Windows Analysis Report
SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
Analysis ID: 1482926
MD5: 967175d3aa79388fd8e84ccbf0b998c7
SHA1: 9bb041c883354d306a22ea0faf9c8deecd9f14c0
SHA256: 4607e74d7d23628239d2bdfc8d57236c09778517f758323e13fc9ca4092c07a7
Tags: exe

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Snake Keylogger
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection

Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Avira: detected
Source: 00000004.00000002.3267531741.00000000029C1000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "grafik@erkanlarofis.com.tr", "Password": "19261926+-", "Host": "mail.erkanlarofis.com.tr", "Port": "587"}
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Virustotal: Detection: 28% Perma Link
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Joe Sandbox ML: detected

Location Tracking

Source: unknown DNS query: name: reallyfreegeoip.org
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49710 version: TLS 1.0
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: PHCd.pdbSHA256 source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
Source: Binary string: PHCd.pdb source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Code function: 4x nop then jmp 06ADD0CFh 0_2_06ADD2A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Code function: 4x nop then jmp 00FAF20Eh 4_2_00FAF01F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Code function: 4x nop then jmp 00FAFB98h 4_2_00FAF01F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 4_2_00FAE540
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 4_2_00FAEB73
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 4_2_00FAED54

Networking

Source: Yara match File source: 4.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.raw.unpack, type: UNPACKEDPE
Source: global traffic TCP traffic: 192.168.2.5:49730 -> 77.245.159.7:587
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: Joe Sandbox View IP Address: 188.114.97.3
Source: Joe Sandbox View IP Address: 158.101.44.242
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: NIOBEBILISIMHIZMETLERITR
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown DNS query: name: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: mail.erkanlarofis.com.tr
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B24000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002A84000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002A78000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B24000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B4D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002AC7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002A84000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.00000000029C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000000.00000002.2031188002.0000000003706000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3264630620.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B40000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.orgp
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002C93000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002CD8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002CAD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002CB7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002CA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://erkanlarofis.com.tr
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002C93000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002CD8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002CAD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002CB7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002CA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.erkanlarofis.com.tr
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002A9D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B24000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000000.00000002.2030808556.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.00000000029C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B24000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002AC7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002A84000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000000.00000002.2031188002.0000000003706000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3264630620.0000000000402000.00000040.00000400.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002A84000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002A84000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B17000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B24000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002AC7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33p

System Summary

Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000004.00000002.3264630620.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.3264630620.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2031188002.0000000003706000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2031188002.0000000003706000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe PID: 2924, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe PID: 2924, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe PID: 4040, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe PID: 4040, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000000.00000002.2029787310.000000000089E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000000.00000002.2030808556.00000000026A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMML.dll2 vs SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000000.00000002.2030808556.00000000026E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000000.00000002.2032585994.0000000006780000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000000.00000002.2032456578.0000000005180000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMML.dll2 vs SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000000.00000002.2031188002.000000000387E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000000.00000002.2031188002.0000000003706000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000000.00000002.2033048840.00000000083F4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePowerShell.EXEe vs SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3264630620.0000000000422000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3265021892.0000000000CF7000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Binary or memory string: OriginalFilenamePHCd.exe: vs SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000004.00000002.3264630620.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.3264630620.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2031188002.0000000003706000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2031188002.0000000003706000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe PID: 2924, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe PID: 2924, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe PID: 4040, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe PID: 4040, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, lXmeKmPdTaDsuhOP4M.cs Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, lXmeKmPdTaDsuhOP4M.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, lXmeKmPdTaDsuhOP4M.cs Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, Se7yaxeobBMdUHx8Vi.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, Se7yaxeobBMdUHx8Vi.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, lXmeKmPdTaDsuhOP4M.cs Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, lXmeKmPdTaDsuhOP4M.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, lXmeKmPdTaDsuhOP4M.cs Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, lXmeKmPdTaDsuhOP4M.cs Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, lXmeKmPdTaDsuhOP4M.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, lXmeKmPdTaDsuhOP4M.cs Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, Se7yaxeobBMdUHx8Vi.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/6@3/3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.log
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Mutant created: \Sessions\1\BaseNamedObjects\tiqdbrBawfEtCyhplyRgDXJO
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2640:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_etzjvjg0.wmm.ps1
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002C05000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002C13000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3270967957.0000000003A4B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3267531741.0000000002BF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Virustotal: Detection: 28%
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: PHCd.pdbSHA256 source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe
Source: Binary string: PHCd.pdb source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe

Data Obfuscation

Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, frmMain.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, lXmeKmPdTaDsuhOP4M.cs .Net Code: yj6dS9kw0f System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, lXmeKmPdTaDsuhOP4M.cs .Net Code: yj6dS9kw0f System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.5180000.5.raw.unpack, -.cs .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.5180000.5.raw.unpack, PingPong.cs .Net Code: Justy
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.26c7c54.0.raw.unpack, -.cs .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.26c7c54.0.raw.unpack, PingPong.cs .Net Code: Justy
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, lXmeKmPdTaDsuhOP4M.cs .Net Code: yj6dS9kw0f System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Code function: 0_2_0267E130 push 08418B02h; ret 0_2_0267E143
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Code function: 0_2_0267E841 push 14418B02h; ret 0_2_0267E853
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Code function: 0_2_0267D238 push eax; iretd 0_2_0267D241
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Code function: 0_2_0267F090 push 1C418B02h; ret 0_2_0267F0A3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Code function: 0_2_0267F421 push 20418B02h; ret 0_2_0267F413
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Code function: 0_2_0267DC20 push 08518902h; ret 0_2_0267DC33
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Code function: 0_2_06ADDC56 push es; ret 0_2_06ADDC58
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Code function: 4_2_05641BE8 push eax; retf 4_2_05641BE9
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Static PE information: section name: .text entropy: 7.977489549607041
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, Ak4oG7NYOwJL1B3Iuo.cs High entropy of concatenated method names: 'Dispose', 'F0rhvYhSpS', 'BZKtaTFUoY', 'aBbCCwJkeg', 'gaih2xC1jV', 'KYjhzvxbsW', 'ProcessDialogKey', 'jPEteJWMNK', 'O0xthrh3OH', 'FcFttJXbhu'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, Pwpj4xKLD3kV8kZye0j.cs High entropy of concatenated method names: 'wPEWE6SbMT', 'uslWkxkB0r', 'hSrWSOUoa6', 'n4RW0nGPLj', 'vEUWbygdqZ', 'JSbWNHoIBn', 'Vy6WG9wceE', 'iHNWFShdT1', 'B9GW7ktRSW', 'BhZWT5TsKe'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, QQKot902G4vU2soPiv.cs High entropy of concatenated method names: 'Y9swFsy4uZ', 'WDWw73mMZv', 'oq4wyHojME', 'FL5wahq1uZ', 'nUwwqJfBR9', 'hkywr3sQQX', 'Maow59y7b6', 'JpAwVEjvUK', 'yGaw6emi4y', 'AdywAVICE5'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, fVqBTE5GN24nXcJ2Na.cs High entropy of concatenated method names: 'xmASv280U', 'Go40xB6Eh', 'EatNV6xUT', 'P2eGCEIcM', 'V9u79rU6F', 'r4KTM83qT', 'FgTiQiV2Ra2jAuMHGR', 'wDlSUsfffMW8lcUk99', 'O89xwP1pt', 'ahagBfkN3'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, lXmeKmPdTaDsuhOP4M.cs High entropy of concatenated method names: 'SwnYDvtalp', 'NIEYItfRNB', 'OUcYf5LTs7', 'GcCYO0Ll1i', 'u1PYnyDgOU', 'fyAYMbGDj5', 'XUNYUuS1iB', 'gnLYujx09I', 'EqkY3HZssa', 'YCpYP4PLt2'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, LKGBl8HqPCBQXSKmTW.cs High entropy of concatenated method names: 'FLC84FNOEw', 'iTJ82C93XZ', 'Ac8xeevVgg', 'cJVxh6qQvh', 'oRi8A1xxHV', 'mNw8KivQDA', 'zfn8Hgr5oo', 'XFJ8ixbuFp', 'uOf8X1vZxd', 'tBy8ZwbirW'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, Q534henmWuNmoyahwo.cs High entropy of concatenated method names: 'pufj6qFkDU', 'lZwjKEp5ug', 'CGUjiJO4yv', 'hNhjX6kGuL', 'wSCjavQyKK', 'IA9jJF0BT2', 'pshjqDZbdN', 'BjGjrU7E6Q', 'Px9jsrivpa', 'f1Lj534ylg'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, bbPsGWxoYJLfpZBGIC.cs High entropy of concatenated method names: 'm3fhUgYigO', 'btrhuvIqGx', 'mblhPuJtfn', 'giEhR2mI9O', 'A9XhjvrGJj', 'bljhouHeJQ', 'qFingUkohEIInRpeg4', 'WFTHoj6j8DU2oagbWC', 'sDlhhA2ptG', 'WxphY5Hl8L'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, YGEM2bi6LyVcTr1Cyx.cs High entropy of concatenated method names: 'oI4UIZ19Pk', 'TLUUOhxHAD', 'wFKUMpAEgc', 'ymHM2bSSI7', 'YRpMzowZSw', 'OMSUe9f5pW', 'YwcUhMEyrw', 'CtIUtlwO7T', 'rjRUYP2gLQ', 'Ei1Udf8VUY'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, Se7yaxeobBMdUHx8Vi.cs High entropy of concatenated method names: 'xlsfiruKIW', 'otofXgSOfo', 'MSefZjtCdT', 'l5VfcUHHVe', 'KqrfQHKqxe', 'vckfLKfQdl', 'h9rfmefTR8', 'ABVf4ofSFW', 'EIgfvXKmnO', 'xISf2C0jWG'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, kdj6WvMI01nxVHVla4.cs High entropy of concatenated method names: 'CaKO0Wpvww', 'G3iONL7mng', 'FhDOF2hJFU', 'kedO7DK5YY', 'VZZOji9Axe', 'uKOOo2T4nq', 'gETO8YeqCV', 'HYtOxjopyH', 'iq3OWTLGeg', 'pCKOgrlCLk'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, zXnonSyflm4XEq4w2O.cs High entropy of concatenated method names: 'dGPUEpH5oP', 'cGCUkL7MB2', 'pQjUSkQNcC', 'PdWU0vhcPd', 'WtXUbcogrh', 'gjDUNPRFBX', 'i46UGKe2i6', 'ckoUFUKZy4', 'vUgU7h5cbo', 'UGpUTkjotR'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, EH2RCFfeaNraoXmPh4.cs High entropy of concatenated method names: 'WXJxyC4fCR', 'DKdxaMmPhp', 'CY8xJYd0Hy', 'oJXxq0j0Ul', 'd5UxigqD5R', 'irWxrwtYeK', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, SWsSDUtWUdrnebBMgx.cs High entropy of concatenated method names: 'lD3Whn0Z1F', 'aspWYDoNO2', 'GX0WduC6Ll', 'IiNWIKeBNx', 'FHfWfv6pcS', 'VPUWn9Q7Pk', 'ahTWMAbqTB', 's4nxmcUmE8', 'YJIx4w0xnH', 'UwOxvS9TaP'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, VAFL6yzLyY66jhx7II.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'sGkWwZ9arc', 'G1YWjmyMK8', 'kKAWo1IBMc', 'cvMW8wpQR6', 'VJYWxyr4NC', 'sqEWWMu0HG', 'v41Wg8bRgB'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, GCbAElUGA7WyejW7Zv.cs High entropy of concatenated method names: 'JafxIOnthq', 'JINxffbKro', 'KAuxOylFs1', 'uxWxnLC7WT', 'knbxM2iXXI', 'ha3xUls2WJ', 'XP0xu6VMLr', 'bxbx3SFssf', 'IejxP2pdKP', 'JFAxRIYVxq'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, KsKTQfhbw7oCRIK4yb.cs High entropy of concatenated method names: 'ioT8PxqKy7', 'LVf8RWoy9H', 'ToString', 'wk48I9gA0l', 'Tpq8f9eKLb', 'T6g8O1oplt', 'ygL8neeNHs', 'UXv8MsyTtu', 'Yuc8UtPYoa', 'hyD8uKIIdk'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.6780000.7.raw.unpack, OrhtwbropZ5iQ0Knjf.cs High entropy of concatenated method names: 'CAZMDJm2RU', 'pspMfoEE2O', 'x4LMnQS8in', 'gKKMU4ga3E', 'jHPMuRRmig', 'U06nQrojBJ', 'XEqnLBEXa3', 'Lrwnm8Mc8Q', 'E29n46N3U4', 'SXtnvTiVGP'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, Ak4oG7NYOwJL1B3Iuo.cs High entropy of concatenated method names: 'Dispose', 'F0rhvYhSpS', 'BZKtaTFUoY', 'aBbCCwJkeg', 'gaih2xC1jV', 'KYjhzvxbsW', 'ProcessDialogKey', 'jPEteJWMNK', 'O0xthrh3OH', 'FcFttJXbhu'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, Pwpj4xKLD3kV8kZye0j.cs High entropy of concatenated method names: 'wPEWE6SbMT', 'uslWkxkB0r', 'hSrWSOUoa6', 'n4RW0nGPLj', 'vEUWbygdqZ', 'JSbWNHoIBn', 'Vy6WG9wceE', 'iHNWFShdT1', 'B9GW7ktRSW', 'BhZWT5TsKe'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, QQKot902G4vU2soPiv.cs High entropy of concatenated method names: 'Y9swFsy4uZ', 'WDWw73mMZv', 'oq4wyHojME', 'FL5wahq1uZ', 'nUwwqJfBR9', 'hkywr3sQQX', 'Maow59y7b6', 'JpAwVEjvUK', 'yGaw6emi4y', 'AdywAVICE5'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, fVqBTE5GN24nXcJ2Na.cs High entropy of concatenated method names: 'xmASv280U', 'Go40xB6Eh', 'EatNV6xUT', 'P2eGCEIcM', 'V9u79rU6F', 'r4KTM83qT', 'FgTiQiV2Ra2jAuMHGR', 'wDlSUsfffMW8lcUk99', 'O89xwP1pt', 'ahagBfkN3'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, lXmeKmPdTaDsuhOP4M.cs High entropy of concatenated method names: 'SwnYDvtalp', 'NIEYItfRNB', 'OUcYf5LTs7', 'GcCYO0Ll1i', 'u1PYnyDgOU', 'fyAYMbGDj5', 'XUNYUuS1iB', 'gnLYujx09I', 'EqkY3HZssa', 'YCpYP4PLt2'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, LKGBl8HqPCBQXSKmTW.cs High entropy of concatenated method names: 'FLC84FNOEw', 'iTJ82C93XZ', 'Ac8xeevVgg', 'cJVxh6qQvh', 'oRi8A1xxHV', 'mNw8KivQDA', 'zfn8Hgr5oo', 'XFJ8ixbuFp', 'uOf8X1vZxd', 'tBy8ZwbirW'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, Q534henmWuNmoyahwo.cs High entropy of concatenated method names: 'pufj6qFkDU', 'lZwjKEp5ug', 'CGUjiJO4yv', 'hNhjX6kGuL', 'wSCjavQyKK', 'IA9jJF0BT2', 'pshjqDZbdN', 'BjGjrU7E6Q', 'Px9jsrivpa', 'f1Lj534ylg'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, bbPsGWxoYJLfpZBGIC.cs High entropy of concatenated method names: 'm3fhUgYigO', 'btrhuvIqGx', 'mblhPuJtfn', 'giEhR2mI9O', 'A9XhjvrGJj', 'bljhouHeJQ', 'qFingUkohEIInRpeg4', 'WFTHoj6j8DU2oagbWC', 'sDlhhA2ptG', 'WxphY5Hl8L'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, YGEM2bi6LyVcTr1Cyx.cs High entropy of concatenated method names: 'oI4UIZ19Pk', 'TLUUOhxHAD', 'wFKUMpAEgc', 'ymHM2bSSI7', 'YRpMzowZSw', 'OMSUe9f5pW', 'YwcUhMEyrw', 'CtIUtlwO7T', 'rjRUYP2gLQ', 'Ei1Udf8VUY'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, Se7yaxeobBMdUHx8Vi.cs High entropy of concatenated method names: 'xlsfiruKIW', 'otofXgSOfo', 'MSefZjtCdT', 'l5VfcUHHVe', 'KqrfQHKqxe', 'vckfLKfQdl', 'h9rfmefTR8', 'ABVf4ofSFW', 'EIgfvXKmnO', 'xISf2C0jWG'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, kdj6WvMI01nxVHVla4.cs High entropy of concatenated method names: 'CaKO0Wpvww', 'G3iONL7mng', 'FhDOF2hJFU', 'kedO7DK5YY', 'VZZOji9Axe', 'uKOOo2T4nq', 'gETO8YeqCV', 'HYtOxjopyH', 'iq3OWTLGeg', 'pCKOgrlCLk'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, zXnonSyflm4XEq4w2O.cs High entropy of concatenated method names: 'dGPUEpH5oP', 'cGCUkL7MB2', 'pQjUSkQNcC', 'PdWU0vhcPd', 'WtXUbcogrh', 'gjDUNPRFBX', 'i46UGKe2i6', 'ckoUFUKZy4', 'vUgU7h5cbo', 'UGpUTkjotR'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, EH2RCFfeaNraoXmPh4.cs High entropy of concatenated method names: 'WXJxyC4fCR', 'DKdxaMmPhp', 'CY8xJYd0Hy', 'oJXxq0j0Ul', 'd5UxigqD5R', 'irWxrwtYeK', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, SWsSDUtWUdrnebBMgx.cs High entropy of concatenated method names: 'lD3Whn0Z1F', 'aspWYDoNO2', 'GX0WduC6Ll', 'IiNWIKeBNx', 'FHfWfv6pcS', 'VPUWn9Q7Pk', 'ahTWMAbqTB', 's4nxmcUmE8', 'YJIx4w0xnH', 'UwOxvS9TaP'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, VAFL6yzLyY66jhx7II.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'sGkWwZ9arc', 'G1YWjmyMK8', 'kKAWo1IBMc', 'cvMW8wpQR6', 'VJYWxyr4NC', 'sqEWWMu0HG', 'v41Wg8bRgB'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, GCbAElUGA7WyejW7Zv.cs High entropy of concatenated method names: 'JafxIOnthq', 'JINxffbKro', 'KAuxOylFs1', 'uxWxnLC7WT', 'knbxM2iXXI', 'ha3xUls2WJ', 'XP0xu6VMLr', 'bxbx3SFssf', 'IejxP2pdKP', 'JFAxRIYVxq'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, KsKTQfhbw7oCRIK4yb.cs High entropy of concatenated method names: 'ioT8PxqKy7', 'LVf8RWoy9H', 'ToString', 'wk48I9gA0l', 'Tpq8f9eKLb', 'T6g8O1oplt', 'ygL8neeNHs', 'UXv8MsyTtu', 'Yuc8UtPYoa', 'hyD8uKIIdk'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.39b61d0.3.raw.unpack, OrhtwbropZ5iQ0Knjf.cs High entropy of concatenated method names: 'CAZMDJm2RU', 'pspMfoEE2O', 'x4LMnQS8in', 'gKKMU4ga3E', 'jHPMuRRmig', 'U06nQrojBJ', 'XEqnLBEXa3', 'Lrwnm8Mc8Q', 'E29n46N3U4', 'SXtnvTiVGP'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, Ak4oG7NYOwJL1B3Iuo.cs High entropy of concatenated method names: 'Dispose', 'F0rhvYhSpS', 'BZKtaTFUoY', 'aBbCCwJkeg', 'gaih2xC1jV', 'KYjhzvxbsW', 'ProcessDialogKey', 'jPEteJWMNK', 'O0xthrh3OH', 'FcFttJXbhu'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, Pwpj4xKLD3kV8kZye0j.cs High entropy of concatenated method names: 'wPEWE6SbMT', 'uslWkxkB0r', 'hSrWSOUoa6', 'n4RW0nGPLj', 'vEUWbygdqZ', 'JSbWNHoIBn', 'Vy6WG9wceE', 'iHNWFShdT1', 'B9GW7ktRSW', 'BhZWT5TsKe'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, QQKot902G4vU2soPiv.cs High entropy of concatenated method names: 'Y9swFsy4uZ', 'WDWw73mMZv', 'oq4wyHojME', 'FL5wahq1uZ', 'nUwwqJfBR9', 'hkywr3sQQX', 'Maow59y7b6', 'JpAwVEjvUK', 'yGaw6emi4y', 'AdywAVICE5'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, fVqBTE5GN24nXcJ2Na.cs High entropy of concatenated method names: 'xmASv280U', 'Go40xB6Eh', 'EatNV6xUT', 'P2eGCEIcM', 'V9u79rU6F', 'r4KTM83qT', 'FgTiQiV2Ra2jAuMHGR', 'wDlSUsfffMW8lcUk99', 'O89xwP1pt', 'ahagBfkN3'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, lXmeKmPdTaDsuhOP4M.cs High entropy of concatenated method names: 'SwnYDvtalp', 'NIEYItfRNB', 'OUcYf5LTs7', 'GcCYO0Ll1i', 'u1PYnyDgOU', 'fyAYMbGDj5', 'XUNYUuS1iB', 'gnLYujx09I', 'EqkY3HZssa', 'YCpYP4PLt2'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, LKGBl8HqPCBQXSKmTW.cs High entropy of concatenated method names: 'FLC84FNOEw', 'iTJ82C93XZ', 'Ac8xeevVgg', 'cJVxh6qQvh', 'oRi8A1xxHV', 'mNw8KivQDA', 'zfn8Hgr5oo', 'XFJ8ixbuFp', 'uOf8X1vZxd', 'tBy8ZwbirW'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, Q534henmWuNmoyahwo.cs High entropy of concatenated method names: 'pufj6qFkDU', 'lZwjKEp5ug', 'CGUjiJO4yv', 'hNhjX6kGuL', 'wSCjavQyKK', 'IA9jJF0BT2', 'pshjqDZbdN', 'BjGjrU7E6Q', 'Px9jsrivpa', 'f1Lj534ylg'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, bbPsGWxoYJLfpZBGIC.cs High entropy of concatenated method names: 'm3fhUgYigO', 'btrhuvIqGx', 'mblhPuJtfn', 'giEhR2mI9O', 'A9XhjvrGJj', 'bljhouHeJQ', 'qFingUkohEIInRpeg4', 'WFTHoj6j8DU2oagbWC', 'sDlhhA2ptG', 'WxphY5Hl8L'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, YGEM2bi6LyVcTr1Cyx.cs High entropy of concatenated method names: 'oI4UIZ19Pk', 'TLUUOhxHAD', 'wFKUMpAEgc', 'ymHM2bSSI7', 'YRpMzowZSw', 'OMSUe9f5pW', 'YwcUhMEyrw', 'CtIUtlwO7T', 'rjRUYP2gLQ', 'Ei1Udf8VUY'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, Se7yaxeobBMdUHx8Vi.cs High entropy of concatenated method names: 'xlsfiruKIW', 'otofXgSOfo', 'MSefZjtCdT', 'l5VfcUHHVe', 'KqrfQHKqxe', 'vckfLKfQdl', 'h9rfmefTR8', 'ABVf4ofSFW', 'EIgfvXKmnO', 'xISf2C0jWG'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, kdj6WvMI01nxVHVla4.cs High entropy of concatenated method names: 'CaKO0Wpvww', 'G3iONL7mng', 'FhDOF2hJFU', 'kedO7DK5YY', 'VZZOji9Axe', 'uKOOo2T4nq', 'gETO8YeqCV', 'HYtOxjopyH', 'iq3OWTLGeg', 'pCKOgrlCLk'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, zXnonSyflm4XEq4w2O.cs High entropy of concatenated method names: 'dGPUEpH5oP', 'cGCUkL7MB2', 'pQjUSkQNcC', 'PdWU0vhcPd', 'WtXUbcogrh', 'gjDUNPRFBX', 'i46UGKe2i6', 'ckoUFUKZy4', 'vUgU7h5cbo', 'UGpUTkjotR'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, EH2RCFfeaNraoXmPh4.cs High entropy of concatenated method names: 'WXJxyC4fCR', 'DKdxaMmPhp', 'CY8xJYd0Hy', 'oJXxq0j0Ul', 'd5UxigqD5R', 'irWxrwtYeK', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, SWsSDUtWUdrnebBMgx.cs High entropy of concatenated method names: 'lD3Whn0Z1F', 'aspWYDoNO2', 'GX0WduC6Ll', 'IiNWIKeBNx', 'FHfWfv6pcS', 'VPUWn9Q7Pk', 'ahTWMAbqTB', 's4nxmcUmE8', 'YJIx4w0xnH', 'UwOxvS9TaP'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, VAFL6yzLyY66jhx7II.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'sGkWwZ9arc', 'G1YWjmyMK8', 'kKAWo1IBMc', 'cvMW8wpQR6', 'VJYWxyr4NC', 'sqEWWMu0HG', 'v41Wg8bRgB'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, GCbAElUGA7WyejW7Zv.cs High entropy of concatenated method names: 'JafxIOnthq', 'JINxffbKro', 'KAuxOylFs1', 'uxWxnLC7WT', 'knbxM2iXXI', 'ha3xUls2WJ', 'XP0xu6VMLr', 'bxbx3SFssf', 'IejxP2pdKP', 'JFAxRIYVxq'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, KsKTQfhbw7oCRIK4yb.cs High entropy of concatenated method names: 'ioT8PxqKy7', 'LVf8RWoy9H', 'ToString', 'wk48I9gA0l', 'Tpq8f9eKLb', 'T6g8O1oplt', 'ygL8neeNHs', 'UXv8MsyTtu', 'Yuc8UtPYoa', 'hyD8uKIIdk'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3a17df0.1.raw.unpack, OrhtwbropZ5iQ0Knjf.cs High entropy of concatenated method names: 'CAZMDJm2RU', 'pspMfoEE2O', 'x4LMnQS8in', 'gKKMU4ga3E', 'jHPMuRRmig', 'U06nQrojBJ', 'XEqnLBEXa3', 'Lrwnm8Mc8Q', 'E29n46N3U4', 'SXtnvTiVGP'
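The static findings above (the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR data directory, the Assembly.Load(byte[]) call sites, the .text section entropy of 7.977, and the high entropy of concatenated method names) are all heuristics an analyst can re-run offline. The following script is an added example written for this report; it is not Joe Sandbox code and not code from the sample. It parses the PE section table and CLR data directory with the standard library only, computes Shannon entropy for raw section data and for identifier lists, and scores them. The method-name lists are copied from the findings above as constructed input; build_test_pe() fabricates a minimal, non-loadable PE purely as test input; PACKED_THRESHOLD is an assumed cut-off, not a value taken from the report.

```python
"""Added example (not Joe Sandbox code): reproduce offline the static heuristics
the report applies to this sample. Raw-section entropy (.text flagged at 7.977
bits/byte, a level only compressed or encrypted data reaches), the "high entropy
of concatenated method names" check that separates obfuscator output such as
'wPEWE6SbMT' from readable names such as 'CanConvertFrom', and the presence of
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (the CLR header), which marks a blob handed
to Assembly.Load(byte[]) as a managed PE. Standard library only; build_test_pe()
creates constructed input and PACKED_THRESHOLD is an assumed cut-off."""
import math
import struct
from collections import Counter

PACKED_THRESHOLD = 7.0  # bits per byte (assumption; tune on your own corpus)

def shannon_entropy(data):
    """Shannon entropy, in bits per symbol, of a bytes or str value."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_pe(pe):
    """Return (is_managed, {section_name: raw-data entropy}) for a PE image.
    Raises ValueError on a missing MZ/PE signature (non-PE or truncated dump)."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    # PE32 (0x10B) keeps the data directories at +96, PE32+ (0x20B) at +112;
    # NumberOfRvaAndSizes is the DWORD immediately before them.
    magic = struct.unpack_from("<H", pe, opt)[0]
    dir_base = opt + (96 if magic == 0x10B else 112)
    num_dirs = struct.unpack_from("<I", pe, dir_base - 4)[0]
    is_managed = False
    if num_dirs > 14:  # entry 14 is IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        clr_rva, clr_size = struct.unpack_from("<II", pe, dir_base + 14 * 8)
        is_managed = clr_rva != 0 and clr_size != 0
    sections, table = {}, opt + size_opt
    for i in range(num_sections):
        hdr = table + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        size_raw, ptr_raw = struct.unpack_from("<II", pe, hdr + 16)
        sections[name] = shannon_entropy(pe[ptr_raw:ptr_raw + size_raw])
    return is_managed, sections

def packed_sections(sections, threshold=PACKED_THRESHOLD):
    """Names of sections whose raw-data entropy reaches the threshold."""
    return [name for name, e in sections.items() if e >= threshold]

def method_name_entropy(names):
    """Entropy of the concatenated identifiers, as in the report's check."""
    return shannon_entropy("".join(names))

def build_test_pe(sections, managed):
    """Construct a minimal PE32 image from {name: raw bytes}. Test input only:
    it has no code or entry point and is not loadable."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = bytearray(96 + 16 * 8)             # PE32 optional header + 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)      # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 72)  # fake CLR header RVA/size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    head_len = len(dos) + 4 + len(coff) + len(opt) + 40 * len(sections)
    data_start = (head_len + 0x1FF) & ~0x1FF  # raw data 512-byte aligned
    table, blobs, ptr = b"", b"", data_start
    for name, blob in sections.items():
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(blob), ptr,
                             len(blob), ptr, 0, 0, 0, 0, 0x60000020)
        blobs += blob
        ptr += len(blob)
    head = dos + b"PE\0\0" + coff + bytes(opt) + table
    return head + bytes(data_start - len(head)) + blobs

# Constructed inputs: the identifier lists are copied from the report findings.
OBFUSCATED = ["wPEWE6SbMT", "uslWkxkB0r", "hSrWSOUoa6", "n4RW0nGPLj", "vEUWbygdqZ",
              "JSbWNHoIBn", "Vy6WG9wceE", "iHNWFShdT1", "B9GW7ktRSW", "BhZWT5TsKe"]
READABLE = ["Dispose", "ProcessDialogKey", "ToString", "CanConvertFrom",
            "ConvertFrom", "ConvertTo", "Next", "NextBytes"]

def demo():
    """Score a constructed managed PE: .text uniformly distributed (8.0 bits,
    what a compressed payload looks like), .rdata a constant byte (0.0 bits)."""
    pe = build_test_pe({".text": bytes(range(256)) * 4, ".rdata": b"A" * 1024}, managed=True)
    managed, sections = parse_pe(pe)
    return (managed, sections, packed_sections(sections),
            method_name_entropy(OBFUSCATED), method_name_entropy(READABLE))

if __name__ == "__main__":
    managed, sections, packed, e_obf, e_plain = demo()
    print("managed PE:", managed, "| sections:", sections, "| packed:", packed)
    print(f"obfuscated names {e_obf:.2f} bits/char, readable names {e_plain:.2f}")
```

To score a real file or one of the report's memory dumps, call parse_pe() on its bytes. Method names are not recovered by this script; feed it identifiers from a .NET metadata reader. Entropy alone does not prove packing (a large embedded image or certificate also scores high), so treat a hit on .text as a cue to look for the Assembly.Load(byte[]) loader, as the report did.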

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Process information set: NOOPENFILEERRORBOX (43 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe PID: 2924, type: MEMORYSTR
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Memory allocated: 870000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Memory allocated: 26A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Memory allocated: C20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Memory allocated: 84A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Memory allocated: 94A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Memory allocated: 9690000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Memory allocated: A690000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Memory allocated: FA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Memory allocated: 29C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Memory allocated: 49C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 599875
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 599766
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 599657
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 599532
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 599422
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 599313
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 599188
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 599063
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 598938
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 598813
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 598704
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 598579
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 598454
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 598336
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 598219
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 598094
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 597985
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 597860
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 597735
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 597610
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 597485
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 597360
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 597235
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 597110
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 596993
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 596875
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 596766
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 596641
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 596532
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 596407
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 596297
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 596188
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 596063
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 595938
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 595813
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 595688
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 595578
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 595469
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 595344
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 595235
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 595110
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 594985
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 594860
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 594735
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 594610
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 594485
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 594360
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 594235
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 594110
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5753
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4012
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Window / User API: threadDelayed 8704
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Window / User API: threadDelayed 1119
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 2076 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5304 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 5880 Thread sleep count: 8704 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 5880 Thread sleep count: 1119 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -599766s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -599657s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -599532s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -599422s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -599313s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -599188s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -599063s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -598938s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -598813s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -598704s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -598579s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -598454s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -598336s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -598219s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -598094s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -597985s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -597860s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -597735s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -597610s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -597485s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -597360s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -597235s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -597110s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -596993s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -596875s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -596766s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -596641s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -596532s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -596407s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -596297s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -596188s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -596063s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -595938s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -595813s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -595688s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -595578s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -595469s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -595344s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -595235s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -595110s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -594985s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -594860s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -594735s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -594610s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -594485s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -594360s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -594235s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe TID: 6164 Thread sleep time: -594110s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 599657 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 599532 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 599422 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 599313 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 599188 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 599063 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 598938 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 598813 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 598704 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 598579 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 598454 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 598336 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 598219 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 598094 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 597985 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 597860 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 597735 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 597610 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 597485 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 597360 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 597235 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 597110 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 596993 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 596875 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 596766 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 596641 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 596532 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 596407 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 596297 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 596188 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 596063 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 595938 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 595813 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 595688 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 595578 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 595469 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 595344 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 595235 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 595110 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 594985 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 594860 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 594735 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 594610 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 594485 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 594360 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 594235 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Thread delayed: delay time: 594110 Jump to behavior
Source: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe, 00000004.00000002.3265830469.0000000000DA6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllb
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.3267531741.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3264630620.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3267531741.0000000002B89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2031188002.0000000003706000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3267531741.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe PID: 2924, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe PID: 4040, type: MEMORYSTR
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Remote Access Functionality

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3726d30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe.3706b10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.3267531741.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3264630620.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3267531741.0000000002B89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2031188002.0000000003706000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3267531741.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe PID: 2924, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe PID: 4040, type: MEMORYSTR