Source: SecuriteInfo.com.Riskware.Application.32484.16969.exe |
ReversingLabs: Detection: 29% |
Source: SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Virustotal: Detection: 21% |
Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 99.9% probability |
Source: SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Joe Sandbox ML: detected |
Source: SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Static PE information: section name: .ro# |
Source: SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Static PE information: section name: .<G^ |
Source: SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Static PE information: section name: .[wS |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
File created: C:\Windows\license.id |
Source: classification engine |
Classification label: mal84.evad.winEXE@2/2@0/0 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2672:120:WilError_03 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown |
Process created: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe "C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe" |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Section loaded: wininet.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Section loaded: urlmon.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Section loaded: iertutil.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Section loaded: srvcli.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Section loaded: netutils.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Section loaded: cryptbase.dll |
Source: SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Static PE information: Image base 0x140000000 > 0x60000000 |
Source: SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Static file information: File size 18314240 > 1048576 |
Source: SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Static PE information: Raw size of .[wS is bigger than: 0x100000 < 0x113e600 |
Source: initial sample |
Static PE information: section where entry point is pointing to: .[wS |
Source: SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Static PE information: section name: _RDATA |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Code function: 0_3_0000019DE5714567 push es; iretd | 0_3_0000019DE5714602 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Code function: 0_3_0000019DE5712001 push es; ret | 0_3_0000019DE5712080 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Memory written: PID: 5640 base: 7FF8C8A50008 value: E9 EB D9 E9 FF |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Memory written: PID: 5640 base: 7FF8C88ED9F0 value: E9 20 26 16 00 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Memory written: PID: 5640 base: 7FF8C8A6000D value: E9 BB CB EB FF |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Memory written: PID: 5640 base: 7FF8C891CBC0 value: E9 5A 34 14 00 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Memory written: PID: 5640 base: 7FF8C8A70005 value: E9 CB 05 E5 FF |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Memory written: PID: 5640 base: 7FF8C88C05D0 value: E9 3A FA 1A 00 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Memory written: PID: 5640 base: 7FF8C8A80005 value: E9 9B 07 DF FF |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Memory written: PID: 5640 base: 7FF8C88707A0 value: E9 6A F8 20 00 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Memory written: PID: 5640 base: 7FF8C6F40007 value: E9 AB 11 E0 FF |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Memory written: PID: 5640 base: 7FF8C6D411B0 value: E9 5E EE 1F 00 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Memory written: PID: 5640 base: 7FF8C7010006 value: E9 BB 7F D0 FF |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Memory written: PID: 5640 base: 7FF8C6D17FC0 value: E9 4C 80 2F 00 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Memory written: PID: 5640 base: 7FF8C6560007 value: E9 CB E3 E3 FF |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Memory written: PID: 5640 base: 7FF8C639E3D0 value: E9 3E 1C 1C 00 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Memory written: PID: 5640 base: 7FF8C6570006 value: E9 AB 4D D3 FF |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Memory written: PID: 5640 base: 7FF8C62A4DB0 value: E9 5C B2 2C 00 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
System information queried: FirmwareTableInformation |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
System information queried: FirmwareTableInformation |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Special instruction interceptor: First address: 7FF7A6934E4B instructions rdtsc caused by: RDTSC with Trap Flag (TF) |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Special instruction interceptor: First address: 7FF7A6934E59 instructions rdtsc caused by: RDTSC with Trap Flag (TF) |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
System information queried: ModuleInformation |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Process information queried: ProcessInformation |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Thread information set: HideFromDebugger |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Thread information set: HideFromDebugger |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Handle closed: DEADC0DE |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Process queried: DebugPort |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Process queried: DebugObjectHandle |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Process queried: DebugObjectHandle |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Process queried: DebugObjectHandle |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
Process queried: DebugPort |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
NtSetInformationThread: Direct from: 0x7FF7A5FB97A5 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
NtQuerySystemInformation: Direct from: 0x7FF7A690BBE9 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
NtQueryInformationProcess: Direct from: 0x7FF7A692AA7F |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
NtProtectVirtualMemory: Direct from: 0x7FF7A5D6517B |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
NtMapViewOfSection: Direct from: 0x7FF7A5FF7A12 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
NtSetInformationProcess: Direct from: 0x7FF7A5F90AF3 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
NtProtectVirtualMemory: Direct from: 0x7FF7A5D9EAC7 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
NtProtectVirtualMemory: Direct from: 0x7FF7A5D5102A |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
NtProtectVirtualMemory: Direct from: 0x7FF7A5D37729 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
NtProtectVirtualMemory: Indirect: 0x7FF7A5D1926B |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
NtProtectVirtualMemory: Direct from: 0x7FF7A691E611 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
NtProtectVirtualMemory: Direct from: 0x7FF7A5D69012 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
NtQueryInformationProcess: Direct from: 0x7FF7A5D688A4 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
NtProtectVirtualMemory: Direct from: 0x7FF7A6000E99 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
NtQuerySystemInformation: Direct from: 0x7FF7A5FA5352 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
NtQueryInformationProcess: Direct from: 0x7FF7A5D4D59D |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
NtProtectVirtualMemory: Direct from: 0x7FF7A5FAD723 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
NtQuerySystemInformation: Direct from: 0x7FF7A5E0FBE7 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Riskware.Application.32484.16969.exe |
NtProtectVirtualMemory: Direct from: 0x7FF7A5D71273 |