
Analysis Report SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe

Overview

General Information

Sample Name:SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe
Analysis ID:356835
MD5:bb663ffdda23f4277af1d261ac43a88e
SHA1:8f4e7653ba71af974226415ed512f44a6168abcc
SHA256:145539dcc07505d1a41913332a55d78398f93c35d7332346e6a58c2006a79714
Detection

Raccoon
Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Raccoon Stealer
Contains functionality to steal Internet Explorer form passwords
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe PID: 488 | JoeSecurity_Raccoon | Yara detected Raccoon Stealer | Joe Security | 

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    AV Detection:

    Multi AV Scanner detection for domain / URL
    Source: yearofthepig.top, Virustotal: Detection: 7%
    Source: telete.in, Virustotal: Detection: 8%
    Multi AV Scanner detection for submitted file
    Source: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, Virustotal: Detection: 74%
    Source: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, Metadefender: Detection: 29%
    Source: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, ReversingLabs: Detection: 89%
    Yara detected Raccoon Stealer
    Source: Yara match, File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe PID: 488, type: MEMORY
    Machine Learning detection for sample
    Source: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, Joe Sandbox ML: detected
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, Code function: 0_2_0040A1F6 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,LocalAlloc,BCryptDecrypt,BCryptCloseAlgorithmProvider,BCryptDestroyKey
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, Code function: 0_2_004245C3 CryptAcquireContextA,CryptCreateHash,lstrlenW,CryptHashData,CryptGetHashParam,wsprintfW,lstrcatW,wsprintfW,lstrcatW,CryptDestroyHash,CryptReleaseContext,lstrlenW,CryptUnprotectData,LocalFree
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, Code function: 0_2_00424796 lstrlenW,lstrlenW,lstrlenW,CredEnumerateW,CryptUnprotectData,LocalFree,CredFree
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, Code function: 0_2_0040A7BA GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, Code function: 0_2_0040C9A1 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, Code function: 0_2_0040AEC3 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree

    Compliance:

    Detected unpacking (overwrites its own PE header)
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, Unpacked PE file: 0.2.SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe.400000.0.unpack
    Uses 32bit PE files
    Source: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
    Uses new MSVCR Dlls
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, File opened: C:\Windows\SysWOW64\msvcr100.dll
    Uses secure TLS version for HTTPS connections
    Source: unknown, HTTPS traffic detected: 195.201.225.248:443 -> 192.168.2.5:49697 version: TLS 1.2
    Source: unknown, HTTPS traffic detected: 172.67.199.58:443 -> 192.168.2.5:49699 version: TLS 1.2
    Binary contains paths to debug symbols
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, Code function: 0_2_0043E217 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, Code function: 0_2_0043E387 GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, Code function: 0_2_00434FF1 GetLogicalDriveStringsA
    Source: Joe Sandbox View, IP Address: 195.201.225.248
    Source: Joe Sandbox View, IP Address: 172.67.199.58
    Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS
    Source: Joe Sandbox View, JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
    Source: unknown, DNS traffic detected: queries for: telete.in
    Source: unknown, Network traffic detected: HTTP traffic on port 49699 -> 443
    Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49699
    Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49697
    Source: unknown, Network traffic detected: HTTP traffic on port 49697 -> 443
    Source: unknown, HTTPS traffic detected: 195.201.225.248:443 -> 192.168.2.5:49697 version: TLS 1.2
    Source: unknown, HTTPS traffic detected: 172.67.199.58:443 -> 192.168.2.5:49699 version: TLS 1.2
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, Code function: 0_2_004266C0 GdiplusStartup,GetDesktopWindow,GetWindowRect,GetWindowDC,GetDeviceCaps,CreateCompatibleDC,CreateDIBSection,DeleteDC,DeleteDC,DeleteDC,SaveDC,SelectObject,BitBlt,RestoreDC,DeleteDC,DeleteDC,DeleteDC,GdipAlloc,GdipCreateBitmapFromHBITMAP,_mbstowcs,GdipSaveImageToFile,DeleteObject,GdiplusShutdown

    E-Banking Fraud:

    Yara detected Raccoon Stealer
    Source: Yara match, File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe PID: 488, type: MEMORY
    Source: unknown, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 488 -s 728
    Source: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, 00000000.00000002.261979576.0000000004020000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe
    Source: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, 00000000.00000002.261967442.0000000004010000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemswsock.dll.muij% vs SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe
    Source: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, 00000000.00000002.261922673.0000000004000000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe
    Source: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
    Source: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: classification engine, Classification label: mal88.troj.spyw.evad.winEXE@2/4@2/2
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, Code function: 0_2_00438121 CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,OpenProcessToken,DuplicateTokenEx,CloseHandle,GetModuleFileNameA,_strlen,_mbstowcs,CreateProcessWithTokenW,CloseHandle,Process32NextW
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, Code function: 0_2_0043483A CoCreateInstance
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, Mutant created: \Sessions\1\BaseNamedObjects\uiabfqwfuuser
    Source: C:\Windows\SysWOW64\WerFault.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess488
    Source: C:\Windows\SysWOW64\WerFault.exe, File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER6833.tmp
    Source: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Windows\SysWOW64\WerFault.exe, File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Windows\SysWOW64\WerFault.exe, File read: C:\Windows\System32\drivers\etc\hosts
    Source: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, Virustotal: Detection: 74%
    Source: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, Metadefender: Detection: 29%
    Source: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, ReversingLabs: Detection: 89%
    Source: unknown, Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe'
    Source: unknown, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 488 -s 728
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, File opened: C:\Windows\SysWOW64\msvcr100.dll
    Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000004.00000003.245759878.0000000005239000.00000004.00000040.sdmp
    Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000004.00000003.245759878.0000000005239000.00000004.00000040.sdmp
    Source: Binary string: shlwapi.pdbn source: WerFault.exe, 00000004.00000003.245759878.0000000005239000.00000004.00000040.sdmp
    Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000004.00000003.245714031.0000000005091000.00000004.00000001.sdmp
    Source: Binary string: sechost.pdb source: WerFault.exe, 00000004.00000003.245687051.0000000005232000.00000004.00000040.sdmp
    Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000004.00000003.245759878.0000000005239000.00000004.00000040.sdmp
    Source: Binary string: nsi.pdb source: WerFault.exe, 00000004.00000003.245759878.0000000005239000.00000004.00000040.sdmp
    Source: Binary string: webio.pdb source: WerFault.exe, 00000004.00000003.245759878.0000000005239000.00000004.00000040.sdmp
    Source: Binary string: powrprof.pdbt source: WerFault.exe, 00000004.00000003.245759878.0000000005239000.00000004.00000040.sdmp
    Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 00000004.00000003.245759878.0000000005239000.00000004.00000040.sdmp
    Source: Binary string: powrprof.pdb source: WerFault.exe, 00000004.00000003.245759878.0000000005239000.00000004.00000040.sdmp
    Source: Binary string: shell32.pdb\ source: WerFault.exe, 00000004.00000003.245759878.0000000005239000.00000004.00000040.sdmp
    Source: Binary string: wsspicli.pdbk source: WerFault.exe, 00000004.00000003.245687051.0000000005232000.00000004.00000040.sdmp
    Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000004.00000003.245759878.0000000005239000.00000004.00000040.sdmp
    Source: Binary string: ole32.pdb source: WerFault.exe, 00000004.00000003.245759878.0000000005239000.00000004.00000040.sdmp
    Source: Binary string: webio.pdbD source: WerFault.exe, 00000004.00000003.245759878.0000000005239000.00000004.00000040.sdmp
    Source: Binary string: msasn1.pdb source: WerFault.exe, 00000004.00000003.245759878.0000000005239000.00000004.00000040.sdmp
    Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000004.00000003.245750481.0000000005230000.00000004.00000040.sdmp
    Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000004.00000003.245759878.0000000005239000.00000004.00000040.sdmp
    Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000004.00000003.245750481.0000000005230000.00000004.00000040.sdmp
    Source: Binary string: sechost.pdbk source: WerFault.exe, 00000004.00000003.245687051.0000000005232000.00000004.00000040.sdmp
    Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000004.00000003.245759878.0000000005239000.00000004.00000040.sdmp
    Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000004.00000003.245750481.0000000005230000.00000004.00000040.sdmp
    Source: Binary string: combase.pdb source: WerFault.exe, 00000004.00000003.245759878.0000000005239000.00000004.00000040.sdmp
    Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000004.00000003.245750481.0000000005230000.00000004.00000040.sdmp
    Source: Binary string: ws2_32.pdb> source: WerFault.exe, 00000004.00000003.245759878.0000000005239000.00000004.00000040.sdmp
    Source: Binary string: ncrypt.pdb source: WerFault.exe, 00000004.00000003.245759878.0000000005239000.00000004.00000040.sdmp
    Source: Binary string: dpapi.pdb source: WerFault.exe, 00000004.00000003.245759878.0000000005239000.00000004.00000040.sdmp
    Source: Binary string: apphelp.pdb source: WerFault.exe, 00000004.00000003.245714031.0000000005091000.00000004.00000001.sdmp
    Source: Binary string: wuser32.pdb source: WerFault.exe, 00000004.00000003.245714031.0000000005091000.00000004.00000001.sdmp
    Source: Binary string: dnsapi.pdbj? source: WerFault.exe, 00000004.00000003.245759878.0000000005239000.00000004.00000040.sdmp
    Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000004.00000003.245759878.0000000005239000.00000004.00000040.sdmp
    Source: Binary string: combase.pdbh source: WerFault.exe, 00000004.00000003.245759878.0000000005239000.00000004.00000040.sdmp
    Source: Binary string: fltLib.pdbz source: WerFault.exe, 00000004.00000003.245759878.0000000005239000.00000004.00000040.sdmp
    Source: Binary string: crypt32.pdb source: WerFault.exe, 00000004.00000003.245759878.0000000005239000.00000004.00000040.sdmp

    Data Obfuscation:

    Detected unpacking (changes PE section rights)
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Unpacked PE file: 0.2.SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
    Detected unpacking (overwrites its own PE header)
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Unpacked PE file: 0.2.SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe.400000.0.unpack
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_0042495F GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary,0_2_0042495F
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_004400B4 push ecx; ret 0_2_004400C6
    Source: initial sample Static PE information: section name: .text entropy: 7.76039382624
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_0041AE8D SetCurrentDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0041AE8D
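    The two unpacking signatures above are produced by comparing the section rights and headers of the on-disk sample with the image reconstructed from memory at 0x400000 (the .unpack file): the packed file carries .rsrc, the unpacked image carries .reloc, and the packed .text section has an entropy of 7.76, close to the 8.0 ceiling that encrypted or compressed code approaches. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: a minimal PE section-table parser that renders rights in the report's own notation, computes per-section Shannon entropy, diffs the sections of two images and checks whether the headers were rewritten. PACKED and UNPACKED are constructed fixtures that mirror the section layouts quoted in the report (the sample's real bytes are not reproduced). The example assumes both images are in file layout with valid PointerToRawData fields, which is how a reconstructed .unpack dump is stored; a raw memory dump in mapped layout would need VirtualAddress in place of PointerToRawData.

```python
import hashlib
import math
import struct

# IMAGE_SCN_MEM_* bits of the PE section header Characteristics field.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
FLAG_FOR = {"E": IMAGE_SCN_MEM_EXECUTE, "R": IMAGE_SCN_MEM_READ, "W": IMAGE_SCN_MEM_WRITE}


def rights_string(characteristics):
    """Render section rights the way the report does: 'ER', 'R', 'W', 'ERW'."""
    return "".join(letter for letter, bit in FLAG_FOR.items() if characteristics & bit)


def shannon_entropy(data):
    """Bits of entropy per byte (max 8.0); packed or encrypted code sits well above 7."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _section_table(image):
    """Return (section_table_offset, number_of_sections) after checking MZ and PE signatures."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4  # the 20-byte COFF file header follows the signature
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_opt = struct.unpack_from("<H", image, coff + 16)[0]
    return coff + 20 + size_opt, num_sections


def parse_sections(image):
    """Parse a PE image in file layout into [(name, rights, entropy), ...]."""
    table, count = _section_table(image)
    out = []
    for i in range(count):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        characteristics = struct.unpack_from("<I", image, off + 36)[0]
        raw = image[raw_ptr:raw_ptr + raw_size]
        out.append((name.rstrip(b"\0").decode("ascii", "replace"),
                    rights_string(characteristics), round(shannon_entropy(raw), 2)))
    return out


def rights_summary(image):
    """Same notation as the report line: '.text:ER;.rdata:R;.data:W;.rsrc:R;'"""
    return "".join(f"{name}:{rights};" for name, rights, _ in parse_sections(image))


def diff_rights(before, after):
    """Sections whose rights changed, appeared or vanished: [(name, old, new), ...]."""
    a = {name: rights for name, rights, _ in parse_sections(before)}
    b = {name: rights for name, rights, _ in parse_sections(after)}
    return [(n, a.get(n), b.get(n)) for n in sorted(set(a) | set(b)) if a.get(n) != b.get(n)]


def header_overwritten(before, after):
    """True when the DOS/PE/section headers differ, i.e. the image rewrote its own header."""
    ta, na = _section_table(before)
    tb, nb = _section_table(after)
    return before[:ta + 40 * na] != after[:tb + 40 * nb]


def build_pe(sections, file_align=0x200):
    """Build a minimal but structurally valid PE32 image from (name, rights, data) tuples.
    Constructed fixture for this example only: no real code, just headers the parser reads."""
    e_lfanew, size_opt = 0x40, 0xE0
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)  # PE32 magic, rest zeroed
    headers_len = e_lfanew + 4 + 20 + size_opt + 40 * len(sections)
    raw_ptr = first_raw = -(-headers_len // file_align) * file_align
    table, body, va = b"", b"", 0x1000
    for name, rights, data in sections:
        chars = sum(FLAG_FOR[r] for r in rights)  # bits are distinct, so sum == OR
        raw_size = -(-len(data) // file_align) * file_align
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data), va,
                             raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += -(-len(data) // 0x1000) * 0x1000
    return (dos + b"PE\0\0" + coff + optional + table).ljust(first_raw, b"\0") + body


# Constructed stand-ins for the on-disk (packed) sample and the unpacked image from memory.
_HIGH_ENTROPY = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4096 bytes
_LOW_ENTROPY = bytes(range(16)) * 256  # 4096 bytes, entropy exactly 4.0
PACKED = build_pe([(".text", "ER", _HIGH_ENTROPY), (".rdata", "R", b"A" * 64),
                   (".data", "W", b"\0" * 64), (".rsrc", "R", b"B" * 64)])
UNPACKED = build_pe([(".text", "ER", _LOW_ENTROPY), (".rdata", "R", b"A" * 64),
                     (".data", "W", b"\0" * 64), (".reloc", "R", b"C" * 64)])

if __name__ == "__main__":
    # With real files: PACKED = open("sample.exe", "rb").read(); UNPACKED = open("dump.unpack", "rb").read()
    print("packed  :", rights_summary(PACKED), "text entropy", parse_sections(PACKED)[0][2])
    print("unpacked:", rights_summary(UNPACKED), "text entropy", parse_sections(UNPACKED)[0][2])
    print("section changes  :", diff_rights(PACKED, UNPACKED))
    print("header overwritten:", header_overwritten(PACKED, UNPACKED))
```

    The parser deliberately trusts only the fields it needs (e_lfanew, NumberOfSections, SizeOfOptionalHeader, the section table) so that it still works on reconstructed dumps whose optional header has been zeroed or mangled; a production tool should additionally bound-check raw_ptr and raw_size against the image length before slicing, since a hostile header can point past the end of the file.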
    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (this entry is reported 20 times)
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe TID: 2336 Thread sleep time: -30000s >= -30000s
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_0043E217 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,0_2_0043E217
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_0043E387 GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose,0_2_0043E387
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_00434FF1 GetLogicalDriveStringsA,0_2_00434FF1
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_00436ACF _strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA,0_2_00436ACF
    Source: WerFault.exe, 00000004.00000002.257640769.0000000004E90000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
    Source: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, 00000000.00000002.260838180.0000000002520000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW\
    Source: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, 00000000.00000002.260882651.000000000252F000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000002.257609596.0000000004CAF000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
    Source: WerFault.exe, 00000004.00000002.257640769.0000000004E90000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
    Source: WerFault.exe, 00000004.00000002.257640769.0000000004E90000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
    Source: WerFault.exe, 00000004.00000002.257640769.0000000004E90000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_0045C2E6 IsDebuggerPresent,OutputDebugStringW,0_2_0045C2E6
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_0042495F GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary,0_2_0042495F
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_00446991 mov eax, dword ptr fs:[00000030h] 0_2_00446991
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_0040A3FB GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_0040A3FB
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_004402A4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_004402A4
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_004463B5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_004463B5
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_00440406 SetUnhandledExceptionFilter,0_2_00440406
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_004405C8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_004405C8
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_004400C8 cpuid 0_2_004400C8
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: CoInitialize,GetUserDefaultLCID,GetLocaleInfoA,Sleep,GetUserNameA,_strlen,_strlen,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,CreateThread,GetModuleHandleA,FreeLibrary,WaitForSingleObject,GetEnvironmentVariableA,ShellExecuteA,ShellExecuteA,CoUninitialize,0_2_0042693B
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00462121
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: EnumSystemLocalesW,0_2_00458367
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: EnumSystemLocalesW,0_2_004623C3
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: EnumSystemLocalesW,0_2_0046240E
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: EnumSystemLocalesW,0_2_004624A9
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00462534
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: GetLocaleInfoW,0_2_00462787
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_004628AD
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: GetLocaleInfoW,0_2_00458994
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: GetLocaleInfoW,0_2_004629B3
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: _strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA,0_2_00436ACF
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00462A82
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_00440470 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00440470
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_0042693B CoInitialize,GetUserDefaultLCID,GetLocaleInfoA,Sleep,GetUserNameA,_strlen,_strlen,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,CreateThread,GetModuleHandleA,FreeLibrary,WaitForSingleObject,GetEnvironmentVariableA,ShellExecuteA,ShellExecuteA,CoUninitialize,0_2_0042693B
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_004364C1 GetTimeZoneInformation,std::ios_base::_Ios_base_dtor,0_2_004364C1
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Code function: 0_2_0042495F GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary,0_2_0042495F
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid