Analysis Report SecuriteInfo.com.Generic.mg.944d8991324c722f.5651

Overview

General Information

Sample Name: SecuriteInfo.com.Generic.mg.944d8991324c722f.5651 (renamed file extension from 5651 to exe)
Analysis ID: 315607
MD5: 944d8991324c722fc1495d8f3dda1313
SHA1: 444325eba25189ed60ac8cc9de9dc21af5e267a6
SHA256: 8092e8842e1f992f109e158672c97f4cf67eab62ed6f017b5f4c0378fbfda264

Detection

Ursnif
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Machine Learning detection for sample
Writes or reads registry keys via WMI
Writes registry values via WMI
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Creates a DirectInput object (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

Startup

  • System is w10x64
  • iexplore.exe (PID: 6984 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 2896 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6984 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 6148 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6312 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6148 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 7060 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4768 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7060 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 4864 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4524 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4864 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000003.742632697.0000000003510000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.743506983.0000000003510000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.743723368.0000000003510000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.742984183.0000000003510000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.739298858.0000000003510000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exe | Virustotal: Detection: 26%
Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exe | ReversingLabs: Detection: 25%
Machine Learning detection for sample
Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exe | Joe Sandbox ML: detected
Source: 0.2.SecuriteInfo.com.Generic.mg.944d8991324c722f.exe.620000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
Source: unknown | DNS traffic detected: query: sandypaterson.com replaycode: Server failure (2)
Source: msapplication.xml0.11.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x0f856d66,0x01d6b916</date><accdate>0x0f856d66,0x01d6b916</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.11.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x0f856d66,0x01d6b916</date><accdate>0x0f856d66,0x01d6b916</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.11.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x0f8a3206,0x01d6b916</date><accdate>0x0f8a3206,0x01d6b916</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.11.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x0f8a3206,0x01d6b916</date><accdate>0x0f8c944e,0x01d6b916</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.11.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x0f8c944e,0x01d6b916</date><accdate>0x0f8c944e,0x01d6b916</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.11.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x0f8c944e,0x01d6b916</date><accdate>0x0f8c944e,0x01d6b916</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown | DNS traffic detected: queries for: sandypaterson.com
Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exe, 00000000.00000003.742632697.0000000003510000.00000004.00000040.sdmp | String found in binary or memory: http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html;
Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exe, SecuriteInfo.com.Generic.mg.944d8991324c722f.exe, 00000000.00000002.929853425.00000000009B4000.00000004.00000020.sdmp | String found in binary or memory: http://sandypaterson.com
Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exe, 00000000.00000002.929853425.00000000009B4000.00000004.00000020.sdmp | String found in binary or memory: http://sandypaterson.com/7f
Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exe, 00000000.00000002.929853425.00000000009B4000.00000004.00000020.sdmp, SecuriteInfo.com.Generic.mg.944d8991324c722f.exe, 00000000.00000002.929943056.0000000000A16000.00000004.00000001.sdmp, ~DFD9FF48BBCE138582.TMP.25.dr | String found in binary or memory: http://sandypaterson.com/index.htm
Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exe, 00000000.00000002.929853425.00000000009B4000.00000004.00000020.sdmp | String found in binary or memory: http://sandypaterson.com/index.htmQC:
Source: {5451DF36-2509-11EB-90EB-ECF4BBEA1588}.dat.22.dr | String found in binary or memory: http://sandypaterson.com/index.htmRoot
Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exe, 00000000.00000002.929853425.00000000009B4000.00000004.00000020.sdmp | String found in binary or memory: http://sandypaterson.com/index.htmboundary=e99d6dfcfe2946e99
Source: {5451DF36-2509-11EB-90EB-ECF4BBEA1588}.dat.22.dr | String found in binary or memory: http://sandypaterson.com/index.htmom/index.htm
Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exe, 00000000.00000003.742632697.0000000003510000.00000004.00000040.sdmp | String found in binary or memory: http://sandypaterson.comy7
Source: msapplication.xml.11.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.11.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.11.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.11.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.11.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.11.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.11.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.11.dr | String found in binary or memory: http://www.youtube.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Generic.mg.944d8991324c722f.exe PID: 6836, type: MEMORY
Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exe, 00000000.00000002.929838986.00000000009AA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Generic.mg.944d8991324c722f.exe PID: 6836, type: MEMORY

System Summary:

Writes or reads registry keys via WMI
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.944d8991324c722f.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetDWORDValue
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.944d8991324c722f.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.944d8991324c722f.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.944d8991324c722f.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.944d8991324c722f.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.944d8991324c722f.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.944d8991324c722f.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.944d8991324c722f.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.944d8991324c722f.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.944d8991324c722f.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.944d8991324c722f.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exe, 00000000.00000000.662593623.0000000000674000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamepath.exeZ vs SecuriteInfo.com.Generic.mg.944d8991324c722f.exe
Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exe, 00000000.00000002.929776158.0000000000820000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs SecuriteInfo.com.Generic.mg.944d8991324c722f.exe
Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exe | Binary or memory string: OriginalFilenamepath.exeZ vs SecuriteInfo.com.Generic.mg.944d8991324c722f.exe
Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal84.troj.evad.winEXE@13/49@16/1
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{387B8FCB-2509-11EB-90EB-ECF4BBEA1588}.dat
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.944d8991324c722f.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\1978EE24-ED7A-8F95-C655-46BAE5CC03A0
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF4EE9215B608B6733.TMP
Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.944d8991324c722f.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from win32_process
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.944d8991324c722f.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.944d8991324c722f.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exe | Virustotal: Detection: 26%
Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exe | ReversingLabs: Detection: 25%
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.944d8991324c722f.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.944d8991324c722f.exe'
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6984 CREDAT:17410 /prefetch:2
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6148 CREDAT:17410 /prefetch:2
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7060 CREDAT:17410 /prefetch:2
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4864 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6984 CREDAT:17410 /prefetch:2Jump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6148 CREDAT:17410 /prefetch:2Jump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7060 CREDAT:17410 /prefetch:2Jump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4864 CREDAT:17410 /prefetch:2Jump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.944d8991324c722f.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.944d8991324c722f.exe'
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6984 CREDAT:17410 /prefetch:2
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6148 CREDAT:17410 /prefetch:2
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7060 CREDAT:17410 /prefetch:2
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4864 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6984 CREDAT:17410 /prefetch:2Jump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6148 CREDAT:17410 /prefetch:2Jump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7060 CREDAT:17410 /prefetch:2Jump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4864 CREDAT:17410 /prefetch:2Jump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.944d8991324c722f.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32Jump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.944d8991324c722f.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
            Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: c:\HundredLand\Populateart\milkBuycommon.pdb source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exe
            Source: Binary string: c:\HundredLand\Populateart\milkBuycommon.pdb source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exe
            Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

            Data Obfuscation:

            Detected unpacking (changes PE section rights)
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.944d8991324c722f.exe | Unpacked PE file: 0.2.SecuriteInfo.com.Generic.mg.944d8991324c722f.exe.620000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.reloc:R;
            Detected unpacking (overwrites its own PE header)
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.944d8991324c722f.exe | Unpacked PE file: 0.2.SecuriteInfo.com.Generic.mg.944d8991324c722f.exe.620000.0.unpack
            Source: initial sample | Static PE information: section name: .text entropy: 7.01863250994

            Hooking and other Techniques for Hiding and Protection:

            Yara detected Ursnif
            Source: Yara match | File source: 00000000.00000003.742632697.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743506983.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743723368.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.742984183.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.739298858.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.912443289.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.930128072.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743905074.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743232137.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743351137.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743886439.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743933309.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743868415.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743687657.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.738992991.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743158160.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743818976.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.739195856.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743405174.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743456939.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743080283.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743759622.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743844628.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.742197023.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.742077371.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743558991.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743603999.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743292374.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743922667.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.741938504.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743791940.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.742310497.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743646787.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.742521950.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Generic.mg.944d8991324c722f.exe PID: 6836, type: MEMORY
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.944d8991324c722f.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.944d8991324c722f.exe TID: 3136 | Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.944d8991324c722f.exe | Last function: Thread delayed
            Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exe, 00000000.00000002.929853425.00000000009B4000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exe, 00000000.00000002.930020139.0000000000F90000.00000002.00000001.sdmp | Binary or memory string: Program Manager
            Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exe, 00000000.00000002.930020139.0000000000F90000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
            Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exe, 00000000.00000002.930020139.0000000000F90000.00000002.00000001.sdmp | Binary or memory string: Progman
            Source: SecuriteInfo.com.Generic.mg.944d8991324c722f.exe, 00000000.00000002.930020139.0000000000F90000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.944d8991324c722f.exe | WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antispywareproduct

            Stealing of Sensitive Information:

            Yara detected Ursnif
            Source: Yara match | File source: 00000000.00000003.742632697.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743506983.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743723368.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.742984183.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.739298858.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.912443289.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.930128072.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743905074.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743232137.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743351137.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743886439.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743933309.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743868415.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743687657.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.738992991.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743158160.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743818976.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.739195856.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743405174.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743456939.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743080283.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743759622.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743844628.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.742197023.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.742077371.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743558991.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743603999.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743292374.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743922667.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.741938504.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743791940.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.742310497.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743646787.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.742521950.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Generic.mg.944d8991324c722f.exe PID: 6836, type: MEMORY

            Remote Access Functionality:

            Yara detected Ursnif
            Source: Yara match | File source: 00000000.00000003.742632697.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743506983.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743723368.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.742984183.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.739298858.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.912443289.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.930128072.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743905074.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743232137.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743351137.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743886439.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743933309.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743868415.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743687657.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.738992991.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743158160.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743818976.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.739195856.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743405174.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743456939.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743080283.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743759622.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743844628.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.742197023.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.742077371.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743558991.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743603999.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743292374.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743922667.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.741938504.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743791940.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.742310497.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.743646787.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.742521950.0000000003510000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Generic.mg.944d8991324c722f.exe PID: 6836, type: MEMORY

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Process Injection 2 | Masquerading 1 | Input Capture 1 | Query Registry 1 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Non-Application Layer Protocol 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 1 | LSASS Memory | Security Software Discovery 11 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 2 | Security Account Manager | Virtualization/Sandbox Evasion 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 1 | NTDS | Process Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 23 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | File and Directory Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

            Behavior Graph

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet