.2.4	204.79.197.203
Apr 12, 2025 21:33:24.199738979 CEST	49671	443	192.168.2.4	204.79.197.203
Apr 12, 2025 21:33:28.601553917 CEST	49678	443	192.168.2.4	20.189.173.27
Apr 12, 2025 21:33:28.902892113 CEST	49678	443	192.168.2.4	20.189.173.27
Apr 12, 2025 21:33:29.012208939 CEST	49671	443	192.168.2.4	204.79.197.203
Apr 12, 2025 21:33:29.512293100 CEST	49678	443	192.168.2.4	20.189.173.27
Apr 12, 2025 21:33:30.715343952 CEST	49678	443	192.168.2.4	20.189.173.27
Apr 12, 2025 21:33:33.121761084 CEST	49678	443	192.168.2.4	20.189.173.27
Apr 12, 2025 21:33:34.686091900 CEST	49720	7712	192.168.2.4	45.227.252.199
Apr 12, 2025 21:33:34.912079096 CEST	7712	49720	45.227.252.199	192.168.2.4
Apr 12, 2025 21:33:34.912198067 CEST	49720	7712	192.168.2.4	45.227.252.199
Apr 12, 2025 21:33:35.032944918 CEST	49723	443	192.168.2.4	104.26.12.205
Apr 12, 2025 21:33:35.033066034 CEST	443	49723	104.26.12.205	192.168.2.4
Apr 12, 2025 21:33:35.033133030 CEST	49723	443	192.168.2.4	104.26.12.205
Apr 12, 2025 21:33:35.037693024 CEST	49723	443	192.168.2.4	104.26.12.205
Apr 12, 2025 21:33:35.037774086 CEST	443	49723	104.26.12.205	192.168.2.4
Apr 12, 2025 21:33:35.049743891 CEST	49681	80	192.168.2.4	2.17.190.73
Apr 12, 2025 21:33:35.272722006 CEST	443	49723	104.26.12.205	192.168.2.4
Apr 12, 2025 21:33:35.272937059 CEST	49723	443	192.168.2.4	104.26.12.205
Apr 12, 2025 21:33:35.355853081 CEST	49681	80	192.168.2.4	2.17.190.73
Apr 12, 2025 21:33:35.547766924 CEST	49713	443	192.168.2.4	131.253.33.254
Apr 12, 2025 21:33:35.550297022 CEST	49713	443	192.168.2.4	131.253.33.254
Apr 12, 2025 21:33:35.550332069 CEST	49713	443	192.168.2.4	131.253.33.254
Apr 12, 2025 21:33:35.618029118 CEST	49723	443	192.168.2.4	104.26.12.205
Apr 12, 2025 21:33:35.618314028 CEST	443	49723	104.26.12.205	192.168.2.4
Apr 12, 2025 21:33:35.618499041 CEST	49720	7712	192.168.2.4	45.227.252.199
Apr 12, 2025 21:33:35.618530035 CEST	49723	443	192.168.2.4	104.26.12.205
Apr 12, 2025 21:33:35.669435978 CEST	443	49713	131.253.33.254	192.168.2.4
Apr 12, 2025 21:33:35.671518087 CEST	443	49713	131.253.33.254	192.168.2.4
Apr 12, 2025 21:33:35.671576023 CEST	443	49713	131.253.33.254	192.168.2.4
Apr 12, 2025 21:33:35.671595097 CEST	49713	443	192.168.2.4	131.253.33.254
Apr 12, 2025 21:33:35.671612024 CEST	443	49713	131.253.33.254	192.168.2.4
Apr 12, 2025 21:33:35.671627045 CEST	49713	443	192.168.2.4	131.253.33.254
Apr 12, 2025 21:33:35.671647072 CEST	443	49713	131.253.33.254	192.168.2.4
Apr 12, 2025 21:33:35.672647953 CEST	49713	443	192.168.2.4	131.253.33.254
Apr 12, 2025 21:33:35.674892902 CEST	443	49713	131.253.33.254	192.168.2.4
Apr 12, 2025 21:33:35.674942017 CEST	443	49713	131.253.33.254	192.168.2.4
Apr 12, 2025 21:33:35.674966097 CEST	49713	443	192.168.2.4	131.253.33.254
Apr 12, 2025 21:33:35.674985886 CEST	49713	443	192.168.2.4	131.253.33.254
Apr 12, 2025 21:33:35.685224056 CEST	49713	443	192.168.2.4	131.253.33.254
Apr 12, 2025 21:33:35.794043064 CEST	443	49713	131.253.33.254	192.168.2.4
Apr 12, 2025 21:33:35.806541920 CEST	443	49713	131.253.33.254	192.168.2.4
Apr 12, 2025 21:33:35.809057951 CEST	443	49713	131.253.33.254	192.168.2.4
Apr 12, 2025 21:33:35.809164047 CEST	443	49713	131.253.33.254	192.168.2.4
Apr 12, 2025 21:33:35.809303045 CEST	49713	443	192.168.2.4	131.253.33.254
Apr 12, 2025 21:33:35.809303999 CEST	49713	443	192.168.2.4	131.253.33.254
Apr 12, 2025 21:33:35.845519066 CEST	7712	49720	45.227.252.199	192.168.2.4
Apr 12, 2025 21:33:35.881369114 CEST	49728	80	192.168.2.4	172.217.215.94
Apr 12, 2025 21:33:35.887141943 CEST	49720	7712	192.168.2.4	45.227.252.199
Apr 12, 2025 21:33:35.965231895 CEST	49681	80	192.168.2.4	2.17.190.73
Apr 12, 2025 21:33:35.988195896 CEST	80	49728	172.217.215.94	192.168.2.4
Apr 12, 2025 21:33:35.988296032 CEST	49728	80	192.168.2.4	172.217.215.94
Apr 12, 2025 21:33:35.988981962 CEST	49728	80	192.168.2.4	172.217.215.94
Apr 12, 2025 21:33:36.095554113 CEST	80	49728	172.217.215.94	192.168.2.4
Apr 12, 2025 21:33:36.096103907 CEST	80	49728	172.217.215.94	192.168.2.4
Apr 12, 2025 21:33:36.096167088 CEST	80	49728	172.217.215.94	192.168.2.4
Apr 12, 2025 21:33:36.098462105 CEST	49728	80	192.168.2.4	172.217.215.94
Apr 12, 2025 21:33:36.403522015 CEST	49728	80	192.168.2.4	172.217.215.94
Apr 12, 2025 21:33:36.511707067 CEST	80	49728	172.217.215.94	192.168.2.4
Apr 12, 2025 21:33:36.558996916 CEST	49728	80	192.168.2.4	172.217.215.94
Apr 12, 2025 21:33:37.168395042 CEST	49681	80	192.168.2.4	2.17.190.73
Apr 12, 2025 21:33:37.980961084 CEST	49678	443	192.168.2.4	20.189.173.27
Apr 12, 2025 21:33:38.715364933 CEST	49671	443	192.168.2.4	204.79.197.203
Apr 12, 2025 21:33:39.684005022 CEST	49681	80	192.168.2.4	2.17.190.73
Apr 12, 2025 21:33:44.684000015 CEST	49681	80	192.168.2.4	2.17.190.73
Apr 12, 2025 21:33:47.684145927 CEST	49678	443	192.168.2.4	20.189.173.27
Apr 12, 2025 21:33:51.114450932 CEST	7712	49720	45.227.252.199	192.168.2.4
Apr 12, 2025 21:33:51.114541054 CEST	49720	7712	192.168.2.4	45.227.252.199
Apr 12, 2025 21:33:54.293440104 CEST	49681	80	192.168.2.4	2.17.190.73
Apr 12, 2025 21:34:02.168682098 CEST	49710	80	192.168.2.4	172.64.149.23
Apr 12, 2025 21:34:02.168730974 CEST	49711	80	192.168.2.4	172.64.149.23
Apr 12, 2025 21:34:02.168762922 CEST	49709	80	192.168.2.4	172.64.149.23
Apr 12, 2025 21:34:02.275126934 CEST	80	49711	172.64.149.23	192.168.2.4
Apr 12, 2025 21:34:02.275299072 CEST	49711	80	192.168.2.4	172.64.149.23
Apr 12, 2025 21:34:02.275599003 CEST	80	49709	172.64.149.23	192.168.2.4
Apr 12, 2025 21:34:02.275753975 CEST	49709	80	192.168.2.4	172.64.149.23
Apr 12, 2025 21:34:02.276283026 CEST	80	49710	172.64.149.23	192.168.2.4
Apr 12, 2025 21:34:02.276355028 CEST	49710	80	192.168.2.4	172.64.149.23
Apr 12, 2025 21:34:06.342230082 CEST	7712	49720	45.227.252.199	192.168.2.4
Apr 12, 2025 21:34:06.342442036 CEST	49720	7712	192.168.2.4	45.227.252.199
Apr 12, 2025 21:34:21.568358898 CEST	7712	49720	45.227.252.199	192.168.2.4
Apr 12, 2025 21:34:21.568449020 CEST	49720	7712	192.168.2.4	45.227.252.199
Apr 12, 2025 21:34:36.795196056 CEST	7712	49720	45.227.252.199	192.168.2.4
Apr 12, 2025 21:34:36.795427084 CEST	49720	7712	192.168.2.4	45.227.252.199
Apr 12, 2025 21:34:52.021564007 CEST	7712	49720	45.227.252.199	192.168.2.4
Apr 12, 2025 21:34:52.021647930 CEST	49720	7712	192.168.2.4	45.227.252.199
Apr 12, 2025 21:35:05.949995995 CEST	49712	443	192.168.2.4	52.113.196.254
Apr 12, 2025 21:35:07.247880936 CEST	7712	49720	45.227.252.199	192.168.2.4
Apr 12, 2025 21:35:07.247967958 CEST	49720	7712	192.168.2.4	45.227.252.199
Apr 12, 2025 21:35:22.476641893 CEST	7712	49720	45.227.252.199	192.168.2.4
Apr 12, 2025 21:35:22.476893902 CEST	49720	7712	192.168.2.4	45.227.252.199
Apr 12, 2025 21:35:25.543706894 CEST	49728	80	192.168.2.4	172.217.215.94
Apr 12, 2025 21:35:25.650286913 CEST	80	49728	172.217.215.94	192.168.2.4
Apr 12, 2025 21:35:25.650346994 CEST	49728	80	192.168.2.4	172.217.215.94

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2025 21:33:34.921956062 CEST	60028	53	192.168.2.4	1.1.1.1
Apr 12, 2025 21:33:35.029361010 CEST	53	60028	1.1.1.1	192.168.2.4
Apr 12, 2025 21:33:35.772022009 CEST	57518	53	192.168.2.4	1.1.1.1
Apr 12, 2025 21:33:35.879754066 CEST	53	57518	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 12, 2025 21:33:34.921956062 CEST	192.168.2.4	1.1.1.1	0x90fe	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Apr 12, 2025 21:33:35.772022009 CEST	192.168.2.4	1.1.1.1	0x6683	Standard query (0)	c.pki.goog	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 12, 2025 21:33:35.029361010 CEST	1.1.1.1	192.168.2.4	0x90fe	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Apr 12, 2025 21:33:35.029361010 CEST	1.1.1.1	192.168.2.4	0x90fe	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Apr 12, 2025 21:33:35.029361010 CEST	1.1.1.1	192.168.2.4	0x90fe	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Apr 12, 2025 21:33:35.397176981 CEST	1.1.1.1	192.168.2.4	0x65a4	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Apr 12, 2025 21:33:35.397176981 CEST	1.1.1.1	192.168.2.4	0x65a4	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Apr 12, 2025 21:33:35.879754066 CEST	1.1.1.1	192.168.2.4	0x6683	No error (0)	c.pki.goog	pki-goog.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 12, 2025 21:33:35.879754066 CEST	1.1.1.1	192.168.2.4	0x6683	No error (0)	pki-goog.l.google.com		172.217.215.94	A (IP address)	IN (0x0001)	false
Apr 12, 2025 21:34:36.069478035 CEST	1.1.1.1	192.168.2.4	0x5ad	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Apr 12, 2025 21:34:36.069478035 CEST	1.1.1.1	192.168.2.4	0x5ad	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

c.pki.goog

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.4	49728	172.217.215.94	80

Timestamp	Bytes transferred	Direction	Data
Apr 12, 2025 21:33:35.988981962 CEST	202	OUT	GET /r/gsr1.crl HTTP/1.1 Cache-Control: max-age = 3000 Connection: Keep-Alive Accept: / If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMT User-Agent: Microsoft-CryptoAPI/10.0 Host: c.pki.goog
Apr 12, 2025 21:33:36.096103907 CEST	1358	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy: same-origin; report-to="cacerts" Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]} Content-Length: 1739 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Sat, 12 Apr 2025 19:11:43 GMT Expires: Sat, 12 Apr 2025 20:01:43 GMT Cache-Control: public, max-age=3000 Age: 1313 Last-Modified: Mon, 07 Apr 2025 13:58:00 GMT Content-Type: application/pkix-crl Vary: Accept-Encoding Data Raw: 30 82 06 c7 30 82 05 af 02 01 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 57 31 0b 30 09 06 03 55 04 06 13 02 42 45 31 19 30 17 06 03 55 04 0a 13 10 47 6c 6f 62 61 6c 53 69 67 6e 20 6e 76 2d 73 61 31 10 30 0e 06 03 55 04 0b 13 07 52 6f 6f 74 20 43 41 31 1b 30 19 06 03 55 04 03 13 12 47 6c 6f 62 61 6c 53 69 67 6e 20 52 6f 6f 74 20 43 41 17 0d 32 35 30 34 30 37 30 30 30 30 30 30 5a 17 0d 32 35 30 37 31 35 30 30 30 30 30 30 5a 30 82 04 f1 30 2a 02 0b 04 00 00 00 00 01 1e 44 a5 e4 04 17 0d 31 34 31 31 32 35 30 30 30 30 30 30 5a 30 0c 30 0a 06 03 55 1d 15 04 03 0a 01 05 30 2a 02 0b 04 00 00 00 00 01 29 45 c3 a8 0f 17 0d 31 34 31 31 32 35 30 30 30 30 30 30 5a 30 0c 30 0a 06 03 55 1d 15 04 03 0a 01 05 30 2a 02 0b 04 00 00 00 00 01 20 19 c1 8d 68 17 0d 31 34 31 31 32 35 30 30 30 30 30 30 5a 30 0c 30 0a 06 03 55 1d 15 04 03 0a 01 05 30 2a 02 0b 04 00 00 00 00 01 2c 5e 7f 1a 88 17 0d 31 34 31 31 32 35 30 30 30 30 30 30 5a 30 0c 30 0a 06 03 55 1d 15 04 03 0a 01 05 30 2a 02 0b 04 00 00 00 00 01 15 4b 5a [TRUNCATED] Data Ascii: 000H0W10UBE10UGlobalSign nv-sa10URoot CA10UGlobalSign Root CA250407000000Z250715000000Z00D141125000000Z00U0)E141125000000Z00U0 h141125000000Z00U0,^141125000000Z00U0KZ160107000000Z00U0/NIR170419000000Z00U0/NG170419000000Z00U0/N9191120000000Z00U0/N=k191204000000Z00U0*/N;X191204000000Z00U0-Ga7.u200630000000Z00U0-G
Apr 12, 2025 21:33:36.096167088 CEST	1095	IN	Data Raw: 18 9d c0 41 1c 9f 3e 54 68 41 17 0d 32 30 30 36 33 30 30 30 30 30 30 30 5a 30 0c 30 0a 06 03 55 1d 15 04 03 0a 01 05 30 2d 02 0e 47 c3 10 00 c0 4b fa 8a 26 54 b7 41 ec 2b 17 0d 32 30 30 36 33 30 30 30 30 30 30 30 5a 30 0c 30 0a 06 03 55 1d 15 04 Data Ascii: A>ThA200630000000Z00U0-GK&TA+200630000000Z00U0*6::200711160000Z00U0/vSBS%V>200728000000Z00U0/vSF-Kg>)200728000000Z00U0/vSHqe]c
Apr 12, 2025 21:33:36.403522015 CEST	200	OUT	GET /r/r4.crl HTTP/1.1 Cache-Control: max-age = 3000 Connection: Keep-Alive Accept: / If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT User-Agent: Microsoft-CryptoAPI/10.0 Host: c.pki.goog
Apr 12, 2025 21:33:36.511707067 CEST	1243	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy: same-origin; report-to="cacerts" Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]} Content-Length: 530 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Sat, 12 Apr 2025 19:01:39 GMT Expires: Sat, 12 Apr 2025 19:51:39 GMT Cache-Control: public, max-age=3000 Age: 1917 Last-Modified: Thu, 03 Apr 2025 14:18:00 GMT Content-Type: application/pkix-crl Vary: Accept-Encoding Data Raw: 30 82 02 0e 30 82 01 93 02 01 01 30 0a 06 08 2a 86 48 ce 3d 04 03 03 30 47 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 22 30 20 06 03 55 04 0a 13 19 47 6f 6f 67 6c 65 20 54 72 75 73 74 20 53 65 72 76 69 63 65 73 20 4c 4c 43 31 14 30 12 06 03 55 04 03 13 0b 47 54 53 20 52 6f 6f 74 20 52 34 17 0d 32 35 30 34 30 33 30 38 30 30 30 30 5a 17 0d 32 36 30 32 32 38 30 37 35 39 35 39 5a 30 81 e9 30 2f 02 10 6e 47 a9 ce 4f 46 c2 3d e2 49 ea cc 38 94 53 73 17 0d 31 39 30 39 33 30 30 30 30 30 30 30 5a 30 0c 30 0a 06 03 55 1d 15 04 03 0a 01 05 30 2c 02 0d 01 f0 9c 5b 70 05 a6 dc 86 e2 f9 9e f3 17 0d 32 30 30 31 33 31 30 30 30 30 30 30 5a 30 0c 30 0a 06 03 55 1d 15 04 03 0a 01 05 30 2c 02 0d 01 fe a5 81 44 7e 3b fd 3b b8 1c 24 98 17 0d 32 33 30 36 31 33 30 30 30 30 30 30 5a 30 0c 30 0a 06 03 55 1d 15 04 03 0a 01 05 30 2c 02 0d 02 16 68 25 e1 70 04 40 61 24 91 f5 40 17 0d 32 35 30 34 30 33 30 38 30 30 30 30 5a 30 0c 30 0a 06 03 55 1d 15 04 03 0a 01 05 30 2c 02 0d 02 00 8e b2 58 e7 b5 94 0c 1f f9 00 44 17 0d 32 35 30 [TRUNCATED] Data Ascii: 000H=0G10UUS1"0 UGoogle Trust Services LLC10UGTS Root R4250403080000Z260228075959Z00/nGOF=I8Ss190930000000Z00U0,[p200131000000Z00U0,D~;;$230613000000Z00U0,h%p@a$@250403080000Z00U0,XD250403080000Z00U/0-0U0U#0LtI6>j0H=i0f1>2en:IN@g=;bQZ~`NX1?^4y[$\4{;$zDeU6O

Target ID:	0
Start time:	15:33:20
Start date:	12/04/2025
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe"
Imagebase:	0x18e400c0000
File size:	6'614'144 bytes
MD5 hash:	44269F3383C745B0656F94EBDF04BB4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1344510463.0000018E54D9E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1328830902.0000018E42421000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1655849966.0000018E5B780000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:33:33
Start date:	12/04/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\overmelod.vbs"
Imagebase:	0x7ff7558e0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:33:33
Start date:	12/04/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
Imagebase:	0x800000
File size:	258'544 bytes
MD5 hash:	2EDD0B288FE2459DA84E4274D1942343
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	15:33:35
Start date:	12/04/2025
Path:	C:\Users\user\AppData\Local\Temp\overmelod.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\overmelod.exe"
Imagebase:	0x18882050000
File size:	298'710'982 bytes
MD5 hash:	55F39A32209CCB51775828EB07A3DA96
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000009.00000002.1371837193.0000018884671000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000009.00000002.1416648850.0000018895C72000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:33:36
Start date:	12/04/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
Imagebase:	0x1a0f3cb0000
File size:	258'544 bytes
MD5 hash:	2EDD0B288FE2459DA84E4274D1942343
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\overmelod.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\overmelod.vbs

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Version Infos

Windows Analysis Report
SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe