Windows Analysis Report
SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe

Overview

General Information

Sample name: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe
Analysis ID: 1466586
MD5: 0c4d10bb9e089cd3126533df5f72a958
SHA1: 8905b784ed0bb4de061700f3bd64c4a1a6674074
SHA256: 825f69fe9f15110c8199a4f1e9ab2f316385585a6b436b9a7c33ab2dc31fe76b
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: MSBuild connects to smtp port
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match
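The Sigma hits in the list above ("Powershell Base64 Encoded MpPreference Cmdlet", "Powershell Defender Exclusion", "Scheduled temp file as task from temp location", "Suspicious Schtasks From Env Var Folder") reduce to two command-line checks. The Python below is an added example written for this page, not Joe Sandbox's or Sigma's code: it decodes a PowerShell -EncodedCommand argument (UTF-16LE under Base64) and looks for (Add|Set)-MpPreference with an -Exclusion* parameter, and it flags schtasks /create whose /tr or /xml path sits in a temp or AppData folder. The process-creation records, the encoded script and the task paths are constructed for the example; the report does not print the command lines the sandbox observed.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the common
# abbreviations are covered. The argument is Base64 of a UTF-16LE script.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
MPPREF_RE = re.compile(
    r"(?i)\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension|IpAddress)\b"
)
SCHTASKS_CREATE_RE = re.compile(r"(?i)\bschtasks(?:\.exe)?\b.*?/create\b")
# /tr (task action) or /xml (task definition file), quoted or bare.
SCHTASKS_ARG_RE = re.compile(r'(?i)/(?:tr|xml)\s+(?:"([^"]+)"|(\S+))')
ENV_FOLDER_RE = re.compile(
    r"(?i)(%temp%|%tmp%|%appdata%|%localappdata%|\\AppData\\(?:Roaming|Local)\\|\\Temp\\)"
)

# Constructed script and Base64 form (assumption: what a dropper would run to
# exclude its own drop folder from Defender; not taken from the report).
_EXCLUSION_SCRIPT = r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming"'
ENCODED = base64.b64encode(_EXCLUSION_SCRIPT.encode("utf-16-le")).decode("ascii")

# Constructed process-creation records (Sysmon Event ID 1 / Security 4688 shape).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -WindowStyle Hidden -EncodedCommand {ENCODED}"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /TN "Updates\XjmosAst" /XML "C:\Users\user\AppData\Local\Temp\tmp1A2B.tmp"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /TN "Nightly" /TR "C:\Program Files\Backup\run.exe" /SC DAILY'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},
]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand, or None if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_defender_exclusion(cmdline: str) -> bool:
    """(Add|Set)-MpPreference with an -Exclusion* parameter, in the clear or Base64-encoded."""
    text = cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded:
        text = f"{cmdline}\n{decoded}"
    return MPPREF_RE.search(text) is not None


def is_schtasks_from_env_folder(cmdline: str) -> bool:
    """schtasks /create whose /tr or /xml path lives under a user-writable temp/AppData folder."""
    if not SCHTASKS_CREATE_RE.search(cmdline):
        return False
    for m in SCHTASKS_ARG_RE.finditer(cmdline):
        path = m.group(1) or m.group(2)
        if ENV_FOLDER_RE.search(path):
            return True
    return False


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run both checks over process-creation records; returns (image, finding) pairs."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        cmd = ev["CommandLine"]
        if is_defender_exclusion(cmd):
            findings.append((ev["Image"], "defender_exclusion"))
        if is_schtasks_from_env_folder(cmd):
            findings.append((ev["Image"], "schtasks_from_env_folder"))
    return findings


if __name__ == "__main__":
    for image, finding in triage(SAMPLE_EVENTS):
        print(f"{finding}: {image}")
```

The decode step matters because the MpPreference string never appears in the raw command line of the encoded variant; a rule that only pattern-matches the visible command line misses it, which is exactly why the report lists a separate "Base64 Encoded MpPreference" signature. The schtasks check keys on the task definition path rather than the task name, since the name is attacker-chosen.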

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Blogpost URLs: (none given)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection

Source: 6.2.MSBuild.exe.400000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "us2.smtp.mailhostbox.com", "Username": "naz@itc-ib.net", "Password": "*SGCViVH2@@@@11$#4%% "}
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Virustotal: Detection: 33%
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe ReversingLabs: Detection: 18%
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Virustotal: Detection: 33%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: global traffic TCP traffic: 192.168.2.4:49733 -> 208.91.199.223:587
Source: Joe Sandbox View IP Address: 208.91.199.223 208.91.199.223
Source: Joe Sandbox View ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS
Source: global traffic TCP traffic: 192.168.2.4:49733 -> 208.91.199.223:587
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: us2.smtp.mailhostbox.com
Source: MSBuild.exe, 00000006.00000002.1693905753.0000000003258000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.1698743369.0000000006510000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2889307573.00000000062B0000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2880157925.000000000314E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2889307573.00000000062CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: MSBuild.exe, 00000006.00000002.1698743369.0000000006510000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2889307573.00000000062CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: MSBuild.exe, 00000006.00000002.1698743369.0000000006510000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micros
Source: MSBuild.exe, 00000006.00000002.1698743369.0000000006510000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.Nh
Source: MSBuild.exe, 00000006.00000002.1693905753.0000000003258000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.1698743369.0000000006510000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2889307573.00000000062B0000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2880157925.000000000314E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2889307573.00000000062CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: MSBuild.exe, 00000006.00000002.1693905753.0000000003258000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.1698743369.0000000006510000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2889307573.00000000062B0000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2880157925.000000000314E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2889307573.00000000062CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: MSBuild.exe, 00000006.00000002.1693905753.0000000003258000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.1698743369.0000000006510000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2889307573.00000000062B0000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2880157925.000000000314E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2889307573.00000000062CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0A
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1658382497.00000000028D5000.00000004.00000800.00020000.00000000.sdmp, XjmosAst.exe, 00000007.00000002.1694735664.0000000002765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MSBuild.exe, 00000006.00000002.1693905753.0000000003258000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2880157925.000000000314E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1668399169.0000000006932000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1668399169.0000000006932000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1668399169.0000000006932000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1668399169.0000000006932000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1668399169.0000000006932000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1668399169.0000000006932000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1668399169.0000000006932000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1668399169.0000000006932000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1668399169.0000000006932000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1668399169.0000000006932000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1668399169.0000000006932000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1668399169.0000000006932000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1668399169.0000000006932000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1668399169.0000000006932000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1668399169.0000000006932000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1668399169.0000000006932000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1668399169.0000000006932000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1668399169.0000000006932000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1668399169.0000000006932000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1668399169.0000000006932000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1668399169.0000000006932000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1668399169.0000000006932000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1668399169.0000000006932000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1668399169.0000000006932000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1668399169.0000000006932000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1658860263.0000000003819000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.1690865441.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: MSBuild.exe, 00000006.00000002.1693905753.0000000003258000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.1698743369.0000000006510000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2889307573.00000000062B0000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2880157925.000000000314E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2889307573.00000000062CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
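The configuration the extractor pulled from the unpacked MSBuild.exe image (SMTP to us2.smtp.mailhostbox.com on port 587) is what makes the traffic above readable: the DNS query for that host, the answer 208.91.199.223 and the connection from port 49733 to 587 are one exfiltration channel. The Python below is an added example, not part of the report or of the Joe Sandbox tooling: it parses the config string, confirms the channel against DNS and connection records, and generalises the "MSBuild connects to smtp port" Sigma logic to any process outside an allowlist of mail clients. The telemetry records are constructed in the shape of Sysmon event 22 (DNS) and event 3 (network connect) fields, the allowlist is an assumption, and the password field is replaced with a placeholder.

```python
import json
import ntpath
from typing import Dict, List, Set

MAIL_PORTS = {25, 465, 587}
# Processes expected to speak SMTP from a workstation. Assumption for the
# example; tune to the estate. MSBuild.exe is deliberately not on it.
EXPECTED_SMTP_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Config string in the shape the report's extractor printed; password redacted.
CONFIG_TEXT = ('{"Exfil Mode": "SMTP", "Port": "587", "Host": "us2.smtp.mailhostbox.com", '
               '"Username": "naz@itc-ib.net", "Password": "<redacted>"}')

# Constructed telemetry (not the sandbox's own pcap/event log).
SAMPLE_EVENTS: List[dict] = [
    {"type": "dns", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "query": "us2.smtp.mailhostbox.com", "answers": ["208.91.199.223"]},
    {"type": "net", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "dst_ip": "208.91.199.223", "dst_port": 587, "src_port": 49733},
    {"type": "net", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dst_ip": "203.0.113.10", "dst_port": 587, "src_port": 49800},
    {"type": "net", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "dst_ip": "173.222.162.32", "dst_port": 443, "src_port": 49675},
]


def parse_config(text: str) -> Dict[str, object]:
    """Normalise the extractor's JSON: lower-case host, integer port."""
    cfg = json.loads(text)
    return {"mode": cfg["Exfil Mode"], "host": cfg["Host"].lower(),
            "port": int(cfg["Port"]), "username": cfg["Username"]}


def _basename(image: str) -> str:
    return ntpath.basename(image).lower()


def unexpected_smtp_clients(events: List[dict]) -> List[dict]:
    """Any process outside the allowlist opening a mail-submission port."""
    return [e for e in events
            if e["type"] == "net" and e["dst_port"] in MAIL_PORTS
            and _basename(e["image"]) not in EXPECTED_SMTP_CLIENTS]


def resolved_ips_for(events: List[dict], host: str) -> Set[str]:
    """IPs the host resolved to in the captured DNS records."""
    ips: Set[str] = set()
    for e in events:
        if e["type"] == "dns" and e["query"].lower() == host:
            ips.update(e["answers"])
    return ips


def confirm_exfil_channel(events: List[dict], cfg: Dict[str, object]) -> List[dict]:
    """Connections whose destination resolved from the config host and whose port is the config port."""
    ips = resolved_ips_for(events, str(cfg["host"]))
    return [e for e in events
            if e["type"] == "net" and e["dst_ip"] in ips and e["dst_port"] == cfg["port"]]


def build_iocs(events: List[dict], cfg: Dict[str, object]) -> Dict[str, object]:
    """Indicator set joining the static config with what was actually observed on the wire."""
    hits = confirm_exfil_channel(events, cfg)
    return {
        "exfil_mode": cfg["mode"],
        "host": cfg["host"],
        "port": cfg["port"],
        "ips": sorted(resolved_ips_for(events, str(cfg["host"]))),
        "exfil_account": cfg["username"],
        "confirmed_connections": len(hits),
        "processes": sorted({_basename(e["image"]) for e in hits}),
    }


if __name__ == "__main__":
    print(json.dumps(build_iocs(SAMPLE_EVENTS, parse_config(CONFIG_TEXT)), indent=2))
```

The connections to 173.222.162.32 and 199.232.214.172 without a DNS query are not tied to the config and stay out of the IOC set; the exfil account (Username) is the indicator the mail provider needs to disable the mailbox, while host, IPs and port are what goes into egress blocking.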

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.raw.unpack, 3DlgK9re6m.cs .Net Code: j72D
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3854390.5.raw.unpack, 3DlgK9re6m.cs .Net Code: j72D

System Summary

Source: 6.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3854390.5.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3854390.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.6da0000.6.raw.unpack, -Module-.cs Large array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.283bccc.1.raw.unpack, -Module-.cs Large array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088
Source: 7.2.XjmosAst.exe.26cbb60.0.raw.unpack, -Module-.cs Large array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_00ACE3A4 0_2_00ACE3A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_026F03F0 0_2_026F03F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_026F3358 0_2_026F3358
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_026F03DF 0_2_026F03DF
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_026F4E38 0_2_026F4E38
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_026F4E37 0_2_026F4E37
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_026FAEC0 0_2_026FAEC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_026F2F20 0_2_026F2F20
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_026F57E8 0_2_026F57E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_026F3790 0_2_026F3790
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_04D3BB98 0_2_04D3BB98
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_04D3BB97 0_2_04D3BB97
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D9C6D0 0_2_06D9C6D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D945B8 0_2_06D945B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D97C89 0_2_06D97C89
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D92DB0 0_2_06D92DB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D9C6C0 0_2_06D9C6C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D92644 0_2_06D92644
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D9267D 0_2_06D9267D
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D927B6 0_2_06D927B6
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D9270D 0_2_06D9270D
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D9BE70 0_2_06D9BE70
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D9BE60 0_2_06D9BE60
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D97E2B 0_2_06D97E2B
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D94F10 0_2_06D94F10
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D94F01 0_2_06D94F01
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D92CB0 0_2_06D92CB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D92C51 0_2_06D92C51
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D92C7B 0_2_06D92C7B
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D92C10 0_2_06D92C10
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D93D6D 0_2_06D93D6D
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D95A58 0_2_06D95A58
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D92A58 0_2_06D92A58
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D95A49 0_2_06D95A49
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D92A28 0_2_06D92A28
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D92BAC 0_2_06D92BAC
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D92B75 0_2_06D92B75
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D92B1C 0_2_06D92B1C
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D9B8C0 0_2_06D9B8C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D928EC 0_2_06D928EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D9B8BA 0_2_06D9B8BA
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D9285C 0_2_06D9285C
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D9287E 0_2_06D9287E
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D92993 0_2_06D92993
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D9295A 0_2_06D9295A
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D92923 0_2_06D92923
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06E26E20 0_2_06E26E20
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06E26720 0_2_06E26720
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06E26710 0_2_06E26710
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06E27A78 0_2_06E27A78
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06E2BEC9 0_2_06E2BEC9
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06E2863A 0_2_06E2863A
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06E2AE07 0_2_06E2AE07
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06E26E10 0_2_06E26E10
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06E2A510 0_2_06E2A510
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06E20B00 0_2_06E20B00
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06E20040 0_2_06E20040
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06E20007 0_2_06E20007
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06E2001F 0_2_06E2001F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_01499378 6_2_01499378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_01499B38 6_2_01499B38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_01494A98 6_2_01494A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_0149CDA8 6_2_0149CDA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_01493E80 6_2_01493E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 6_2_014941C8 6_2_014941C8
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Code function: 7_2_00CAE3A4 7_2_00CAE3A4
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Code function: 7_2_047303F0 7_2_047303F0
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Code function: 7_2_04734E38 7_2_04734E38
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Code function: 7_2_04734E29 7_2_04734E29
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Code function: 7_2_04732F20 7_2_04732F20
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Code function: 7_2_047357E8 7_2_047357E8
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Code function: 7_2_04733790 7_2_04733790
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Code function: 7_2_0473A2A0 7_2_0473A2A0
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Code function: 7_2_04733358 7_2_04733358
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Code function: 7_2_047303DF 7_2_047303DF
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Code function: 7_2_06906E20 7_2_06906E20
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Code function: 7_2_06906710 7_2_06906710
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Code function: 7_2_06906720 7_2_06906720
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Code function: 7_2_06907A78 7_2_06907A78
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Code function: 7_2_0690BED8 7_2_0690BED8
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Code function: 7_2_06906E10 7_2_06906E10
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Code function: 7_2_0690AE07 7_2_0690AE07
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Code function: 7_2_0690863B 7_2_0690863B
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Code function: 7_2_06908648 7_2_06908648
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Code function: 7_2_0690A510 7_2_0690A510
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Code function: 7_2_06900B00 7_2_06900B00
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Code function: 7_2_06900007 7_2_06900007
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Code function: 7_2_06900040 7_2_06900040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_01289B38 12_2_01289B38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_01284A98 12_2_01284A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_0128CDA8 12_2_0128CDA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_01283E80 12_2_01283E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_012841C8 12_2_012841C8
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1669604311.0000000006DA0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameRT.dll. vs SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1658233780.0000000002660000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1658860263.00000000041EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1658860263.0000000003819000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamecd9b6a9b-2173-42d1-b391-e58738cecc5f.exe4 vs SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1658382497.0000000002811000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRT.dll. vs SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1658382497.0000000002811000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamecd9b6a9b-2173-42d1-b391-e58738cecc5f.exe4 vs SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1670426591.00000000086B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1670426591.00000000086B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUGRU.exe\ vs SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, 00000000.00000002.1657840404.0000000000C0E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Binary or memory string: OriginalFilenameUGRU.exe\ vs SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe
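The OriginalFilename lines above carry the useful signal: the file on disk does not match its own version resource (which says UGRU.exe), so the binary was renamed, and the memory regions hold additional PE images whose version resources name Tyrone.dll, RT.dll and cd9b6a9b-2173-42d1-b391-e58738cecc5f.exe. The stray trailing characters in those strings (8, ., \) are not part of the names; they are bytes that follow the value's NUL terminator and were swept up by the sandbox's string scanner. The Python below is an added example, not Joe Sandbox's or the report's code: it scans a raw file or memory image for OriginalFilename values and compares them with the on-disk name. The byte blob it runs on is constructed for the example (the names are the ones listed above, the layout follows the VS_VERSIONINFO String entry format); nothing in it was extracted from the sample.

```python
import re

# Added example (not Joe Sandbox code): pull every OriginalFilename value out of a
# raw file or memory image and compare it with the name the file carries on disk.
KEY = "OriginalFilename".encode("utf-16-le")


def extract_original_filenames(blob: bytes) -> list[str]:
    """Return each OriginalFilename value found in `blob`, in file order.

    Works on unparsed bytes (a memory dump, an unpacked region, a raw file):
    find the UTF-16LE key, skip its NUL terminator and any 32-bit alignment
    padding, then read the value up to its own UTF-16 NUL terminator. Reading
    stops at that terminator, so the value never absorbs bytes of whatever
    structure follows it.
    """
    names = []
    for m in re.finditer(re.escape(KEY), blob):
        pos = m.end()
        while blob[pos:pos + 2] == b"\x00\x00":      # key terminator + padding
            pos += 2
        end = pos
        while end + 1 < len(blob) and blob[end:end + 2] != b"\x00\x00":
            end += 2
        try:
            name = blob[pos:end].decode("utf-16-le")
        except UnicodeDecodeError:
            continue
        if name:
            names.append(name)
    return names


def mismatched_original_filenames(blob: bytes, on_disk_name: str) -> list[str]:
    """Distinct OriginalFilename values that differ from the on-disk file name.

    One mismatch means the binary was renamed; several distinct values in one
    image mean more than one PE is present (a loader plus what it carries).
    """
    seen, out = set(), []
    for name in extract_original_filenames(blob):
        if name.casefold() != on_disk_name.casefold() and name not in seen:
            seen.add(name)
            out.append(name)
    return out


def _string_entry(value: str) -> bytes:
    """Build one VS_VERSIONINFO String entry (wLength, wValueLength, wType,
    szKey, padding, Value) so the scanner can be exercised offline."""
    key = KEY + b"\x00\x00"
    val = value.encode("utf-16-le") + b"\x00\x00"
    body = key + val
    body += b"\x00" * (-len(body) % 4)                # 32-bit alignment
    header = (6 + len(body)).to_bytes(2, "little")    # wLength
    header += (len(value) + 1).to_bytes(2, "little")  # wValueLength (WCHARs incl. NUL)
    header += (1).to_bytes(2, "little")               # wType 1 = text
    return header + body


# Constructed dump for the example: the names are the ones the report lists,
# the surrounding bytes are filler. This is not data extracted from the sample.
SAMPLE_DUMP = (
    b"\x00" * 16
    + _string_entry("UGRU.exe")
    + _string_entry("Tyrone.dll")
    + b"MZ\x90\x00"
    + _string_entry("RT.dll")
    + _string_entry("cd9b6a9b-2173-42d1-b391-e58738cecc5f.exe")
)

if __name__ == "__main__":
    disk = "SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe"
    for n in mismatched_original_filenames(SAMPLE_DUMP, disk):
        print(f"OriginalFilename {n!r} != on-disk name {disk!r}")
```

For a file on disk the version resource should be parsed properly (pefile exposes it); the raw scan is for memory dumps and unpacked regions, where the resource directory is usually not intact. Several distinct values in one process image is the finding to chase: each one is a separate PE that a loader stage has decrypted or unpacked.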
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 6.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3854390.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3854390.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: XjmosAst.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.raw.unpack, slKb.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.raw.unpack, mAKJ.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.raw.unpack, xQRSe0Fg.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.raw.unpack, n3rhMa.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.raw.unpack, MQzE4FWn.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.raw.unpack, nSmgRyX5a1.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.raw.unpack, 6IMLmJtk.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.raw.unpack, 6IMLmJtk.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.raw.unpack, 3HroK7qN.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.raw.unpack, 3HroK7qN.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, wIr9PbPLQwkUi56FIp.cs Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, wIr9PbPLQwkUi56FIp.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, wIr9PbPLQwkUi56FIp.cs Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, yL9ll5nRfy6Bwk0l7C.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, wIr9PbPLQwkUi56FIp.cs Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, wIr9PbPLQwkUi56FIp.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, wIr9PbPLQwkUi56FIp.cs Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, yL9ll5nRfy6Bwk0l7C.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.spre.troj.spyw.evad.winEXE@18/11@1/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe File created: C:\Users\user\AppData\Roaming\XjmosAst.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7700:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8132:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7728:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe File created: C:\Users\user\AppData\Local\Temp\tmp40BB.tmp
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe ReversingLabs: Detection: 18%
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Virustotal: Detection: 33%
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe "C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XjmosAst.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XjmosAst" /XML "C:\Users\user\AppData\Local\Temp\tmp40BB.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\XjmosAst.exe C:\Users\user\AppData\Roaming\XjmosAst.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XjmosAst" /XML "C:\Users\user\AppData\Local\Temp\tmp4EE4.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Sections loaded (in the order reported): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, textshaping.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, windowscodecs.dll, ntmarta.dll, sspicli.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Sections loaded (in the order reported): atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, windows.storage.dll, msasn1.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe Sections loaded (in the order reported): kernel.appcore.dll, taskschd.dll, sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Sections loaded (in the order reported): mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll, sspicli.dll, vaultcli.dll, wintypes.dll, iphlpapi.dll, dnsapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, winnsi.dll, mswsock.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Sections loaded (in the order reported): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, textshaping.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, windowscodecs.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Sections loaded (in the order reported): fastprox.dll, ncobjapi.dll, wbemcomn.dll, wbemcomn.dll, kernel.appcore.dll, mpclient.dll, userenv.dll, version.dll, msasn1.dll, wmitomi.dll, mi.dll, miutils.dll, miutils.dll, gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe (second instance listed) Sections loaded (in the order reported): kernel.appcore.dll, taskschd.dll, sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (second instance listed) Sections loaded (in the order reported): mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll, sspicli.dll, vaultcli.dll, wintypes.dll, iphlpapi.dll, dnsapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, winnsi.dll, mswsock.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (CLR header present, i.e. a managed .NET assembly)
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe, DemoForm.cs .Net Code: InitializeComponent
Source: XjmosAst.exe.0.dr, DemoForm.cs .Net Code: InitializeComponent
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.6da0000.6.raw.unpack, -Module-.cs .Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.6da0000.6.raw.unpack, PingPong.cs .Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, wIr9PbPLQwkUi56FIp.cs .Net Code: QwfOs5Vs1p System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.283bccc.1.raw.unpack, -Module-.cs .Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.283bccc.1.raw.unpack, PingPong.cs .Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, wIr9PbPLQwkUi56FIp.cs .Net Code: QwfOs5Vs1p System.Reflection.Assembly.Load(byte[])
Source: 7.2.XjmosAst.exe.26cbb60.0.raw.unpack, -Module-.cs .Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
Source: 7.2.XjmosAst.exe.26cbb60.0.raw.unpack, PingPong.cs .Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_00ACB051 push edi; retf 0004h 0_2_00ACB052
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_04D3A250 push eax; mov dword ptr [esp], ecx 0_2_04D3A264
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_04D3AD11 push edi; iretd 0_2_04D3AD3E
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D972B0 push edi; iretd 0_2_06D972BE
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D97200 push edi; iretd 0_2_06D97286
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D973D3 push edi; iretd 0_2_06D973DB
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D973F2 push edi; iretd 0_2_06D973DB
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D973EF push edi; iretd 0_2_06D973F1
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Code function: 0_2_06D95C61 push 8BBCEB50h; ret 0_2_06D95C67
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Code function: 7_2_00CA01B5 push esp; iretd 7_2_00CA01B3
Source: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Static PE information: section name: .text entropy: 7.883094544477586
Source: XjmosAst.exe.0.dr Static PE information: section name: .text entropy: 7.883094544477586 (same value as the submitted sample)
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, HQxTIiO4Ch65hAEaVN.cs High entropy of concatenated method names: 'Slt2EfBAfU', 'gmy2Xan4cx', 'Q3vocCnEMr', 'JJxoj0qiWs', 'zmq2KxIXH1', 'D762f1X9JK', 'tGd2Rk8DFU', 'Os72aMZFQY', 'qIT2JJ8fsA', 'KKX2lCB7MG'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, fibamdTanQLo0aQ5I1.cs High entropy of concatenated method names: 'xMrij8RvyP', 'gJ8iWWek0p', 'VBqiOQUkd6', 's8rinPgdK4', 'BHSibbKD3h', 'bJxiuNbXun', 'jyeipaEfi8', 'aQ4oAulmyq', 'gvUoEoaYrG', 'naWoNLNOua'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, U9YvHd8K0GHCpqmSX5.cs High entropy of concatenated method names: 'P6ujTvFYi2', 'iuAj3aH2ka', 'zZ9jxPmy5i', 'ST2jVG9Y1f', 'aMIj50HIN7', 'UNVjP27nF7', 'oOykBPvx4F2Ao7TxPP', 'XkvSHQ8ol3xxvGKecQ', 'lwnjjD6AoF', 'tDsjWI6K5G'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, WjZn7XWQJfCFBtFm8T.cs High entropy of concatenated method names: 'BemonotReg', 'bW2obw4CA8', 'OO8oh8AWsm', 'DwaouD8q8d', 'jMNopr8nBm', 'LBLoTvvkKb', 'm7Zo3b9jGv', 'owroZ6uigk', 'RKvoxMSuTG', 'KupoVwiVrJ'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, uYeCU5xBaTbGxBEuvp.cs High entropy of concatenated method names: 'mBVssNMHO', 'tk202Akt2', 'bYSMo8oQ0', 'BLi73n6mv', 'stT8l2dtG', 'OatdMcRJG', 'uuGK2tPZ5IrbyHEXD7', 'dagLCBUJHqhCyOOHxY', 'ebjoSkC1T', 'aQjynWYiC'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, rY1YUJ5HmfwoGyOrUF.cs High entropy of concatenated method names: 'sOq2xo8rRt', 'VUn2VYiXcq', 'ToString', 'ouv2n0GsJY', 'fBk2bqiOqJ', 'tmf2hu3m63', 'Gj92u6li1U', 'xZj2pxqZ4W', 'Npe2T9K2Ie', 'l8Q234u26r'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, q86xiILGrL3WN9TJy0.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'mi9vNUZODa', 'QF6vXP2Kyr', 'ScyvzTpJuy', 'ynsWch2suE', 'cbjWj2bbhN', 'oVZWvQSED1', 'rD6WWqQkC6', 'RIOm3jqqAylDNkBZO7g'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, dvJyEA2G1otQTTrExZ.cs High entropy of concatenated method names: 'pSwkDyD7S7', 'xWtk8F4IHF', 'BrdkruOJMQ', 'BQ2kmWUcWl', 'dsMkeiVlnn', 'YQUkFRurxV', 'VHbk1Fy3fQ', 'yI6kUyYkkA', 'k7WkIPpOgS', 'K5lkK5O0Mx'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, ENSI8ceZi3otmkSZWOM.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wFEyas8bVX', 'iinyJq94vw', 'PujylVRiRT', 'KwEyteII3A', 'Y5cyqxPXAt', 'pTCy9y8HcU', 'f38yAZ8a1f'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, yL9ll5nRfy6Bwk0l7C.cs High entropy of concatenated method names: 'mE8baLec77', 'zQMbJcZslK', 'ec3blqUDrV', 'QUjbtemFM7', 'QxXbq0VNgB', 'oCKb9gNpxS', 'OopbAGlO5U', 'IQgbEGoC12', 'CEmbN4X0hx', 'iSQbX8cr8f'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, RsHofFMnxfsjJ8BAiT.cs High entropy of concatenated method names: 'MFRh0WO8Vv', 'e1fhM1qROV', 'rsFhDg0NMr', 'wC8h8wTEiV', 'mb2h5dOg8L', 'iwuhP2CNNt', 'Wnih21WCqu', 'W3QhowfmAA', 'RXqhidlRtJ', 'qFJhy26Sm8'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, hd1o06zClXUmcEjHAt.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mjnikXX8Q7', 'N2pi5TbL2S', 'jb2iP2Y3FP', 'kPMi2x7KT7', 'gsYiotGcb9', 'YrUiir2Nvi', 'QNoiy6Uu4b'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, lq249OJRn0JaqL6LCm.cs High entropy of concatenated method names: 'GHnorsfABH', 'skQomoOtRw', 'RY2oHQr8t2', 'YFqoeKuJ3q', 'CBCoan1YMA', 'DnloFFKbaw', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, s1hSPSeh2ulqnbK4w8k.cs High entropy of concatenated method names: 'ByOiYakclG', 'Slci4kcWhW', 'f30is4WL4o', 'uc7i0PW3u9', 'oXAiGbBqGA', 'bUkiMyHfE9', 'IUGi7wSNgg', 'vF4iD3VYh0', 'oeWi88M2WQ', 'HWwidiI6Hi'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, WPASOHdd8TrOET2oUC.cs High entropy of concatenated method names: 'r0apB9kQPx', 'mtLpbOHDEw', 'tFPpu4xCqA', 'hxwpTxuGRu', 'acHp3b3Kbq', 'mniuqdEh5x', 'MVWu9gEsAW', 'N1xuApmOBd', 'JphuEHI4yf', 'kMvuN2IklE'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, RGLfaXltfYcfWcg2yC.cs High entropy of concatenated method names: 'ToString', 'vC3PKFJ0oX', 'O6nPmYPCkm', 'iMaPHZDt7Q', 'kuOPeradGe', 't9wPFhMTEQ', 'FYiPgOXvrg', 'U7fP1lMkjN', 'LonPUdbHDl', 'Pl4P6vR26r'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, oQSDBuVBcRoi9PYASP.cs High entropy of concatenated method names: 'hlsTnISwb6', 'cAbThJr6wg', 'LCcTpdQuAE', 'XPwpX4Iu9p', 'ytSpzQE9Lm', 'PuSTc1i3yD', 'uuRTjMfDtp', 'd42Tv4KYQ9', 'WGbTWS2udx', 'R2bTOV3SoU'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, iCOWRswtGmG7aYRUHl.cs High entropy of concatenated method names: 'y1CTYOIApK', 'W4RT41ruel', 'lAOTsrSDqh', 'ULQT0mjJJy', 'VjATGLenK5', 'uYlTMR2G4e', 'egaT7S91Lx', 'NM4TDWgt6P', 'surT8aScvm', 'i05Tdy0dM4'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, uJQ5j86U5sqEhDLqPF.cs High entropy of concatenated method names: 'J9MuGPHWWU', 'aWGu78Dmre', 'V4qhHfiydg', 'CDgheN5qBF', 'Y5OhF6aYiS', 'JJyhgd2kPS', 'ROEh1qSEOs', 'YSahUSvueM', 'TKHh64KwvR', 'nBnhIXBECD'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, wIr9PbPLQwkUi56FIp.cs High entropy of concatenated method names: 'GDAWBGZ5Y8', 'lfcWnuUmJ3', 'G3pWbgv24v', 'mVgWh29GOE', 'uuMWuXAfky', 'LPXWpv8R9e', 'j6EWTTfTuI', 'N5bW308vtb', 'Sj4WZ6agei', 'sjbWxNMYUx'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, V7Oekn7db9gxREMqXb.cs High entropy of concatenated method names: 'YqV5IqVo4d', 'rAe5fyC3Fu', 'BZ05ahQmvP', 'voX5JqYwd1', 'l2X5mW3XXB', 'KmH5HKx8Sq', 'IVx5eeHVhC', 'r5y5FHdQKg', 'Jxr5g87Nkx', 'PU851eSApb'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.43f5a90.3.raw.unpack, crDeI8gLQHOh5Wfg5B.cs High entropy of concatenated method names: 'Dispose', 'IkPjNQtEuX', 'jHWvmfQWpk', 'TKLSSB2t7p', 'pRCjXWDZfG', 'idrjzppa9A', 'ProcessDialogKey', 'g4GvcLICCl', 'xdZvjk12Vl', 'aT7vvIpiER'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, HQxTIiO4Ch65hAEaVN.cs High entropy of concatenated method names: 'Slt2EfBAfU', 'gmy2Xan4cx', 'Q3vocCnEMr', 'JJxoj0qiWs', 'zmq2KxIXH1', 'D762f1X9JK', 'tGd2Rk8DFU', 'Os72aMZFQY', 'qIT2JJ8fsA', 'KKX2lCB7MG'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, fibamdTanQLo0aQ5I1.cs High entropy of concatenated method names: 'xMrij8RvyP', 'gJ8iWWek0p', 'VBqiOQUkd6', 's8rinPgdK4', 'BHSibbKD3h', 'bJxiuNbXun', 'jyeipaEfi8', 'aQ4oAulmyq', 'gvUoEoaYrG', 'naWoNLNOua'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, U9YvHd8K0GHCpqmSX5.cs High entropy of concatenated method names: 'P6ujTvFYi2', 'iuAj3aH2ka', 'zZ9jxPmy5i', 'ST2jVG9Y1f', 'aMIj50HIN7', 'UNVjP27nF7', 'oOykBPvx4F2Ao7TxPP', 'XkvSHQ8ol3xxvGKecQ', 'lwnjjD6AoF', 'tDsjWI6K5G'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, WjZn7XWQJfCFBtFm8T.cs High entropy of concatenated method names: 'BemonotReg', 'bW2obw4CA8', 'OO8oh8AWsm', 'DwaouD8q8d', 'jMNopr8nBm', 'LBLoTvvkKb', 'm7Zo3b9jGv', 'owroZ6uigk', 'RKvoxMSuTG', 'KupoVwiVrJ'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, uYeCU5xBaTbGxBEuvp.cs High entropy of concatenated method names: 'mBVssNMHO', 'tk202Akt2', 'bYSMo8oQ0', 'BLi73n6mv', 'stT8l2dtG', 'OatdMcRJG', 'uuGK2tPZ5IrbyHEXD7', 'dagLCBUJHqhCyOOHxY', 'ebjoSkC1T', 'aQjynWYiC'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, rY1YUJ5HmfwoGyOrUF.cs High entropy of concatenated method names: 'sOq2xo8rRt', 'VUn2VYiXcq', 'ToString', 'ouv2n0GsJY', 'fBk2bqiOqJ', 'tmf2hu3m63', 'Gj92u6li1U', 'xZj2pxqZ4W', 'Npe2T9K2Ie', 'l8Q234u26r'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, q86xiILGrL3WN9TJy0.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'mi9vNUZODa', 'QF6vXP2Kyr', 'ScyvzTpJuy', 'ynsWch2suE', 'cbjWj2bbhN', 'oVZWvQSED1', 'rD6WWqQkC6', 'RIOm3jqqAylDNkBZO7g'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, dvJyEA2G1otQTTrExZ.cs High entropy of concatenated method names: 'pSwkDyD7S7', 'xWtk8F4IHF', 'BrdkruOJMQ', 'BQ2kmWUcWl', 'dsMkeiVlnn', 'YQUkFRurxV', 'VHbk1Fy3fQ', 'yI6kUyYkkA', 'k7WkIPpOgS', 'K5lkK5O0Mx'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, ENSI8ceZi3otmkSZWOM.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wFEyas8bVX', 'iinyJq94vw', 'PujylVRiRT', 'KwEyteII3A', 'Y5cyqxPXAt', 'pTCy9y8HcU', 'f38yAZ8a1f'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, yL9ll5nRfy6Bwk0l7C.cs High entropy of concatenated method names: 'mE8baLec77', 'zQMbJcZslK', 'ec3blqUDrV', 'QUjbtemFM7', 'QxXbq0VNgB', 'oCKb9gNpxS', 'OopbAGlO5U', 'IQgbEGoC12', 'CEmbN4X0hx', 'iSQbX8cr8f'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, RsHofFMnxfsjJ8BAiT.cs High entropy of concatenated method names: 'MFRh0WO8Vv', 'e1fhM1qROV', 'rsFhDg0NMr', 'wC8h8wTEiV', 'mb2h5dOg8L', 'iwuhP2CNNt', 'Wnih21WCqu', 'W3QhowfmAA', 'RXqhidlRtJ', 'qFJhy26Sm8'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, hd1o06zClXUmcEjHAt.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mjnikXX8Q7', 'N2pi5TbL2S', 'jb2iP2Y3FP', 'kPMi2x7KT7', 'gsYiotGcb9', 'YrUiir2Nvi', 'QNoiy6Uu4b'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, lq249OJRn0JaqL6LCm.cs High entropy of concatenated method names: 'GHnorsfABH', 'skQomoOtRw', 'RY2oHQr8t2', 'YFqoeKuJ3q', 'CBCoan1YMA', 'DnloFFKbaw', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, s1hSPSeh2ulqnbK4w8k.cs High entropy of concatenated method names: 'ByOiYakclG', 'Slci4kcWhW', 'f30is4WL4o', 'uc7i0PW3u9', 'oXAiGbBqGA', 'bUkiMyHfE9', 'IUGi7wSNgg', 'vF4iD3VYh0', 'oeWi88M2WQ', 'HWwidiI6Hi'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, WPASOHdd8TrOET2oUC.cs High entropy of concatenated method names: 'r0apB9kQPx', 'mtLpbOHDEw', 'tFPpu4xCqA', 'hxwpTxuGRu', 'acHp3b3Kbq', 'mniuqdEh5x', 'MVWu9gEsAW', 'N1xuApmOBd', 'JphuEHI4yf', 'kMvuN2IklE'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, RGLfaXltfYcfWcg2yC.cs High entropy of concatenated method names: 'ToString', 'vC3PKFJ0oX', 'O6nPmYPCkm', 'iMaPHZDt7Q', 'kuOPeradGe', 't9wPFhMTEQ', 'FYiPgOXvrg', 'U7fP1lMkjN', 'LonPUdbHDl', 'Pl4P6vR26r'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, oQSDBuVBcRoi9PYASP.cs High entropy of concatenated method names: 'hlsTnISwb6', 'cAbThJr6wg', 'LCcTpdQuAE', 'XPwpX4Iu9p', 'ytSpzQE9Lm', 'PuSTc1i3yD', 'uuRTjMfDtp', 'd42Tv4KYQ9', 'WGbTWS2udx', 'R2bTOV3SoU'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, iCOWRswtGmG7aYRUHl.cs High entropy of concatenated method names: 'y1CTYOIApK', 'W4RT41ruel', 'lAOTsrSDqh', 'ULQT0mjJJy', 'VjATGLenK5', 'uYlTMR2G4e', 'egaT7S91Lx', 'NM4TDWgt6P', 'surT8aScvm', 'i05Tdy0dM4'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, uJQ5j86U5sqEhDLqPF.cs High entropy of concatenated method names: 'J9MuGPHWWU', 'aWGu78Dmre', 'V4qhHfiydg', 'CDgheN5qBF', 'Y5OhF6aYiS', 'JJyhgd2kPS', 'ROEh1qSEOs', 'YSahUSvueM', 'TKHh64KwvR', 'nBnhIXBECD'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, wIr9PbPLQwkUi56FIp.cs High entropy of concatenated method names: 'GDAWBGZ5Y8', 'lfcWnuUmJ3', 'G3pWbgv24v', 'mVgWh29GOE', 'uuMWuXAfky', 'LPXWpv8R9e', 'j6EWTTfTuI', 'N5bW308vtb', 'Sj4WZ6agei', 'sjbWxNMYUx'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, V7Oekn7db9gxREMqXb.cs High entropy of concatenated method names: 'YqV5IqVo4d', 'rAe5fyC3Fu', 'BZ05ahQmvP', 'voX5JqYwd1', 'l2X5mW3XXB', 'KmH5HKx8Sq', 'IVx5eeHVhC', 'r5y5FHdQKg', 'Jxr5g87Nkx', 'PU851eSApb'
Source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.2660000.0.raw.unpack, crDeI8gLQHOh5Wfg5B.cs High entropy of concatenated method names: 'Dispose', 'IkPjNQtEuX', 'jHWvmfQWpk', 'TKLSSB2t7p', 'pRCjXWDZfG', 'idrjzppa9A', 'ProcessDialogKey', 'g4GvcLICCl', 'xdZvjk12Vl', 'aT7vvIpiER'
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe File created: C:\Users\user\AppData\Roaming\XjmosAst.exe
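The Data Obfuscation findings above come in three kinds: .NET identifiers that a decompiler renders as _200D_202B_… (hex escapes for unprintable code points such as U+200D ZERO WIDTH JOINER and U+202B RIGHT-TO-LEFT EMBEDDING, all in Unicode category Cf), method names that are random alphanumerics and so have high concatenated entropy, and a .text section whose entropy of 7.88 sits just under the maximum of 8.0, which is what an encrypted or compressed embedded payload looks like before Assembly.Load(byte[]) unpacks it. The Python below is an added triage helper and is not part of the Joe Sandbox report or of the sample; the thresholds 7.2 and 4.5 are assumptions, the PE image it parses is a constructed skeleton built inside the script, and the method-name lists are copied from the report lines above.

```python
"""Triage helpers for the three obfuscation indicators (added example, not from the report)."""
import math
import re
import struct
import unicodedata
from collections import Counter

HIGH_SECTION_ENTROPY = 7.2   # assumed triage threshold; the theoretical maximum is 8.0
HIGH_NAME_ENTROPY = 4.5      # assumed threshold for concatenated identifier entropy


def shannon_entropy(data) -> float:
    """Shannon entropy in bits per symbol of a bytes object or a str."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Decompilers render identifiers built from unprintable characters as '_XXXX' hex escapes.
ESCAPED_NAME = re.compile(r'^(?:_[0-9A-Fa-f]{4})+$')


def decode_escaped_name(name: str) -> list:
    """Code points encoded in an escaped identifier, or [] when the name is not escaped."""
    if not ESCAPED_NAME.match(name):
        return []
    return [int(h, 16) for h in name[1:].split('_')]


def is_invisible_name(name: str) -> bool:
    """True when every character of the identifier is a Unicode format (Cf) character."""
    cps = decode_escaped_name(name)
    return bool(cps) and all(unicodedata.category(chr(cp)) == 'Cf' for cp in cps)


def names_entropy(names) -> float:
    """Entropy of the concatenated method names, the metric the report reports."""
    return shannon_entropy(''.join(names))


def section_entropies(pe: bytes) -> dict:
    """Per-section entropy from a raw PE image via a minimal header walk (no third-party parser)."""
    if pe[:2] != b'MZ':
        raise ValueError('missing MZ header')
    e_lfanew = struct.unpack_from('<I', pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('missing PE signature')
    nsec = struct.unpack_from('<H', pe, e_lfanew + 6)[0]          # COFF NumberOfSections
    opt_size = struct.unpack_from('<H', pe, e_lfanew + 20)[0]     # COFF SizeOfOptionalHeader
    first = e_lfanew + 24 + opt_size                              # section table follows the optional header
    result = {}
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from('<8sIIII', pe, first + 40 * i)
        result[name.rstrip(b'\0').decode('ascii', 'replace')] = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
    return result


def build_test_image(sections) -> bytes:
    """Constructed PE skeleton (DOS header, COFF header, no optional header) for offline testing.
    It is not executable and only exercises the section-table parser."""
    payload_off = 0x40 + 24 + 40 * len(sections)
    dos = b'MZ' + b'\0' * (0x3C - 2) + struct.pack('<I', 0x40)
    coff = b'PE\0\0' + struct.pack('<HHIIIHH', 0x14C, len(sections), 0, 0, 0, 0, 0)
    table, ptr = b'', payload_off
    for name, data in sections:
        table += struct.pack('<8sIIIIIIHHI', name, len(data), 0x1000, len(data), ptr, 0, 0, 0, 0, 0x60000020)
        ptr += len(data)
    return dos + coff + table + b''.join(d for _, d in sections)


# Method names copied from the report lines above.
OBFUSCATED_NAMES = ['Slt2EfBAfU', 'gmy2Xan4cx', 'Q3vocCnEMr', 'JJxoj0qiWs', 'zmq2KxIXH1',
                    'D762f1X9JK', 'tGd2Rk8DFU', 'Os72aMZFQY', 'qIT2JJ8fsA', 'KKX2lCB7MG']
BENIGN_NAMES = ['CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ToString', 'Dispose']
INVISIBLE_NAME = ('_200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A'
                  '_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F'
                  '_200B_200F_202E_202D_202E')


def triage(pe: bytes, method_names, identifiers) -> list:
    """Human-readable findings for the three indicators."""
    findings = []
    for sec, ent in section_entropies(pe).items():
        if ent >= HIGH_SECTION_ENTROPY:
            findings.append(f'section {sec} entropy {ent:.2f}: packed or encrypted payload likely')
    ent = names_entropy(method_names)
    if ent >= HIGH_NAME_ENTROPY:
        findings.append(f'high entropy of concatenated method names: {ent:.2f}')
    for ident in identifiers:
        if is_invisible_name(ident):
            findings.append(f'identifier made only of Unicode format characters: {ident[:20]}...')
    return findings


if __name__ == '__main__':
    image = build_test_image([(b'.text', bytes(range(256)) * 8), (b'.rsrc', b'A' * 512)])
    for line in triage(image, OBFUSCATED_NAMES, [INVISIBLE_NAME, 'InitializeComponent']):
        print(line)
```

On a real sample, replace the constructed image with the bytes of the file on disk and the name lists with the identifiers extracted from the decompiled assembly; the section parser is deliberately minimal and does not validate that raw pointers lie inside the file, so wrap it in a try/except when running it over untrusted corpora.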

Boot Survival

Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XjmosAst" /XML "C:\Users\user\AppData\Local\Temp\tmp40BB.tmp"
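The persistence line above shows the two things a detection should key on: the task is registered with /XML from a file in the user's Temp directory (the "Scheduled temp file as task from temp location" Sigma match in the overview), and it is named under an innocuous-looking "Updates" folder. The Python below is an added example, not part of the Joe Sandbox report: it parses the schtasks command line exactly as shown in the report and, separately, triages a task definition XML. The report does not show the contents of tmp40BB.tmp, so the XML used here is a constructed stand-in built from the Task Scheduler schema and is an assumption about what such a dropper writes; the /TR check generalises the same idea to tasks created without an XML file.

```python
"""Scheduled-task persistence triage (added example, not from the report)."""
import re
import xml.etree.ElementTree as ET

TASK_NS = '{http://schemas.microsoft.com/windows/2004/02/mit/task}'
USER_TEMP = re.compile(r'\\AppData\\Local\\Temp\\', re.IGNORECASE)
USER_PROFILE = re.compile(r'^[A-Za-z]:\\Users\\[^\\]+\\', re.IGNORECASE)

# Command line copied from the report line above.
CMDLINE = (r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XjmosAst" '
           r'/XML "C:\Users\user\AppData\Local\Temp\tmp40BB.tmp"')

# Constructed task definition (assumption: the report does not show tmp40BB.tmp's contents).
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\Users\user\AppData\Roaming\XjmosAst.exe</Command></Exec></Actions>
</Task>"""


def parse_schtasks(cmdline: str) -> dict:
    """Map schtasks switches (lower-cased, without '/') to their values; bare flags map to True."""
    tokens = [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    opts, i = {}, 1                      # tokens[0] is the executable itself
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith('/'):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith('/'):
                opts[tok[1:].lower()] = tokens[i + 1]
                i += 2
                continue
            opts[tok[1:].lower()] = True
        i += 1
    return opts


def triage_cmdline(cmdline: str) -> list:
    """Findings for a schtasks invocation: definition loaded from Temp, or action in the user profile."""
    opts = parse_schtasks(cmdline)
    findings = []
    if 'create' in opts and 'xml' in opts and USER_TEMP.search(str(opts['xml'])):
        findings.append(f"task created from XML in user temp directory: {opts['xml']}")
    if 'create' in opts and 'tr' in opts and USER_PROFILE.match(str(opts['tr']).strip('"')):
        findings.append(f"task action runs a binary from the user profile: {opts['tr']}")
    return findings


def triage_task_xml(xml_text: str) -> list:
    """Findings for a Task Scheduler XML definition: user-profile Exec path, logon trigger, Hidden flag."""
    root = ET.fromstring(xml_text)
    findings = []
    for cmd in root.iter(TASK_NS + 'Command'):
        path = (cmd.text or '').strip().strip('"')
        if USER_PROFILE.match(path):
            findings.append(f'Exec action runs a binary from the user profile: {path}')
    if root.find(f'.//{TASK_NS}LogonTrigger') is not None:
        findings.append('logon trigger: runs every time the user signs in')
    hidden = root.find(f'.//{TASK_NS}Hidden')
    if hidden is not None and (hidden.text or '').strip().lower() == 'true':
        findings.append('task is marked Hidden in its settings')
    return findings


if __name__ == '__main__':
    for finding in triage_cmdline(CMDLINE) + triage_task_xml(SAMPLE_TASK_XML):
        print(finding)
```

On a live host the same XML triage can be run over the definitions stored under C:\Windows\System32\Tasks, which is where the registered copy of the Temp file ends up after schtasks succeeds; the Temp file itself is usually deleted by the dropper.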

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 occurrences)
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Process information set: NOOPENFILEERRORBOX (44 occurrences; SetErrorMode with SEM_NOOPENFILEERRORBOX, which suppresses the error dialog shown when a file or DLL cannot be opened)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (44 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe PID: 7508, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: XjmosAst.exe PID: 7912, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory allocated: AC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory allocated: 2810000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory allocated: 2660000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory allocated: 8A70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory allocated: 9A70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory allocated: 9C80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory allocated: AC80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory allocated: B090000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory allocated: C090000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory allocated: D090000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory allocated: E090000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory allocated: F090000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory allocated: 10090000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory allocated: 11090000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 1490000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 3200000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 3070000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory allocated: CA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory allocated: 26A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory allocated: 46A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory allocated: 83B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory allocated: 93B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory allocated: 95A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory allocated: A5A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory allocated: A980000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory allocated: B980000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory allocated: C980000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory allocated: D980000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory allocated: E980000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory allocated: F980000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory allocated: 10980000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 1280000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 3100000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 1620000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5741 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 948 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 1959 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 1656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 1207 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 3670 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe TID: 7528 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7908 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7832 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -12912720851596678s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7956 Thread sleep count: 1959 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -99875s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -99760s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7956 Thread sleep count: 1656 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -99656s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -99547s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -99431s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -99323s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -99190s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -99063s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -98938s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -98813s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -98703s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -98581s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -98453s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -98344s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -98232s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -98125s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -98016s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -97906s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -97797s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe TID: 7952 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136 Thread sleep time: -12912720851596678s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3384 Thread sleep count: 1207 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136 Thread sleep time: -99875s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3384 Thread sleep count: 3670 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136 Thread sleep time: -99762s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136 Thread sleep time: -99641s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136 Thread sleep time: -99531s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136 Thread sleep time: -99391s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136 Thread sleep time: -99266s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136 Thread sleep time: -99156s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136 Thread sleep time: -99047s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136 Thread sleep time: -98937s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136 Thread sleep time: -98828s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136 Thread sleep time: -98719s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136 Thread sleep time: -98608s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136 Thread sleep time: -98469s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136 Thread sleep time: -98344s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136 Thread sleep time: -98234s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136 Thread sleep time: -98122s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136 Thread sleep time: -98007s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136 Thread sleep time: -97900s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136 Thread sleep time: -97782s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136 Thread sleep time: -97657s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136 Thread sleep time: -97532s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136 Thread sleep time: -97422s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136 Thread sleep time: -97313s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4136 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99431
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99323
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98813
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98232
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97797
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99762
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99391
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99266
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 99047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98122
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 98007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97782
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97657
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 97313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: MSBuild.exe, 00000006.00000002.1698743369.0000000006510000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2889307573.00000000062B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XjmosAst.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43C000
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43E000
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1009008
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43C000
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43E000
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: EFC008
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XjmosAst.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XjmosAst" /XML "C:\Users\user\AppData\Local\Temp\tmp40BB.tmp"
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XjmosAst" /XML "C:\Users\user\AppData\Local\Temp\tmp4EE4.tmp"
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
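Added triage example (not part of the sandbox report, and not code from the sample): a Python script that reads behaviour lines in the "Source: <process> <action>: <details>" layout used throughout this report and does two things a practitioner wants from the sleep and HIPS / PFW blocks above. First, it sums the "Thread sleep time" indicators per thread and treats the value 922337203685477 as TimeSpan.MaxValue expressed in milliseconds (2^63 ticks divided by 10,000 ticks per millisecond), i.e. a wait that never returns rather than a timer; the -3689348814741908 and -12912720851596678 values are exactly 4 and 14 times that constant, so they are the same kind of wait summed over several calls. Second, it flags the evasion and persistence actions listed in the HIPS / PFW block: a Defender exclusion added through Add-MpPreference, a scheduled task created from an XML file under %TEMP%, a PE header (4D5A) written into another process at its image base, and MSBuild.exe started by a parent that is not a build tool. The sample lines are constructed to mirror the report's format; the millisecond unit (the report prints an "s" suffix), the loader path, and the list of legitimate MSBuild parents are assumptions.

```python
"""Triage of sandbox behaviour lines in the "Source: <process> <action>: <details>" layout.

Added example; not part of the sandbox report and not code from the analysed sample.
"""
import re
from collections import defaultdict

# TimeSpan.MaxValue in milliseconds: 2**63 ticks / 10,000 ticks per ms.
# A thread "sleeping" for this long is waiting forever, not on a timer.
TIMESPAN_MAX_MS = (2 ** 63) // 10_000          # 922337203685477

# Assumption: the report suffixes sleep values with "s", but the magnitudes
# (TimeSpan.MaxValue, 100000 stepping down by ~110) only fit milliseconds.
LONG_SLEEP_MS = 30_000

LINE_RE = re.compile(r"^Source:\s+(?P<src>\S+)\s+(?P<rest>.*)$")   # paths without spaces, as in the report
SLEEP_RE = re.compile(r"TID:\s*(?P<tid>\d+)\s+Thread sleep time:\s*-(?P<ms>\d+)s")
PROC_CREATED_RE = re.compile(r"^Process created:\s+(?P<target>\S+)")
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)", re.I)
TASK_FROM_TEMP_RE = re.compile(r'schtasks\.exe.*?/Create.*?/XML\s+"[^"]*\\AppData\\Local\\Temp\\', re.I)
PE_WRITE_RE = re.compile(r"^Memory written:\s+(?P<target>\S+)\s+base:\s*(?P<base>[0-9A-Fa-f]+)\s+value starts with:\s*4D5A")
# Assumption: parents that legitimately start MSBuild.exe on a developer or build host.
BUILD_PARENTS = ("\\msbuild.exe", "\\devenv.exe", "\\dotnet.exe", "\\vbcscompiler.exe")

# Constructed sample lines modelled on the report's layout (hypothetical loader path).
SAMPLE = r"""
Source: C:\Users\user\Desktop\loader.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XjmosAst.exe"
Source: C:\Users\user\Desktop\loader.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XjmosAst" /XML "C:\Users\user\AppData\Local\Temp\tmp40BB.tmp"
Source: C:\Users\user\Desktop\loader.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\loader.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "MSBuild.exe" /nodeReuse:true
Source: C:\Users\user\Desktop\loader.exe TID: 7528 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -100000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7932 Thread sleep time: -99875s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7956 Thread sleep count: 1959 > 30
""".strip().splitlines()


def parse(lines):
    """Yield (source_process, rest_of_line) for every well-formed report line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("src"), m.group("rest")


def sleep_summary(lines):
    """Per-TID totals of the 'Thread sleep time' indicators.

    Returns {tid: {"count": n, "total_ms": ms, "infinite": bool}}; "infinite"
    marks threads that waited TimeSpan.MaxValue (or a multiple of it, i.e.
    several such waits summed by the sandbox), which are excluded from total_ms.
    """
    out = defaultdict(lambda: {"count": 0, "total_ms": 0, "infinite": False})
    for _src, rest in parse(lines):
        m = SLEEP_RE.search(rest)
        if not m:
            continue
        tid, ms = int(m.group("tid")), int(m.group("ms"))
        out[tid]["count"] += 1
        if ms >= TIMESPAN_MAX_MS:
            out[tid]["infinite"] = True
        else:
            out[tid]["total_ms"] += ms
    return dict(out)


def suspicious_threads(summary):
    """TIDs that waited forever or slept LONG_SLEEP_MS or more in total."""
    return sorted(t for t, i in summary.items() if i["infinite"] or i["total_ms"] >= LONG_SLEEP_MS)


def evasion_findings(lines):
    """Return (rule, source_process, detail) tuples for the flagged actions."""
    findings = []
    for src, rest in parse(lines):
        pe = PE_WRITE_RE.match(rest)
        if pe and pe.group("target").lower() != src.lower():
            findings.append(("pe_written_to_foreign_process", src,
                             f"{pe.group('target')} @ 0x{pe.group('base').upper()}"))
            continue
        pc = PROC_CREATED_RE.match(rest)
        if not pc:
            continue
        if EXCLUSION_RE.search(rest):
            findings.append(("defender_exclusion_added", src, rest))
        elif TASK_FROM_TEMP_RE.search(rest):
            findings.append(("scheduled_task_from_temp", src, rest))
        elif (pc.group("target").lower().endswith("\\msbuild.exe")
              and not src.lower().endswith(BUILD_PARENTS)):
            findings.append(("msbuild_spawned_by_non_build_parent", src, rest))
    return findings


if __name__ == "__main__":
    summary = sleep_summary(SAMPLE)
    for tid in suspicious_threads(summary):
        print(f"TID {tid}: {summary[tid]}")
    for rule, src, detail in evasion_findings(SAMPLE):
        print(f"[{rule}] {src}: {detail[:90]}")
```

The same predicates carry over to process-creation telemetry (image, parent image, command line) outside the sandbox; the regular expressions here are written for this report's line layout and assume paths without spaces, which holds for every path listed above.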
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Queries volume information: C:\Users\user\AppData\Roaming\XjmosAst.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\XjmosAst.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 6.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3854390.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3854390.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.1693905753.0000000003250000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2880157925.000000000317A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2880157925.000000000314E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1690865441.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2880157925.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1658860263.0000000003819000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1693905753.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe PID: 7508, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7840, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7196, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match File source: 6.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3854390.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3854390.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.1690865441.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2880157925.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1658860263.0000000003819000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1693905753.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe PID: 7508, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7840, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7196, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 6.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3854390.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3854390.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe.3819970.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.1693905753.0000000003250000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2880157925.000000000317A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2880157925.000000000314E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1690865441.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2880157925.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1658860263.0000000003819000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1693905753.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.12946.7200.exe PID: 7508, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7840, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7196, type: MEMORYSTR