Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe

Overview

General Information

Sample Name:	SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe
Analysis ID:	800798
MD5:	97011b19f2683a918f1f07f7f4ec1998
SHA1:	4b486d0b67994fabe961787f5facdf9a0e3f6672
SHA256:	c1469167b9700aeca987573c023ec7f160dadf8309a7a4feb2cd1969ad66673e
Tags:	exe
Infos:

Detection

Score:	32
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Multi AV Scanner detection for submitted file

Multi AV Scanner detection for dropped file

Machine Learning detection for sample

Machine Learning detection for dropped file

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Antivirus or Machine Learning detection for unpacked file

Contains functionality to shutdown / reboot the system

Detected potential crypto function

Stores files to the Windows start menu directory

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Creates a DirectInput object (often for capturing keystrokes)

Drops PE files

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Some HTTP requests failed (404). It is likely that the sample will exhibit less behavior.

Sample searches for specific file, try point organization specific fake files to the analysis machine

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe (PID: 3500 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe MD5: 97011B19F2683A918F1F07F7F4EC1998)

ModSource UI Addon Pack.exe (PID: 5900 cmdline: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe MD5: DC0AEE7C1898F76B9D61CE023B91539C)

chrome.exe (PID: 3248 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Documentation\Readme ModSource UI Addon Pack.html MD5: 0FEC2748F363150DC54C1CAFFB1A9408)

chrome.exe (PID: 5844 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1832 --field-trial-handle=1800,i,4957897538365028636,534134650291675046,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 MD5: 0FEC2748F363150DC54C1CAFFB1A9408)

cleanup

HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 07 Feb 2023 18:59:16 GMTServer: ApacheX-Frame-Options: SAMEORIGINLast-Modified: Sun, 16 Aug 2009 06:01:33 GMTETag: "57074349-111d8d-4713c046be940"Accept-Ranges: bytesContent-Length: 1121677Connection: closeContent-Type: application/zipData Raw: 50 4b 03 04 14 00 02 00 08 00 7b 9d 0f 3b 51 b7 76 de f5 1c 11 00 87 83 11 00 1b 00 00 00 4d 6f 64 53 6f 75 72 63 65 20 55 49 20 41 64 64 6f 6e 20 50 61 63 6b 2e 65 78 65 ec fd 07 5c 53 49 d7 38 8e df 90 00 91 62 50 41 51 51 51 b1 62 dd d8 10 0b 28 c1 8a a0 48 62 c1 82 14 43 44 40 48 04 0b 02 06 04 8c 88 5d b1 2b b2 36 ec 0d 3b 58 00 15 15 1b d6 55 2c ab 17 51 17 57 4a a8 e7 7f 66 6e 50 77 d7 7d 9e e7 7d df e7 fb 7e bf bf ff e7 89 1e ee dc a9 67 ce 9c 39 65 66 ee bd 2e 93 56 30 7c 86 61 04 08 00 0c 93 ce 70 3f 07 e6 9f ff f2 10 ea b7 3a 53 9f 39 5e ef 66 eb 74 de e8 9b ad c7 cb fd 43 ad 83 43 82 66 86 78 cd b6 f6 f6 0a 0c 0c 52 5a cf f0 b5 0e 51 05 5a fb 07 5a 3b b9 ba 5b cf 0e f2 f1 ed 66 6a 6a 64 a3 ab e3 57 d5 c8 3d 3b cc 6d aa ea a0 bb d5 82 aa 14 1a 6e 57 d5 1f af 6d ac e6 55 1d c6 6b 69 5f f3 aa 3d 78 f5 6b d8 a6 6a 3b 5e c7 f9 7b cb 49 fe 3f e3 e4 26 61 98 d1 3c 7d a6 fb c5 4f c3 ea e2 0a 18 11 cf 98 67 c0 30 93 f0 e6 3e 8f 76 b6 dd 4f 18 36 43 08 d6 f5 96 84 f5 38 3a 30 cc b7 2b e3 26 f8 7a a3 47 ff 9a 71 79 bf 5e bf 5e e8 6f 57 28 c3 1c a7 c4 e1 33 2b c2 98 7f df 0f f1 5c a6 f7 f7 c9 dd 94 be e1 4a bc f6 9a a8 43 68 d2 f7 9d e0 7e d6 0c 33 bd 5b 88 8f 97 d2 8b 61 56 34 d0 f5 bd 21 c2 d4 3f e6 43 6a 38 74 e3 b2 31 1b 0e 21 bd 56 e8 ea 0a fe 4b be 8c 6e 81 ba 8c 2b 30 9f c3 8f 11 8c 22 f9 42 42 43 bc 49 b6 30 8e 36 4c 38 5e 95 7f 6d 97 f9 cf ef 7f f5 e7 a1 f9 a0 fe e0 a9 8e 30 11 29 6d f1 af b3 46 62 ae 32 55 0f b7 34 d3 98 ee 19 34 84 49 18 2e 70 03 95 19 a8 4c 40 25 04 8b e1 21 0e 4c e1 10 1c 69 77 a9 a6 f7 61 4c 4f 94 ec 92 b9 d1 a4 d1 98 a4 f6 2d 61 12 24 26 89 92 37 5c 9c 1b c6 69 22 8a d5 be c5 8c a6 85 53 30 96 45 56 60 44 27 9d c7 89 4e 4a a5 a2 43 1e ac e6 b6 ad 0b 2b 3a 94 c9 bf 94 e0 62 96 5c 0e e2 bb 4b 8b 31 7d 2c 46 89 4e 8e f1 10 1d 72 61 f9 99 9a eb 98 82 25 c6 93 12 4b 73 30 dd 4d 74 48 62 c6 bf 84 d1 99 2f 85 a2 93 19 c6 39 89 92 12 b7 04 17 2d a2 88 cd a8 25 c5 82 04 89 b9 1b 87 88 09 58 8c 47 44 40 65 0e f7 d4 12 56 60 17 c1 8a 96 85 01 80 7a d1 04 50 fa c2 dc 5e 88 3d 96 8a cd c0 32 4a 0f 4d 84 89 82 27 cb 96 bc 21 b3 28 5b c2 0a 89 64 b4 70 c3 0c 30 77 82 0c eb 0a a6 75 69 7a 4f c0 80 0c f2 b9 0e cb ad 31 9f 9b 02 e4 db fb 0c c1 58 8b 09 b4 45 13 4c a7 ed 22 9d 38 92 78 62 fc b4 a9 e2 8c c9 d7 2e 99 31 9a d1 36 82 1d 39 48 46 cd 1d 77 ff bb 96 38 c5 a4 32 cd 78 3d 61 d9 25 3d a5 6b e2 1c 9e 18 ec 7b e7 62 72 e8 10 cd 2d ff 6b 24 3d d1 89 27 d4 08 cb 32 f5 94 fc 61 45 2d cb 32 05 ca 7a 9a db ae b1 d7 94 d6 45 66 65 99 66 2a 63 cd 63 f1 13 f5 6b 9e f8 71 82 a5 b3 3e 29 c1 d5 10 72 7d da d4 c9 97 04 64 b8 c7 8e d5 78 08 71 fc 7e f7 2f 23 e9 9a 16 04 01 f1 35 fe 17 59 82 4b 35 92 50 e3 2c dc a3 a7 34 b6 73 31 51 1a d8 5c 18 92 e0 2c b4

Source: ModSource UI Addon Pack.exe, 00000001.00000002.422163287.0000000002BD2000.00000004.00000020.00020000.00000000.sdmp, nsa449D.tmp.1.dr	String found in binary or memory: http://modsource.org
Source: SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000002.346975161.00000000028F0000.00000004.00000020.00020000.00000000.sdmp, ModSource UI Addon Pack.exe, 00000001.00000002.422163287.00000000026DC000.00000004.00000020.00020000.00000000.sdmp, ModSource UI Addon Pack.exe, 00000001.00000002.421708783.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, nsa449D.tmp.1.dr	String found in binary or memory: http://modsource.org/Files/SWG/Mods/ModSource_UI_Addon_Pack.ver
Source: SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000002.346975161.00000000028F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://modsource.org/Files/SWG/Mods/ModSource_UI_Addon_Pack.ver/TIMEOUT=30000download
Source: ModSource UI Addon Pack.exe, 00000001.00000002.422163287.00000000026DC000.00000004.00000020.00020000.00000000.sdmp, ModSource UI Addon Pack.exe, 00000001.00000002.421708783.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, nsa449D.tmp.1.dr	String found in binary or memory: http://modsource.org/Files/SWG/Mods/ModSource_UI_Addon_Pack.ver/TIMEOUT=30000downloadhttp://users.on
Source: nsa449D.tmp.1.dr	String found in binary or memory: http://modsource.org/Files/SWG/Mods/ModSource_UI_Addon_Pack.zip
Source: SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000002.346975161.00000000028F0000.00000004.00000020.00020000.00000000.sdmp, ModSource UI Addon Pack.exe, 00000001.00000002.422163287.00000000026DC000.00000004.00000020.00020000.00000000.sdmp, ModSource UI Addon Pack.exe, 00000001.00000002.421708783.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, nsa449D.tmp.1.dr	String found in binary or memory: http://modsource.org/Files/SWG/Mods/ModSource_UI_Addon_Pack.ziphttp://users.on.net/~anach/Files/SWG/
Source: ModSource UI Addon Pack.exe, ModSource UI Addon Pack.exe, 00000001.00000000.345573605.0000000000409000.00000008.00000001.01000000.00000007.sdmp, ModSource UI Addon Pack.exe, 00000001.00000002.422163287.0000000002BD2000.00000004.00000020.00020000.00000000.sdmp, ModSource UI Addon Pack.exe, 00000001.00000002.421438450.0000000000409000.00000004.00000001.01000000.00000007.sdmp, ModSource UI Addon Pack.exe, 00000001.00000003.410469484.0000000000792000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, Uninstall the ModSource UI Addon Pack.exe.1.dr, ModSource UI Addon Pack.exe.0.dr, nsa449D.tmp.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, Uninstall the ModSource UI Addon Pack.exe.1.dr, ModSource UI Addon Pack.exe.0.dr, nsa449D.tmp.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: ModSource UI Addon Pack.exe, 00000001.00000002.422163287.0000000002BD2000.00000004.00000020.00020000.00000000.sdmp, nsa449D.tmp.1.dr	String found in binary or memory: http://tassyp2p.optikal.net/viewtopic.php?f=45&t=837
Source: SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000002.346975161.00000000028F0000.00000004.00000020.00020000.00000000.sdmp, ModSource UI Addon Pack.exe, 00000001.00000002.422163287.00000000026DC000.00000004.00000020.00020000.00000000.sdmp, ModSource UI Addon Pack.exe, 00000001.00000002.421708783.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, nsa449D.tmp.1.dr	String found in binary or memory: http://unguilded.traumschmiede.com/Files/Mods/ModSource_UI_Addon_Pack.ver
Source: SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000002.346975161.00000000028F0000.00000004.00000020.00020000.00000000.sdmp, ModSource UI Addon Pack.exe, 00000001.00000002.422163287.00000000026DC000.00000004.00000020.00020000.00000000.sdmp, ModSource UI Addon Pack.exe, 00000001.00000002.421708783.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, nsa449D.tmp.1.dr	String found in binary or memory: http://unguilded.traumschmiede.com/Files/Mods/ModSource_UI_Addon_Pack.zip
Source: SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000002.346975161.00000000028F0000.00000004.00000020.00020000.00000000.sdmp, ModSource UI Addon Pack.exe, 00000001.00000002.422163287.00000000026DC000.00000004.00000020.00020000.00000000.sdmp, ModSource UI Addon Pack.exe, 00000001.00000002.421708783.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, nsa449D.tmp.1.dr	String found in binary or memory: http://users.on.net/~anach/Files/SWG/ModSource_UI_Addon_Pack.ver
Source: SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000002.346975161.00000000028F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://users.on.net/~anach/Files/SWG/ModSource_UI_Addon_Pack.verhttp://unguilded.traumschmiede.com/F
Source: SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000002.346975161.00000000028F0000.00000004.00000020.00020000.00000000.sdmp, ModSource UI Addon Pack.exe, 00000001.00000002.422163287.00000000026DC000.00000004.00000020.00020000.00000000.sdmp, ModSource UI Addon Pack.exe, 00000001.00000002.421708783.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, nsa449D.tmp.1.dr	String found in binary or memory: http://users.on.net/~anach/Files/SWG/ModSource_UI_Addon_Pack.zip
Source: nsa449D.tmp.1.dr	String found in binary or memory: http://www.modsource.org
Source: ModSource UI Addon Pack.exe, 00000001.00000002.421708783.000000000073C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.modsource.org/
Source: Mod-Source - Your Source for SWG Modding Stuff.lnk.1.dr	String found in binary or memory: http://www.modsource.org/DC:
Source: ModSource UI Addon Pack.exe, 00000001.00000002.422163287.00000000026DC000.00000004.00000020.00020000.00000000.sdmp, ModSource UI Addon Pack.exe, 00000001.00000002.421708783.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, nsa449D.tmp.1.dr	String found in binary or memory: http://www.modsource.orgopen
Source: ModSource UI Addon Pack.exe, 00000001.00000002.421708783.000000000073C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.modsource.orgw8
Source: SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332799089.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bplaced.net/
Source: SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332433511.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332819641.00000000006ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bplaced.net/apple-touch-icon.png
Source: SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332365541.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332799089.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bplaced.net/contact
Source: SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332365541.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332799089.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bplaced.net/datenschutz
Source: SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332433511.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332819641.00000000006ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bplaced.net/favicon-16x16.png
Source: SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332433511.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332819641.00000000006ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bplaced.net/favicon-32x32.png
Source: SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332433511.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332819641.00000000006ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bplaced.net/favicon.ico
Source: SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332799089.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bplaced.net/gfx/emblem_b_xs.png
Source: SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332365541.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332799089.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bplaced.net/impressum
Source: SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332365541.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332799089.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bplaced.net/privacy
Source: SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332433511.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332819641.00000000006ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bplaced.net/safari-pinned-tab.svg

Source: unknown

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8

Source: unknown

DNS traffic detected: queries for: modsource.org

Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-GB&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-104.0.5112.81Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic	HTTP traffic detected: GET /Files/SWG/Mods/ModSource_UI_Addon_Pack.ver HTTP/1.0Host: modsource.orgUser-Agent: NSISDL/1.2 (Mozilla)Accept: /
Source: global traffic	HTTP traffic detected: GET /Files/SWG/Mods/ModSource_UI_Addon_Pack.ver HTTP/1.0Host: modsource.orgUser-Agent: NSISDL/1.2 (Mozilla)Accept: /
Source: global traffic	HTTP traffic detected: GET /~anach/Files/SWG/ModSource_UI_Addon_Pack.ver HTTP/1.0Host: users.on.netUser-Agent: NSISDL/1.2 (Mozilla)Accept: /
Source: global traffic	HTTP traffic detected: GET /Files/SWG/Mods/ModSource_UI_Addon_Pack.zip HTTP/1.0Host: modsource.orgUser-Agent: NSISDL/1.2 (Mozilla)Accept: /
Source: global traffic	HTTP traffic detected: GET /Files/SWG/Mods/ModSource_UI_Addon_Pack.zip HTTP/1.0Host: modsource.orgUser-Agent: NSISDL/1.2 (Mozilla)Accept: /
Source: global traffic	HTTP traffic detected: GET /~anach/Files/SWG/ModSource_UI_Addon_Pack.zip HTTP/1.0Host: users.on.netUser-Agent: NSISDL/1.2 (Mozilla)Accept: /

Source: ModSource UI Addon Pack.exe, 00000001.00000002.421708783.00000000006BA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe

Code function: 0_2_00404F1F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

Source: SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe	Code function: 0_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Code function: 1_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe	Code function: 0_2_0040600A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe	Code function: 0_2_00404730
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Code function: 1_2_00404730
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Code function: 1_2_0040600A

Source: SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe	ReversingLabs: Detection: 17%
Source: SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe	Virustotal: Detection: 19%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe

Jump to behavior

Source: SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe	Process created: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Documentation\Readme ModSource UI Addon Pack.html
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1832 --field-trial-handle=1800,i,4957897538365028636,534134650291675046,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe	Process created: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Documentation\Readme ModSource UI Addon Pack.html
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1832 --field-trial-handle=1800,i,4957897538365028636,534134650291675046,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: ModSource UI Addon Pack Silent Updater.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Updater\ModSource UI Addon Pack Auto Updater Silent.exe
Source: Uninstall the ModSource UI Addon Pack.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Uninstall the ModSource UI Addon Pack.exe
Source: ModSource UI Addon Pack Updater.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Updater\ModSource UI Addon Pack Auto Updater.exe
Source: Readme ModSource UI Addon Pack.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Documentation\Readme ModSource UI Addon Pack.html
Source: Pre-NGE UI Changelog.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Changelog_PreNGE_UI.txt

Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ModSource UI Addon Pack Silent Updater.lnk

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe

File created: C:\Users\user\AppData\Local\Temp\nsb13F7.tmp

Jump to behavior

Source: classification engine

Classification label: sus32.winEXE@29/101@12/8

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe

Code function: 0_2_00402012 CoCreateInstance,MultiByteToWideChar,

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe

Code function: 0_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe

File created: C:\Program Files\StarWarsGalaxies

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Automated click: Next >

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\ModSource UI Addon Pack Uninstall.log	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Mods	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Backup	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Backup\Ui	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Ui	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Ui\ui_ground_hud.inc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Ui\ui_ground_hud_chat_window_skinned.inc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Ui\ui_ground_hud_mfd_status_skinned.inc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Ui\ui_ground_hud_all_targets.inc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Ui\ui_ground_hud_targets_skinned.inc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Ui\ui_ground_hud_secondary_targets_skinned.inc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Ui\ui_ground_hud_pet.inc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Ui\ui_ground_hud_sml_group_window.inc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Ui\ui_ground_hud_radar_skinned.inc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Ui\ui_pda_location_display.inc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Ui\ui_pda_exp_mon_skinned.inc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Ui\ui_pda_collections.inc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Ui\ui_ground_hud_buttonbar_skinned.inc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Ui\ui_hud_space.inc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Ui\ui_hud_space_buttonbar.inc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Ui\ui_ground_hud_toolbar_skinned.inc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Ui\ui_hud_space_toolbar.inc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Ui\ui_styles.inc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Ui\ui_palette_ground.inc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Ui\ui_palette_space.inc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Ui\ui_pda_net_status.inc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Backup\Texture	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Texture	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Texture\heavyweapons_reticule.dds	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Documentation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Documentation\reticle_readme.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Texture\ui_cursor_activate.dds	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Texture\ui_cursor_attack.dds	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Texture\ui_cursor_big.dds	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Texture\ui_cursor_crafting.dds	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Texture\ui_cursor_deactivate.dds	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Texture\ui_cursor_death_blow.dds	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Texture\ui_cursor_default.dds	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Texture\ui_cursor_drag_bad.dds	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Texture\ui_cursor_drag_scroll.dds	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Texture\ui_cursor_drop.dds	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Texture\ui_cursor_eat.dds	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Texture\ui_cursor_equip.dds	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Texture\ui_cursor_hourglass.dds	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Texture\ui_cursor_intended_attack.dds	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Texture\ui_cursor_mission_details.dds	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Texture\ui_cursor_move.dds	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Texture\ui_cursor_open.dds	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Texture\ui_cursor_pickup.dds	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Texture\ui_cursor_resize_hor.dds	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Texture\ui_cursor_resize_se.dds	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Texture\ui_cursor_resize_sw.dds	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Texture\ui_cursor_resize_vert.dds	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Texture\ui_cursor_stop_talk.dds	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Texture\ui_cursor_talk.dds	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Texture\ui_cursor_throw.dds	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Texture\ui_cursor_trade_accepted.dds	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Texture\ui_cursor_trade_start.dds	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Texture\ui_cursor_unequip.dds	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Texture\ui_cursor_use.dds	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Texture\ui_target_inactive.dds	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Texture\ui_background_arrow.dds	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Documentation\readme_BattleBackground.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Backup\Sample	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Sample	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Sample\ui_incoming_mail.wav	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Sample\item_fusioncutter_end.wav	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Sample\ui_toggle_mouse_mode.wav	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Sample\ui_use_toolbar.wav	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Sample\ui_select_popup.wav	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Sample\ui_button_arrow_back.wav	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Sample\ui_button_arrow_forward.wav	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Sample\ui_button_confirm.wav	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Sample\ui_dialog_warning.wav	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Sample\ui_increment_big.wav	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Sample\ui_menu_close.wav	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Sample\ui_rollover.wav	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Sample\ui_select_info.wav	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Sample\ui_select_rotate.wav	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Sample\item_open_metal_can_cntner.wav	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Sample\item_close_metal_can_cntner.wav	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Sample\ui_negative.wav	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Updater	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Updater\ModSource UI Addon Pack Auto Updater Silent.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Documentation\Readme ModSource UI Addon Pack.html	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Documentation\Changelog_PreNGE_UI.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Documentation\Readme_Anachs_PreNGE_UI.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Updater\ModSource UI Addon Pack Auto Updater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Icons	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Icons\Readme.ico	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Icons\Web.ico	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Icons\Update.ico	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Icons\Uninstall.ico	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Directory created: C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Uninstall the ModSource UI Addon Pack.exe	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\Google\GoogleUpdater	Jump to behavior

Source:

Binary string: q.pdB source: ModSource UI Addon Pack.exe.0.dr, ModSource UI Addon Pack.zip.0.dr

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe

Code function: 0_2_00405D61 GetModuleHandleA,LoadLibraryA,GetProcAddress,

Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	File created: C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Updater\ModSource UI Addon Pack Auto Updater Silent.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	File created: C:\Users\user\AppData\Local\Temp\nsk44DC.tmp\StartMenu.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	File created: C:\Users\user\AppData\Local\Temp\nsk44DC.tmp\nsDialogs.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe	File created: C:\Users\user\AppData\Local\Temp\nsb13F9.tmp\ZipDLL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	File created: C:\Users\user\AppData\Local\Temp\nsk44DC.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe	File created: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe	File created: C:\Users\user\AppData\Local\Temp\nsb13F9.tmp\NSISdl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	File created: C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Updater\ModSource UI Addon Pack Auto Updater.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	File created: C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Uninstall the ModSource UI Addon Pack.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	File created: C:\Users\user\AppData\Local\Temp\nsk44DC.tmp\NSISdl.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	File created: C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Documentation\reticle_readme.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	File created: C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Documentation\readme_BattleBackground.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	File created: C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Documentation\Readme_Anachs_PreNGE_UI.txt	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe

File created: C:\Program Files\StarWarsGalaxies\ModSource UI Addon Pack Uninstall.log

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ModSource UI Addon Pack Silent Updater.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ModSource UI Addon Pack	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ModSource UI Addon Pack\Uninstall the ModSource UI Addon Pack.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ModSource UI Addon Pack\ModSource UI Addon Pack Updater.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ModSource UI Addon Pack\Readme ModSource UI Addon Pack.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ModSource UI Addon Pack\Mod-Source - Your Source for SWG Modding Stuff.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ModSource UI Addon Pack\Pre-NGE UI Changelog.lnk	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ModSource UI Addon Pack Silent Updater.lnk

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Dropped PE file which has not been started: C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Updater\ModSource UI Addon Pack Auto Updater Silent.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Dropped PE file which has not been started: C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Uninstall the ModSource UI Addon Pack.exe			Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe	Code function: 0_2_00405368 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe	Code function: 0_2_00405D3A FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe	Code function: 0_2_00402630 FindFirstFileA,
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Code function: 1_2_00405368 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Code function: 1_2_00405D3A FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Code function: 1_2_00402630 FindFirstFileA,

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Source: SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332433511.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.344668347.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332819641.00000000006ED000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe

Code function: 0_2_00405D61 GetModuleHandleA,LoadLibraryA,GetProcAddress,

Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Documentation\Readme ModSource UI Addon Pack.html

Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe

Code function: 0_2_00405A65 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	2 Registry Run Keys / Startup Folder	11 Process Injection	3 Masquerading	1 Input Capture	11 Security Software Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	2 Registry Run Keys / Startup Folder	11 Process Injection	LSASS Memory	1 Remote System Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	4 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Software Packing	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Clipboard Data	Automated Exfiltration	5 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	14 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	6 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe	18%	ReversingLabs
SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe	19%	Virustotal	Browse
SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Updater\ModSource UI Addon Pack Auto Updater.exe	100%	Joe Sandbox ML
C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Updater\ModSource UI Addon Pack Auto Updater Silent.exe	100%	Joe Sandbox ML
C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Uninstall the ModSource UI Addon Pack.exe	5%	ReversingLabs
C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Updater\ModSource UI Addon Pack Auto Updater Silent.exe	23%	ReversingLabs
C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Updater\ModSource UI Addon Pack Auto Updater.exe	18%	ReversingLabs
C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	14%	ReversingLabs	Win32.Dropper.Scrop
C:\Users\user\AppData\Local\Temp\nsb13F9.tmp\NSISdl.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsb13F9.tmp\ZipDLL.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsk44DC.tmp\NSISdl.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsk44DC.tmp\StartMenu.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsk44DC.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsk44DC.tmp\nsDialogs.dll	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.2.ModSource UI Addon Pack.exe.2c18226.6.unpack	100%	Avira	TR/Patched.Ren.Gen		Download File
1.2.ModSource UI Addon Pack.exe.2bed809.4.unpack	100%	Avira	TR/Patched.Ren.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
modsource.org	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://modsource.org	0%	Virustotal		Browse
http://modsource.org	0%	Avira URL Cloud	safe
http://modsource.org/Files/SWG/Mods/ModSource_UI_Addon_Pack.ver/TIMEOUT=30000downloadhttp://users.on	0%	Avira URL Cloud	safe
http://tassyp2p.optikal.net/viewtopic.php?f=45&t=837	0%	Avira URL Cloud	safe
http://www.modsource.org/DC:	0%	Avira URL Cloud	safe
http://modsource.org/Files/SWG/Mods/ModSource_UI_Addon_Pack.ver	0%	Avira URL Cloud	safe
http://modsource.org/Files/SWG/Mods/ModSource_UI_Addon_Pack.zip	0%	Avira URL Cloud	safe
http://www.modsource.orgw8	0%	Avira URL Cloud	safe
http://unguilded.traumschmiede.com/Files/Mods/ModSource_UI_Addon_Pack.ver	0%	Avira URL Cloud	safe
http://unguilded.traumschmiede.com/Files/Mods/ModSource_UI_Addon_Pack.zip	0%	Avira URL Cloud	safe
http://modsource.org/Files/SWG/Mods/ModSource_UI_Addon_Pack.ver/TIMEOUT=30000download	0%	Avira URL Cloud	safe
http://www.modsource.org/	0%	Avira URL Cloud	safe
http://www.modsource.orgopen	0%	Avira URL Cloud	safe
http://modsource.org/Files/SWG/Mods/ModSource_UI_Addon_Pack.ziphttp://users.on.net/~anach/Files/SWG/	0%	Avira URL Cloud	safe
http://www.modsource.org	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
users.on.net	203.16.214.120	true	false		high
accounts.google.com	216.58.209.45	true	false		high
modsource.org	162.55.0.134	true	false	0%, Virustotal, Browse	unknown
www.google.com	142.250.180.132	true	false		high
clients.l.google.com	142.250.180.174	true	false		high
clients2.google.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
file:///C:/Program%20Files/StarWarsGalaxies/Mods/ModSource%20UI%20Addon%20Pack/Documentation/Readme%20ModSource%20UI%20Addon%20Pack.html	false		low
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	false		high
http://users.on.net/~anach/Files/SWG/ModSource_UI_Addon_Pack.ver	false		high
http://users.on.net/~anach/Files/SWG/ModSource_UI_Addon_Pack.zip	false		high
http://modsource.org/Files/SWG/Mods/ModSource_UI_Addon_Pack.ver	false	Avira URL Cloud: safe	unknown
http://modsource.org/Files/SWG/Mods/ModSource_UI_Addon_Pack.zip	false	Avira URL Cloud: safe	unknown
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-GB&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://modsource.org	ModSource UI Addon Pack.exe, 00000001.00000002.422163287.0000000002BD2000.00000004.00000020.00020000.00000000.sdmp, nsa449D.tmp.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://modsource.org/Files/SWG/Mods/ModSource_UI_Addon_Pack.ver/TIMEOUT=30000downloadhttp://users.on	ModSource UI Addon Pack.exe, 00000001.00000002.422163287.00000000026DC000.00000004.00000020.00020000.00000000.sdmp, ModSource UI Addon Pack.exe, 00000001.00000002.421708783.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, nsa449D.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://www.modsource.org/DC:	Mod-Source - Your Source for SWG Modding Stuff.lnk.1.dr	false	Avira URL Cloud: safe	unknown
http://tassyp2p.optikal.net/viewtopic.php?f=45&t=837	ModSource UI Addon Pack.exe, 00000001.00000002.422163287.0000000002BD2000.00000004.00000020.00020000.00000000.sdmp, nsa449D.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, Uninstall the ModSource UI Addon Pack.exe.1.dr, ModSource UI Addon Pack.exe.0.dr, nsa449D.tmp.1.dr	false		high
http://www.modsource.orgw8	ModSource UI Addon Pack.exe, 00000001.00000002.421708783.000000000073C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://modsource.org/Files/SWG/Mods/ModSource_UI_Addon_Pack.ver/TIMEOUT=30000download	SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000002.346975161.00000000028F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.bplaced.net/apple-touch-icon.png	SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332433511.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332819641.00000000006ED000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.modsource.org/	ModSource UI Addon Pack.exe, 00000001.00000002.421708783.000000000073C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://unguilded.traumschmiede.com/Files/Mods/ModSource_UI_Addon_Pack.ver	SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000002.346975161.00000000028F0000.00000004.00000020.00020000.00000000.sdmp, ModSource UI Addon Pack.exe, 00000001.00000002.422163287.00000000026DC000.00000004.00000020.00020000.00000000.sdmp, ModSource UI Addon Pack.exe, 00000001.00000002.421708783.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, nsa449D.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://unguilded.traumschmiede.com/Files/Mods/ModSource_UI_Addon_Pack.zip	SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000002.346975161.00000000028F0000.00000004.00000020.00020000.00000000.sdmp, ModSource UI Addon Pack.exe, 00000001.00000002.422163287.00000000026DC000.00000004.00000020.00020000.00000000.sdmp, ModSource UI Addon Pack.exe, 00000001.00000002.421708783.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, nsa449D.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_Error	ModSource UI Addon Pack.exe, ModSource UI Addon Pack.exe, 00000001.00000000.345573605.0000000000409000.00000008.00000001.01000000.00000007.sdmp, ModSource UI Addon Pack.exe, 00000001.00000002.422163287.0000000002BD2000.00000004.00000020.00020000.00000000.sdmp, ModSource UI Addon Pack.exe, 00000001.00000002.421438450.0000000000409000.00000004.00000001.01000000.00000007.sdmp, ModSource UI Addon Pack.exe, 00000001.00000003.410469484.0000000000792000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, Uninstall the ModSource UI Addon Pack.exe.1.dr, ModSource UI Addon Pack.exe.0.dr, nsa449D.tmp.1.dr	false		high
http://users.on.net/~anach/Files/SWG/ModSource_UI_Addon_Pack.verhttp://unguilded.traumschmiede.com/F	SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000002.346975161.00000000028F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.bplaced.net/favicon-16x16.png	SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332433511.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332819641.00000000006ED000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.modsource.org	nsa449D.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://www.modsource.orgopen	ModSource UI Addon Pack.exe, 00000001.00000002.422163287.00000000026DC000.00000004.00000020.00020000.00000000.sdmp, ModSource UI Addon Pack.exe, 00000001.00000002.421708783.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, nsa449D.tmp.1.dr	false	Avira URL Cloud: safe	unknown
https://www.bplaced.net/safari-pinned-tab.svg	SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332433511.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332819641.00000000006ED000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.bplaced.net/impressum	SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332365541.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332799089.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.bplaced.net/gfx/emblem_b_xs.png	SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332799089.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.bplaced.net/datenschutz	SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332365541.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332799089.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.bplaced.net/contact	SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332365541.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332799089.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.bplaced.net/privacy	SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332365541.00000000006F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332799089.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.bplaced.net/favicon-32x32.png	SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332433511.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332819641.00000000006ED000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.bplaced.net/favicon.ico	SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332433511.00000000006ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332819641.00000000006ED000.00000004.00000020.00020000.00000000.sdmp	false		high
http://modsource.org/Files/SWG/Mods/ModSource_UI_Addon_Pack.ziphttp://users.on.net/~anach/Files/SWG/	SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000002.346975161.00000000028F0000.00000004.00000020.00020000.00000000.sdmp, ModSource UI Addon Pack.exe, 00000001.00000002.422163287.00000000026DC000.00000004.00000020.00020000.00000000.sdmp, ModSource UI Addon Pack.exe, 00000001.00000002.421708783.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, nsa449D.tmp.1.dr	false	Avira URL Cloud: safe	unknown
https://www.bplaced.net/	SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe, 00000000.00000003.332799089.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
162.55.0.134	modsource.org	United States	35893	ACPCA	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
203.16.214.120	users.on.net	Australia	4739	INTERNODE-ASInternodePtyLtdAU	false
216.58.209.45	accounts.google.com	United States	15169	GOOGLEUS	false
142.250.180.174	clients.l.google.com	United States	15169	GOOGLEUS	false
142.250.180.132	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	800798
Start date and time:	2023-02-07 19:58:07 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 22s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe
Detection:	SUS
Classification:	sus32.winEXE@29/101@12/8
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 97% (good quality ratio 93.7%) Quality average: 85% Quality standard deviation: 25%
HCA Information:	Successful, ratio: 99% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, rundll32.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
TCP Packets have been reduced to 100
Created / dropped Files have been reduced to 100
Excluded IPs from analysis (whitelisted): 142.250.184.99, 34.104.35.123, 142.250.180.163
Excluded domains from analysis (whitelisted): edgedl.me.gvt1.com, update.googleapis.com, clientservices.googleapis.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:59:46	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ModSource UI Addon Pack Silent Updater.lnk

Process:	C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4835
Entropy (8bit):	4.788538130984319
Encrypted:	false
SSDEEP:	48:o3rddddeSddddG8B+GD9Yz3XqXj/YzYz4XqXiN7ZzCLEbXqXxLXnXoTLEqXS7R2Z:ozziHyj/iiYykNzdyhXaf
MD5:	5465527B0C899413743C22ABA3ECFE4C
SHA1:	3347100AE9776581D1CABF2F5E2FA5CB970DF20C
SHA-256:	91D4E5644587E47E6F9793228A153676DD990B6F57477550D1BBE0607BC62560
SHA-512:	F1DC77BD8B03CD5DC12B52EA148FEA824997C498A491F15A0B0235F7FEABB77BEE26DACE86D8833CCAF34410565BBC83E138E58AC378FC1505A0EE373B347CF9
Malicious:	false
Reputation:	low
Preview:	C:\Program Files\StarWarsGalaxies\Ui..C:\Program Files\StarWarsGalaxies\Ui\*.inc..C:\Program Files\StarWarsGalaxies\Ui..C:\Program Files\StarWarsGalaxies\Ui..C:\Program Files\StarWarsGalaxies\Ui..C:\Program Files\StarWarsGalaxies\Ui..C:\Program Files\StarWarsGalaxies\Ui..C:\Program Files\StarWarsGalaxies\Ui\ui_ground_hud_sml_group_window.inc..C:\Program Files\StarWarsGalaxies\Ui..C:\Program Files\StarWarsGalaxies\Ui..C:\Program Files\StarWarsGalaxies\Ui..C:\Program Files\StarWarsGalaxies\Ui..C:\Program Files\StarWarsGalaxies\Ui..C:\Program Files\StarWarsGalaxies\Ui\ui_ground_hud_buttonbar_skinned.inc..C:\Program Files\StarWarsGalaxies\Ui..C:\Program Files\StarWarsGalaxies\Ui\ui_hud_space_buttonbar.inc..C:\Program Files\StarWarsGalaxies\Ui..C:\Program Files\StarWarsGalaxies\Ui\ui_ground_hud_toolbar_skinned.inc..C:\Program Files\StarWarsGalaxies\Ui..C:\Program Files\StarWarsGalaxies\Ui\ui_hud_space_toolbar.inc..C:\Program Files\StarWarsGalaxies\Ui..C:\Program Files\StarWarsGalaxies\Ui\ui

Source: C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Updater\ModSource UI Addon Pack Auto Updater Silent.exe	ReversingLabs: Detection: 23%
Source: C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Updater\ModSource UI Addon Pack Auto Updater.exe	ReversingLabs: Detection: 17%
Source: C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe	ReversingLabs: Detection: 14%

Source: C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Updater\ModSource UI Addon Pack Auto Updater.exe	Joe Sandbox ML: detected
Source: C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Updater\ModSource UI Addon Pack Auto Updater Silent.exe	Joe Sandbox ML: detected

Source: 1.2.ModSource UI Addon Pack.exe.2c18226.6.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.ModSource UI Addon Pack.exe.2bed809.4.unpack	Avira: Label: TR/Patched.Ren.Gen

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Feb 2023 18:59:10 GMTServer: ApacheX-BP-NSA-REQID: (null) n.12UID=1146X-Content-Type-Options: nosniffUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Tue, 29 May 2018 23:27:39 GMTETag: "1b63-56d60947c10c0"Accept-Ranges: bytesContent-Length: 7011Vary: Accept-EncodingContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 22 6c 74 72 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 2d 68 6f 72 22 20 20 20 20 20 20 20 63 6f 6e 74 65 6e 74 3d 22 6d 69 72 6f 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 76 69 73 69 74 2d 61 66 74 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 33 20 64 61 79 73 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 20 20 20 20 20 20 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 49 4e 44 45 58 2c 20 46 4f 4c 4c 4f 57 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 20 20 20 20 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 68 65 69 67 68 74 3d 64 65 76 69 63 65 2d 68 65 69 67 68 74 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 73 69 7a 65 73 3d 22 31 38 30 78 31 38 30 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 70 6c 61 63 65 64 2e 6e 65 74 2f 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 70 6c 61 63 65 64 2e 6e 65 74 2f 66 61 76 69 63 6f 6e 2d 33 32 78 33 32 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 33 32 78 33 32 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 70 6c 61 63 65 64 2e 6e 65 74 2f 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Feb 2023 18:59:10 GMTServer: ApacheX-BP-NSA-REQID: (null) n.12UID=1562X-Content-Type-Options: nosniffUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Tue, 29 May 2018 23:27:39 GMTETag: "1b63-56d60947c10c0"Accept-Ranges: bytesContent-Length: 7011Vary: Accept-EncodingContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 22 6c 74 72 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 2d 68 6f 72 22 20 20 20 20 20 20 20 63 6f 6e 74 65 6e 74 3d 22 6d 69 72 6f 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 76 69 73 69 74 2d 61 66 74 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 33 20 64 61 79 73 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 20 20 20 20 20 20 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 49 4e 44 45 58 2c 20 46 4f 4c 4c 4f 57 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 20 20 20 20 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 68 65 69 67 68 74 3d 64 65 76 69 63 65 2d 68 65 69 67 68 74 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 73 69 7a 65 73 3d 22 31 38 30 78 31 38 30 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 70 6c 61 63 65 64 2e 6e 65 74 2f 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 70 6c 61 63 65 64 2e 6e 65 74 2f 66 61 76 69 63 6f 6e 2d 33 32 78 33 32 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 33 32 78 33 32 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 70 6c 61 63 65 64 2e 6e 65 74 2f 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Feb 2023 18:59:15 GMTServer: ApacheX-BP-NSA-REQID: (null) n.12UID=1888X-Content-Type-Options: nosniffUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Tue, 29 May 2018 23:27:39 GMTETag: "1b63-56d60947c10c0"Accept-Ranges: bytesContent-Length: 7011Vary: Accept-EncodingContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 22 6c 74 72 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 2d 68 6f 72 22 20 20 20 20 20 20 20 63 6f 6e 74 65 6e 74 3d 22 6d 69 72 6f 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 76 69 73 69 74 2d 61 66 74 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 33 20 64 61 79 73 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 20 20 20 20 20 20 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 49 4e 44 45 58 2c 20 46 4f 4c 4c 4f 57 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 20 20 20 20 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 68 65 69 67 68 74 3d 64 65 76 69 63 65 2d 68 65 69 67 68 74 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 73 69 7a 65 73 3d 22 31 38 30 78 31 38 30 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 70 6c 61 63 65 64 2e 6e 65 74 2f 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 70 6c 61 63 65 64 2e 6e 65 74 2f 66 61 76 69 63 6f 6e 2d 33 32 78 33 32 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 33 32 78 33 32 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 70 6c 61 63 65 64 2e 6e 65 74 2f 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Feb 2023 18:59:15 GMTServer: ApacheX-BP-NSA-REQID: (null) n.12UID=827X-Content-Type-Options: nosniffUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Tue, 29 May 2018 23:27:39 GMTETag: "1b63-56d60947c10c0"Accept-Ranges: bytesContent-Length: 7011Vary: Accept-EncodingContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 22 6c 74 72 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 2d 68 6f 72 22 20 20 20 20 20 20 20 63 6f 6e 74 65 6e 74 3d 22 6d 69 72 6f 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 76 69 73 69 74 2d 61 66 74 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 33 20 64 61 79 73 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 20 20 20 20 20 20 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 49 4e 44 45 58 2c 20 46 4f 4c 4c 4f 57 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 20 20 20 20 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 68 65 69 67 68 74 3d 64 65 76 69 63 65 2d 68 65 69 67 68 74 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 73 69 7a 65 73 3d 22 31 38 30 78 31 38 30 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 70 6c 61 63 65 64 2e 6e 65 74 2f 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 70 6c 61 63 65 64 2e 6e 65 74 2f 66 61 76 69 63 6f 6e 2d 33 32 78 33 32 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 33 32 78 33 32 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 70 6c 61 63 65 64 2e 6e 65 74 2f 66

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	1121677
Entropy (8bit):	7.999807181487946
Encrypted:	true
SSDEEP:	24576:O5f3Wmsj2/TEB1nT+y6a9Q6lxjioySg0woACijh:O5f3WKUniywMDngHbV
MD5:	4D5E04B6CE80B7C05A22BFB47F24F4C6
SHA1:	75E11BDDB66A7880EE32142A255175B988ACD76E
SHA-256:	6C590620385614A5D549D8760C064A2FDB0B8181A47D3394726B01D09881FF82
SHA-512:	42AAEC990D7D798CE5300A777DC69B7824A1821DFC2430820762570844666795A7EFF697C5C559B19848265E3F5ED4B6E4AD4D105E1E9B55F7B89DE9B051C7A5
Malicious:	false
Preview:	PK........{..;Q.v.............ModSource UI Addon Pack.exe...\SI.8....bPAQQQ.b....(...Hb...CD@H.......].+.6..;X.....U,..Q.WJ...fnPw.}..}...~.......g.9ef...V0\|.a......p?......:S.9^.f.t.....C..C.f.x......RZ...Q.Z..Z;..[.....fjjd...W..=;.m......nW...m..U..ki_.=x.k.j;^..{.I.?..&a..<}...O.......g.0...>.v..O.6C......8:0.+.&.z.G..qy.^.^.oW(.....3+.....\.......J....Ch....~..3.[....aV4...!..?.Cj8t.1..!.V....K..n...+0....".BBC.I.0.6L8^..m...........0.)m.Fb.2U..4...4.I..p....L@%...!.L...iw...aLO......-a.$&..7\...i".....S0.EV`D'..NJ..C....+:....b.\..K.1},F.N....ra....%..Ks0.MtHb.../.....9......-...%........X.GD@e....V`.......z..P...^.=....2J.M...'..!.([...d.p..0w.....uizO......1........X...E.L..".8.xb........1..6..9HF..w...8.2.x=a.%=.k.....{.br...-.k$=.'...2...aE-.2..z.....Efe.f*c.c...k..q...>)...r}....d...x.q.~./#.....5..Y.K5.P.,..4.s1Q..\...,...H8i..gP$.Z....4"....7.MEj.[..cY......L.R..Ex...'5h.B.3..k...:..Q~QGh...z...f.0.e.../a....W.

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.762292817147485
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe
File size:	116184
MD5:	97011b19f2683a918f1f07f7f4ec1998
SHA1:	4b486d0b67994fabe961787f5facdf9a0e3f6672
SHA256:	c1469167b9700aeca987573c023ec7f160dadf8309a7a4feb2cd1969ad66673e
SHA512:	fd7ffe3ccf0a46d06d936c946f50b6fdde195f684cf10b23450809457fbbb7d281f45582667ff5ec1e1968283295426ba05d156063d9c45bce931f8a45529dd1
SSDEEP:	3072:Md/vyWmJgsn5f630mFNCwivNDd+r7Ncxnpjw9:MXiY0IMfZ0N0npC
TLSH:	14B3021F79C5C89BCE6529B0167B837792B9771605210F8F27B04FFF983509A9B0A18B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uJ...$...$...$./.{...$...%.:.$.".y...$..7....$.f."...$.Rich..$.................PE..L.../..G.................Z..........%2.....

Entrypoint:	0x403225
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x47EEBF2F [Sat Mar 29 22:14:07 2008 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	099c0646ea7282d232219f8807883be0

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73a4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2f000	0x908	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x28c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5934	0x5a00	False	0.6665364583333333	data	6.4568655778614685	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1190	0x1200	False	0.4448784722222222	data	5.177968128705381	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1af98	0x400	False	0.552734375	data	4.702501941692098	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x24000	0xb000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2f000	0x908	0xa00	False	0.4109375	data	3.9664836133461354	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country
RT_ICON	0x2f190	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States
RT_DIALOG	0x2f478	0x100	data	English	United States
RT_DIALOG	0x2f578	0x11c	data	English	United States
RT_DIALOG	0x2f698	0x60	data	English	United States
RT_GROUP_ICON	0x2f6f8	0x14	data	English	United States
RT_MANIFEST	0x2f710	0x1f6	XML 1.0 document, ASCII text, with very long lines (502), with no line terminators	English	United States

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll	RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 7, 2023 19:59:09.999867916 CET	49695	80	192.168.2.4	162.55.0.134
Feb 7, 2023 19:59:10.024344921 CET	80	49695	162.55.0.134	192.168.2.4
Feb 7, 2023 19:59:10.024516106 CET	49695	80	192.168.2.4	162.55.0.134
Feb 7, 2023 19:59:10.031176090 CET	49695	80	192.168.2.4	162.55.0.134
Feb 7, 2023 19:59:10.055288076 CET	80	49695	162.55.0.134	192.168.2.4
Feb 7, 2023 19:59:10.060662031 CET	80	49695	162.55.0.134	192.168.2.4
Feb 7, 2023 19:59:10.060699940 CET	80	49695	162.55.0.134	192.168.2.4
Feb 7, 2023 19:59:10.060720921 CET	80	49695	162.55.0.134	192.168.2.4
Feb 7, 2023 19:59:10.060744047 CET	80	49695	162.55.0.134	192.168.2.4
Feb 7, 2023 19:59:10.060765028 CET	80	49695	162.55.0.134	192.168.2.4
Feb 7, 2023 19:59:10.060786009 CET	80	49695	162.55.0.134	192.168.2.4
Feb 7, 2023 19:59:10.060816050 CET	49695	80	192.168.2.4	162.55.0.134
Feb 7, 2023 19:59:10.060888052 CET	49695	80	192.168.2.4	162.55.0.134
Feb 7, 2023 19:59:10.063277960 CET	49695	80	192.168.2.4	162.55.0.134
Feb 7, 2023 19:59:10.130839109 CET	80	49695	162.55.0.134	192.168.2.4
Feb 7, 2023 19:59:10.141086102 CET	80	49695	162.55.0.134	192.168.2.4
Feb 7, 2023 19:59:10.141182899 CET	49695	80	192.168.2.4	162.55.0.134
Feb 7, 2023 19:59:10.329230070 CET	49696	80	192.168.2.4	162.55.0.134
Feb 7, 2023 19:59:10.353476048 CET	80	49696	162.55.0.134	192.168.2.4
Feb 7, 2023 19:59:10.353574038 CET	49696	80	192.168.2.4	162.55.0.134
Feb 7, 2023 19:59:10.376364946 CET	49696	80	192.168.2.4	162.55.0.134
Feb 7, 2023 19:59:10.400569916 CET	80	49696	162.55.0.134	192.168.2.4
Feb 7, 2023 19:59:10.406291008 CET	80	49696	162.55.0.134	192.168.2.4
Feb 7, 2023 19:59:10.406332970 CET	80	49696	162.55.0.134	192.168.2.4
Feb 7, 2023 19:59:10.406387091 CET	80	49696	162.55.0.134	192.168.2.4
Feb 7, 2023 19:59:10.406415939 CET	80	49696	162.55.0.134	192.168.2.4
Feb 7, 2023 19:59:10.406444073 CET	80	49696	162.55.0.134	192.168.2.4
Feb 7, 2023 19:59:10.406766891 CET	80	49696	162.55.0.134	192.168.2.4
Feb 7, 2023 19:59:10.407351017 CET	49696	80	192.168.2.4	162.55.0.134
Feb 7, 2023 19:59:10.447982073 CET	49696	80	192.168.2.4	162.55.0.134
Feb 7, 2023 19:59:10.486756086 CET	80	49696	162.55.0.134	192.168.2.4
Feb 7, 2023 19:59:10.486902952 CET	49696	80	192.168.2.4	162.55.0.134
Feb 7, 2023 19:59:10.690042973 CET	49697	80	192.168.2.4	203.16.214.120
Feb 7, 2023 19:59:11.011236906 CET	80	49697	203.16.214.120	192.168.2.4
Feb 7, 2023 19:59:11.011480093 CET	49697	80	192.168.2.4	203.16.214.120
Feb 7, 2023 19:59:11.017126083 CET	49697	80	192.168.2.4	203.16.214.120
Feb 7, 2023 19:59:11.339237928 CET	80	49697	203.16.214.120	192.168.2.4
Feb 7, 2023 19:59:11.342822075 CET	80	49697	203.16.214.120	192.168.2.4
Feb 7, 2023 19:59:11.342885017 CET	80	49697	203.16.214.120	192.168.2.4
Feb 7, 2023 19:59:11.342998981 CET	49697	80	192.168.2.4	203.16.214.120
Feb 7, 2023 19:59:11.344343901 CET	49697	80	192.168.2.4	203.16.214.120
Feb 7, 2023 19:59:11.543103933 CET	80	49697	203.16.214.120	192.168.2.4
Feb 7, 2023 19:59:11.543184996 CET	49697	80	192.168.2.4	203.16.214.120
Feb 7, 2023 19:59:11.664391041 CET	80	49697	203.16.214.120	192.168.2.4
Feb 7, 2023 19:59:15.637778997 CET	49698	80	192.168.2.4	162.55.0.134
Feb 7, 2023 19:59:15.661902905 CET	80	49698	162.55.0.134	192.168.2.4
Feb 7, 2023 19:59:15.662056923 CET	49698	80	192.168.2.4	162.55.0.134
Feb 7, 2023 19:59:15.673615932 CET	49698	80	192.168.2.4	162.55.0.134
Feb 7, 2023 19:59:15.697168112 CET	80	49698	162.55.0.134	192.168.2.4
Feb 7, 2023 19:59:15.703309059 CET	80	49698	162.55.0.134	192.168.2.4
Feb 7, 2023 19:59:15.703341961 CET	80	49698	162.55.0.134	192.168.2.4
Feb 7, 2023 19:59:15.703362942 CET	80	49698	162.55.0.134	192.168.2.4
Feb 7, 2023 19:59:15.703386068 CET	80	49698	162.55.0.134	192.168.2.4
Feb 7, 2023 19:59:15.703406096 CET	80	49698	162.55.0.134	192.168.2.4
Feb 7, 2023 19:59:15.703449965 CET	49698	80	192.168.2.4	162.55.0.134
Feb 7, 2023 19:59:15.703507900 CET	49698	80	192.168.2.4	162.55.0.134
Feb 7, 2023 19:59:15.706346035 CET	80	49698	162.55.0.134	192.168.2.4
Feb 7, 2023 19:59:15.706469059 CET	49698	80	192.168.2.4	162.55.0.134
Feb 7, 2023 19:59:15.706535101 CET	49698	80	192.168.2.4	162.55.0.134
Feb 7, 2023 19:59:15.848922014 CET	49699	80	192.168.2.4	162.55.0.134
Feb 7, 2023 19:59:15.873218060 CET	80	49699	162.55.0.134	192.168.2.4
Feb 7, 2023 19:59:15.873454094 CET	49699	80	192.168.2.4	162.55.0.134
Feb 7, 2023 19:59:15.877010107 CET	49699	80	192.168.2.4	162.55.0.134
Feb 7, 2023 19:59:15.900964975 CET	80	49699	162.55.0.134	192.168.2.4
Feb 7, 2023 19:59:15.905997992 CET	80	49699	162.55.0.134	192.168.2.4
Feb 7, 2023 19:59:15.906028032 CET	80	49699	162.55.0.134	192.168.2.4
Feb 7, 2023 19:59:15.906049013 CET	80	49699	162.55.0.134	192.168.2.4
Feb 7, 2023 19:59:15.906069994 CET	80	49699	162.55.0.134	192.168.2.4
Feb 7, 2023 19:59:15.906085014 CET	80	49699	162.55.0.134	192.168.2.4
Feb 7, 2023 19:59:15.906102896 CET	80	49699	162.55.0.134	192.168.2.4
Feb 7, 2023 19:59:15.906183958 CET	49699	80	192.168.2.4	162.55.0.134
Feb 7, 2023 19:59:15.906245947 CET	49699	80	192.168.2.4	162.55.0.134
Feb 7, 2023 19:59:15.909384966 CET	49699	80	192.168.2.4	162.55.0.134
Feb 7, 2023 19:59:15.974669933 CET	80	49699	162.55.0.134	192.168.2.4
Feb 7, 2023 19:59:15.986478090 CET	80	49699	162.55.0.134	192.168.2.4
Feb 7, 2023 19:59:15.986731052 CET	49699	80	192.168.2.4	162.55.0.134
Feb 7, 2023 19:59:16.314790010 CET	49700	80	192.168.2.4	203.16.214.120
Feb 7, 2023 19:59:16.632805109 CET	80	49700	203.16.214.120	192.168.2.4
Feb 7, 2023 19:59:16.632946014 CET	49700	80	192.168.2.4	203.16.214.120
Feb 7, 2023 19:59:16.641328096 CET	49700	80	192.168.2.4	203.16.214.120
Feb 7, 2023 19:59:16.959192991 CET	80	49700	203.16.214.120	192.168.2.4
Feb 7, 2023 19:59:16.961148977 CET	80	49700	203.16.214.120	192.168.2.4
Feb 7, 2023 19:59:16.961299896 CET	80	49700	203.16.214.120	192.168.2.4
Feb 7, 2023 19:59:16.961321115 CET	80	49700	203.16.214.120	192.168.2.4
Feb 7, 2023 19:59:16.961339951 CET	80	49700	203.16.214.120	192.168.2.4
Feb 7, 2023 19:59:16.961415052 CET	49700	80	192.168.2.4	203.16.214.120
Feb 7, 2023 19:59:16.961467028 CET	49700	80	192.168.2.4	203.16.214.120
Feb 7, 2023 19:59:17.279333115 CET	80	49700	203.16.214.120	192.168.2.4
Feb 7, 2023 19:59:17.279367924 CET	80	49700	203.16.214.120	192.168.2.4
Feb 7, 2023 19:59:17.279387951 CET	80	49700	203.16.214.120	192.168.2.4
Feb 7, 2023 19:59:17.279499054 CET	80	49700	203.16.214.120	192.168.2.4
Feb 7, 2023 19:59:17.279535055 CET	80	49700	203.16.214.120	192.168.2.4
Feb 7, 2023 19:59:17.279562950 CET	49700	80	192.168.2.4	203.16.214.120
Feb 7, 2023 19:59:17.279563904 CET	49700	80	192.168.2.4	203.16.214.120
Feb 7, 2023 19:59:17.279576063 CET	80	49700	203.16.214.120	192.168.2.4
Feb 7, 2023 19:59:17.279639006 CET	49700	80	192.168.2.4	203.16.214.120
Feb 7, 2023 19:59:17.597465992 CET	80	49700	203.16.214.120	192.168.2.4
Feb 7, 2023 19:59:17.597495079 CET	80	49700	203.16.214.120	192.168.2.4
Feb 7, 2023 19:59:17.597513914 CET	80	49700	203.16.214.120	192.168.2.4
Feb 7, 2023 19:59:17.597533941 CET	80	49700	203.16.214.120	192.168.2.4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 7, 2023 19:59:09.772711992 CET	56572	53	192.168.2.4	8.8.8.8
Feb 7, 2023 19:59:09.962383986 CET	53	56572	8.8.8.8	192.168.2.4
Feb 7, 2023 19:59:10.131247997 CET	50911	53	192.168.2.4	8.8.8.8
Feb 7, 2023 19:59:10.250767946 CET	53	50911	8.8.8.8	192.168.2.4
Feb 7, 2023 19:59:10.557708979 CET	59683	53	192.168.2.4	8.8.8.8
Feb 7, 2023 19:59:10.577409983 CET	53	59683	8.8.8.8	192.168.2.4
Feb 7, 2023 19:59:15.601710081 CET	64167	53	192.168.2.4	8.8.8.8
Feb 7, 2023 19:59:15.622859001 CET	53	64167	8.8.8.8	192.168.2.4
Feb 7, 2023 19:59:15.787257910 CET	58565	53	192.168.2.4	8.8.8.8
Feb 7, 2023 19:59:15.809245110 CET	53	58565	8.8.8.8	192.168.2.4
Feb 7, 2023 19:59:15.979074955 CET	52239	53	192.168.2.4	8.8.8.8
Feb 7, 2023 19:59:16.300218105 CET	53	52239	8.8.8.8	192.168.2.4
Feb 7, 2023 20:00:00.583838940 CET	60686	53	192.168.2.4	8.8.8.8
Feb 7, 2023 20:00:00.584105015 CET	61124	53	192.168.2.4	8.8.8.8
Feb 7, 2023 20:00:00.604007006 CET	53	61124	8.8.8.8	192.168.2.4
Feb 7, 2023 20:00:00.609865904 CET	53	60686	8.8.8.8	192.168.2.4
Feb 7, 2023 20:00:03.329857111 CET	50861	53	192.168.2.4	8.8.8.8
Feb 7, 2023 20:00:03.349862099 CET	53	50861	8.8.8.8	192.168.2.4
Feb 7, 2023 20:00:03.642433882 CET	61088	53	192.168.2.4	8.8.8.8
Feb 7, 2023 20:00:03.683633089 CET	53	61088	8.8.8.8	192.168.2.4
Feb 7, 2023 20:01:05.888470888 CET	51419	53	192.168.2.4	8.8.8.8
Feb 7, 2023 20:01:05.906919003 CET	53	51419	8.8.8.8	192.168.2.4
Feb 7, 2023 20:01:06.002398014 CET	51054	53	192.168.2.4	8.8.8.8
Feb 7, 2023 20:01:06.022260904 CET	53	51054	8.8.8.8	192.168.2.4

Target ID:	0
Start time:	19:59:08
Start date:	07/02/2023
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe
Imagebase:	0x400000
File size:	116184 bytes
MD5 hash:	97011B19F2683A918F1F07F7F4EC1998
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Target ID:	1
Start time:	19:59:21
Start date:	07/02/2023
Path:	C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\ModSource UI Addon Pack\ModSource UI Addon Pack.exe
Imagebase:	0x400000
File size:	1147783 bytes
MD5 hash:	DC0AEE7C1898F76B9D61CE023B91539C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 14%, ReversingLabs
Reputation:	low

Target ID:	4
Start time:	19:59:54
Start date:	07/02/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Documentation\Readme ModSource UI Addon Pack.html
Imagebase:	0x7ff683680000
File size:	2851656 bytes
MD5 hash:	0FEC2748F363150DC54C1CAFFB1A9408
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	6
Start time:	19:59:56
Start date:	07/02/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1832 --field-trial-handle=1800,i,4957897538365028636,534134650291675046,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff683680000
File size:	2851656 bytes
MD5 hash:	0FEC2748F363150DC54C1CAFFB1A9408
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\StarWarsGalaxies\ModSource UI Addon Pack Uninstall.log

C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Documentation\Changelog_PreNGE_UI.txt

C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Documentation\Readme ModSource UI Addon Pack.html

C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Documentation\Readme_Anachs_PreNGE_UI.txt

C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Documentation\readme_BattleBackground.txt

C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Documentation\reticle_readme.txt

C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Icons\Readme.ico

C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Icons\Uninstall.ico

C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Icons\Update.ico

C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Icons\Web.ico

C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Uninstall the ModSource UI Addon Pack.exe

C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Updater\ModSource UI Addon Pack Auto Updater Silent.exe

C:\Program Files\StarWarsGalaxies\Mods\ModSource UI Addon Pack\Updater\ModSource UI Addon Pack Auto Updater.exe

C:\Program Files\StarWarsGalaxies\Sample\item_close_metal_can_cntner.wav

C:\Program Files\StarWarsGalaxies\Sample\item_fusioncutter_end.wav

C:\Program Files\StarWarsGalaxies\Sample\item_open_metal_can_cntner.wav

C:\Program Files\StarWarsGalaxies\Sample\ui_button_arrow_back.wav

C:\Program Files\StarWarsGalaxies\Sample\ui_button_arrow_forward.wav

Windows Analysis Report
SecuriteInfo.com.Trojan.DownLoader28.22066.19106.30146.exe

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre