Windows Analysis Report
SecuriteInfo.com.FileRepMalware.12585.5759.exe

Overview

General Information

Sample name:SecuriteInfo.com.FileRepMalware.12585.5759.exe
Analysis ID:1543470
MD5:3bc5f7f06970652d8366435fc582243e
SHA1:98d7dee8de0e304695f91f90c0f81ab8b0f49eed
SHA256:a28656f4c0dfba2848fd7840e2cf02cb9013bfa64431c18c94abe0c19f88754f
Tags:exe

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
AI detected suspicious sample
Changes the view of files in windows explorer (hidden files and folders)
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Modifies power options to not sleep / hibernate
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect debuggers (CloseHandle check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by executing special instructions (VM detection)
Uses powercfg.exe to modify the power settings
Abnormal high CPU Usage
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
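Four of the signatures above are static section-table checks: a section name containing special characters, more sections than normal (the System Summary gives 12 > 10), non-standard section names, and an entry point outside a code section. The Python below is an added example, not part of the Joe Sandbox report or its engine, that parses the COFF header, the PE32/PE32+ optional header and the section table and reproduces those checks. It runs on a constructed header-only image whose layout is an assumption chosen to mirror the shape of this report's findings: the two odd section names are the ones the System Summary lists, but the remaining names, the section count and which section holds the entry point are hypothetical, and the real sample is not embedded.

```python
"""Static PE section-table triage (added example, not report output).

Parses the COFF header, the PE32/PE32+ optional header and the section
table, then reproduces the report's static checks: section names with
special characters or non-standard names, an unusually high section
count, and an entry point outside a code section. The input is a
constructed header-only image; see build_image().
"""
import re
import struct

# Names a normal MSVC/MinGW build emits; the list is this example's own.
STANDARD_SECTIONS = {
    b".text", b".rdata", b".data", b".pdata", b".idata", b".edata", b".rsrc",
    b".reloc", b".tls", b".bss", b".CRT", b".gfids", b".00cfg", b".xdata",
}
CODE_SECTIONS = {b".text", b"CODE", b".code"}   # where an entry point belongs
MAX_NORMAL_SECTIONS = 10                          # the report's threshold
SECTION_NAME_RE = re.compile(rb"^\.?[A-Za-z0-9_]+$")


def parse_sections(image: bytes):
    """Return (AddressOfEntryPoint, [(name, VirtualAddress, VirtualSize), ...])."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):            # PE32 / PE32+
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    (entry_rva,) = struct.unpack_from("<I", image, opt + 16)   # same offset in both
    sections = []
    for i in range(nsec):
        name, vsize, vaddr = struct.unpack_from("<8sII", image, opt + opt_size + i * 40)
        sections.append((name.rstrip(b"\0"), vaddr, vsize))
    return entry_rva, sections


def triage(image: bytes) -> dict:
    """Apply the checks and return the evidence, not just a verdict."""
    entry_rva, sections = parse_sections(image)
    names = [n for n, _, _ in sections]
    entry_section = next(
        (n for n, va, vs in sections if va <= entry_rva < va + max(vs, 1)), None)
    return {
        "section_count": len(sections),
        "too_many_sections": len(sections) > MAX_NORMAL_SECTIONS,
        "special_char_names": [n for n in names if not SECTION_NAME_RE.match(n)],
        "non_standard_names": [n for n in names if n not in STANDARD_SECTIONS],
        "entry_section": entry_section,
        "entry_outside_code": entry_section not in CODE_SECTIONS,
    }


def build_image(section_names, entry_rva, image_base=0x140000000) -> bytes:
    """Constructed PE32+ header-only image for testing; only the fields that
    parse_sections() reads are populated, so it is not loadable."""
    e_lfanew, opt_size = 0x80, 240          # 240 = PE32+ optional header size
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    # Magic, 14 bytes skipped, AddressOfEntryPoint, BaseOfCode, ImageBase
    struct.pack_into("<H14xIIQ", opt, 0, 0x20B, entry_rva, 0x1000, image_base)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                    0x1000, 0, 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(section_names))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Hypothetical layout mirroring the report's findings: 12 sections, the two
# odd names from the System Summary, entry point placed in the last of them.
SAMPLE_SECTIONS = [b".text", b".rdata", b".data", b".pdata", b".idata", b".rsrc",
                   b".reloc", b".tls", b".gfids", b".00cfg", b".&;O", b".~cc"]
SAMPLE_IMAGE = build_image(SAMPLE_SECTIONS, entry_rva=0xC010)   # inside .~cc

if __name__ == "__main__":
    for key, value in triage(SAMPLE_IMAGE).items():
        print(f"{key:>20}: {value}")
```

The section-count threshold and the whitelist of linker-emitted names are this example's own, not the sandbox's; a packed or unusual but legitimate build will trip them, so treat hits as triage signals to be weighed with the behavioural findings rather than as a verdict.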

Classification

  • System is w10x64
  • SecuriteInfo.com.FileRepMalware.12585.5759.exe (PID: 1848 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe" MD5: 3BC5F7F06970652D8366435FC582243E)
    • cmd.exe (PID: 5260 cmdline: cmd /C sc stop bam MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 2284 cmdline: sc stop bam MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • cmd.exe (PID: 5632 cmdline: cmd /C SC CONFIG "bam" START= DISABLED MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 6204 cmdline: SC CONFIG "bam" START= DISABLED MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • cmd.exe (PID: 1900 cmdline: cmd /C fsutil behavior set DisableLastAccess 3 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • fsutil.exe (PID: 6220 cmdline: fsutil behavior set DisableLastAccess 3 MD5: DE00EDA7134D3365E6074700E3008CAD)
    • cmd.exe (PID: 5264 cmdline: C:\Windows\system32\cmd.exe /C powercfg /hibernate off MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 6760 cmdline: powercfg /hibernate off MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
    • cmd.exe (PID: 2128 cmdline: C:\Windows\system32\cmd.exe /C powercfg /x -hibernate-timeout-ac 0 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 5300 cmdline: powercfg /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
    • cmd.exe (PID: 6472 cmdline: C:\Windows\system32\cmd.exe /C powercfg /x -hibernate-timeout-dc 0 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 4764 cmdline: powercfg /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
    • cmd.exe (PID: 5784 cmdline: C:\Windows\system32\cmd.exe /C powercfg /x -disk-timeout-ac 0 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 1128 cmdline: powercfg /x -disk-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
    • cmd.exe (PID: 7056 cmdline: C:\Windows\system32\cmd.exe /C powercfg /x -disk-timeout-dc 0 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 6844 cmdline: powercfg /x -disk-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
    • cmd.exe (PID: 6284 cmdline: C:\Windows\system32\cmd.exe /C powercfg /x -standby-timeout-ac 0 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 6324 cmdline: powercfg /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
    • cmd.exe (PID: 1088 cmdline: C:\Windows\system32\cmd.exe /C powercfg /x -standby-timeout-dc 0 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powercfg.exe (PID: 6444 cmdline: powercfg /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
    • w32tm.exe (PID: 2200 cmdline: w32tm /resync MD5: 81A82132737224D324A3E8DA993E2FB5)
      • conhost.exe (PID: 5752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • taskkill.exe (PID: 3692 cmdline: taskkill /F /IM agent.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • conhost.exe (PID: 6020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • taskkill.exe (PID: 1900 cmdline: taskkill /F /IM battle.net.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • conhost.exe (PID: 5352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched
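No Sigma rule matched, but the process tree above is a compact anti-forensics and environment-preparation chain: the Background Activity Moderator service (bam), whose registry state records which executables each user has run, is stopped and set to disabled; NTFS last-access timestamp updates are switched off with fsutil behavior set DisableLastAccess 3; hibernation and every standby, disk and hibernate timeout are zeroed with powercfg; the clock is forced to resync with w32tm; and the Battle.net client (agent.exe, battle.net.exe) is force-killed, which together with the spoofer-config.json the sample drops and the reported.lol URLs in its memory is consistent with a "spoofer" tool aimed at a game client. The Python below is an added example, not part of the report and not a Joe Sandbox or Sigma rule: it matches process-creation records against a small rule set and correlates hits per originating process, so a single powercfg call from an administrator stays below the threshold while this chain does not. The records are constructed in the shape of Sysmon Event ID 1 fields (ProcessId, ParentProcessId, Image, CommandLine); PIDs and images follow the tree where convenient but are assumptions, as is the benign admin console added for contrast.

```python
"""Process-creation detection for the anti-forensic command chain in the
process tree above (added example; not a Joe Sandbox or Sigma rule).

Events are constructed dicts shaped like Sysmon Event ID 1 fields. PIDs and
images follow the report's tree where convenient but are assumptions.
"""
import re
from collections import defaultdict

# (rule name, child image basename, pattern). Patterns run against a
# lower-cased, whitespace-collapsed command line, so both 'sc stop bam' and
# 'SC CONFIG "bam" START= DISABLED' match despite case and spacing quirks.
RULES = [
    ("bam_service_stopped", "sc.exe", r'\bstop\s+"?bam"?\b'),
    ("bam_service_disabled", "sc.exe", r'\bconfig\s+"?bam"?\s+start=\s*disabled\b'),
    # DisableLastAccess 1 or 3 turns NTFS last-access updates off (0 and 2 turn them on).
    ("ntfs_lastaccess_disabled", "fsutil.exe", r"\bbehavior\s+set\s+disablelastaccess\s+[13]\b"),
    ("hibernate_disabled", "powercfg.exe", r"/hibernate\s+off\b"),
    ("power_timeouts_zeroed", "powercfg.exe",
     r"/x\s+-(standby|hibernate|disk)-timeout-(ac|dc)\s+0\b"),
    ("time_resync", "w32tm.exe", r"/resync\b"),
    ("game_client_killed", "taskkill.exe", r"/f\s+/im\s+(agent|battle\.net)\.exe\b"),
]
COMPILED = [(name, image, re.compile(pat)) for name, image, pat in RULES]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_event(event: dict) -> list:
    """Names of all rules the event trips (usually zero or one)."""
    image = basename(event["Image"])
    cmd = " ".join(event["CommandLine"].split()).lower()
    return [name for name, rule_image, rx in COMPILED
            if image == rule_image and rx.search(cmd)]


def root_of(pid: int, parents: dict) -> int:
    """Walk ParentProcessId upward to the top-most process that has its own
    creation event; the first ancestor never seen spawned (explorer, an
    existing console) is treated as outside the chain."""
    seen = set()
    while parents.get(pid) in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid


def correlate(events: list, min_distinct: int = 3) -> dict:
    """Map root PID -> sorted rule names, keeping only roots whose descendants
    trip at least min_distinct different rules. One powercfg or taskkill is
    routine administration; the combination is the signal."""
    parents = {e["ProcessId"]: e["ParentProcessId"] for e in events}
    hits = defaultdict(set)
    for e in events:
        for name in match_event(e):
            hits[root_of(e["ProcessId"], parents)].add(name)
    return {root: sorted(names) for root, names in hits.items()
            if len(names) >= min_distinct}


def ev(pid, ppid, image, cmd):
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image, "CommandLine": cmd}


SAMPLE = r"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe"
SYS = r"C:\Windows\System32"
# Constructed events: the chain from the tree, plus one benign admin powercfg.
EVENTS = [
    ev(1848, 4520, SAMPLE, f'"{SAMPLE}"'),
    ev(5260, 1848, SYS + r"\cmd.exe", "cmd /C sc stop bam"),
    ev(2284, 5260, SYS + r"\sc.exe", "sc stop bam"),
    ev(5632, 1848, SYS + r"\cmd.exe", 'cmd /C SC CONFIG "bam" START= DISABLED'),
    ev(6204, 5632, SYS + r"\sc.exe", 'SC CONFIG "bam" START= DISABLED'),
    ev(1900, 1848, SYS + r"\cmd.exe", "cmd /C fsutil behavior set DisableLastAccess 3"),
    ev(6220, 1900, SYS + r"\fsutil.exe", "fsutil behavior set DisableLastAccess 3"),
    ev(5264, 1848, SYS + r"\cmd.exe", SYS + r"\cmd.exe /C powercfg /hibernate off"),
    ev(6760, 5264, SYS + r"\powercfg.exe", "powercfg /hibernate off"),
    ev(2128, 1848, SYS + r"\cmd.exe", SYS + r"\cmd.exe /C powercfg /x -hibernate-timeout-ac 0"),
    ev(5300, 2128, SYS + r"\powercfg.exe", "powercfg /x -hibernate-timeout-ac 0"),
    ev(2200, 1848, SYS + r"\w32tm.exe", "w32tm /resync"),
    ev(3692, 1848, SYS + r"\taskkill.exe", "taskkill /F /IM agent.exe"),
    ev(3693, 1848, SYS + r"\taskkill.exe", "taskkill /F /IM battle.net.exe"),  # PID constructed
    ev(9000, 8999, SYS + r"\cmd.exe", "cmd"),                     # benign admin console
    ev(9001, 9000, SYS + r"\powercfg.exe", "powercfg /hibernate off"),
]

if __name__ == "__main__":
    for root, names in correlate(EVENTS).items():
        print(f"root PID {root}: {', '.join(names)}")
```

The rules deliberately key on the child image (sc.exe, fsutil.exe, powercfg.exe) rather than on the cmd.exe wrapper, so they also fire when a sample launches the tools directly without a shell; the min_distinct threshold is what keeps an administrator's single powercfg or taskkill out of the alert.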

AV Detection

Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe | Avira: detected
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.3% probability
Source: unknown | HTTPS traffic detected: 57.129.0.22:443 -> 192.168.2.5:49866 version: TLS 1.2
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Joe Sandbox View | JA3 fingerprint: bd0bf25947d4a37404f0424edf4db9ad
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: reported.lol
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2582039404.000001A67205A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2575123868.000001A674555000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2576104094.000001A6745D2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4553170862.000001A674342000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2575191082.000001A6746F4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2575503275.000001A6746F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2567011110.000001A67445A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2566337593.000001A674501000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0RobotoLight
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2576260212.000001A67481A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0RobotoMedium
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2565914201.000001A6745A8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2566337593.000001A674501000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0RobotoThin
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2569629019.000001A67205A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2575225773.000001A672059000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0en-us
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2575723651.000001A672059000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0eserved.
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2582119199.000001A67205A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2581966011.000001A67205A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2582267384.000001A67205A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2581850626.000001A67205A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2582039404.000001A67205A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0us
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2575301669.000001A672059000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0v
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2575256547.000001A672059000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0ved.
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2575225773.000001A672059000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2575256547.000001A672059000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0ved..0
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4552121388.000001A671D08000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4553170862.000001A674342000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/vs/16/release/vc_redist.x64.exe
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4553170862.000001A674342000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://google.com/
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4553170862.000001A674342000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://google.com/e/up-d
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4552121388.000001A671EC3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4553170862.000001A674342000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://reported.lol/#pricing
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4553170862.000001A674342000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://reported.lol/discord
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4550183597.000000760C1F4000.00000004.00000010.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4550427979.000001A66FBA9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4552121388.000001A671D08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://reported.lol/spf.exe
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4552121388.000001A671D08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://reported.lol/spf.exe9
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4550427979.000001A66FBA9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://reported.lol/spf.exen
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4550427979.000001A66FBA9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://reported.lol/spf.exep
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4550183597.000000760C1F4000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://reported.lol/spf.exes#
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4552121388.000001A671EC3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4553170862.000001A674342000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://reported.lol/troubleshooting/#usage
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4550427979.000001A66FBA9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4552121388.000001A671D08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://reported.lol/version.txt
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4550427979.000001A66FBA9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://reported.lol/version.txt.
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4552121388.000001A671D08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://reported.lol/version.txtw
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4553170862.000001A674342000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://yahoo.com/
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4553170862.000001A674342000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://yahoo.com/ve/u
Source: unknown | Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49866

System Summary

Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe | Static PE information: section name: .&;O
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe | Static PE information: section name: .~cc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /hibernate off
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Process Stats: CPU usage > 49%
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe | Static PE information: Number of sections : 12 > 10
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000000.2087941037.00007FF68FE71000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamespf.exe8 vs SecuriteInfo.com.FileRepMalware.12585.5759.exe
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2569629019.000001A67205A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2582119199.000001A67205A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2578915184.000001A67205A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2575301669.000001A672059000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2581966011.000001A67205A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2582267384.000001A67205A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2576738561.000001A67205A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2575225773.000001A672059000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: to is a trademark of Google.slnt
Source: classification engine | Classification label: mal100.spyw.evad.winEXE@59/1@1/2
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | File created: C:\Users\user\Desktop\spoofer-config.json
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5028:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5352:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3140:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6020:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6368:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5752:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6752:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7124:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3572:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6496:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3652:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5488:120:WilError_03
Source: C:\Windows\System32\cmd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "battle.net.exe")
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "agent.exe")
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "battle.net.exe")
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Process created: C:\Windows\System32\cmd.exe cmd /C sc stop bam
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop bam
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Process created: C:\Windows\System32\cmd.exe cmd /C SC CONFIG "bam" START= DISABLED
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe SC CONFIG "bam" START= DISABLED
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Process created: C:\Windows\System32\cmd.exe cmd /C fsutil behavior set DisableLastAccess 3
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\fsutil.exe fsutil behavior set DisableLastAccess 3
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /C powercfg /hibernate off
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /hibernate off
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /C powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /C powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /C powercfg /x -disk-timeout-ac 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -disk-timeout-ac 0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /C powercfg /x -disk-timeout-dc 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -disk-timeout-dc 0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /C powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /C powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Process created: C:\Windows\System32\w32tm.exe w32tm /resync
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM agent.exe
Source: C:\Windows\System32\w32tm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM battle.net.exe
Source: C:\Windows\System32\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Section loaded: tbs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Section loaded: slwga.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Section loaded: d2d1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Section loaded: mscms.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Section loaded: coloradapterclient.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Section loaded: icm32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exeSection loaded: uiautomationcore.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exeSection loaded: schannel.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exeSection loaded: icu.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\powercfg.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\w32tm.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\w32tm.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\System32\w32tm.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\w32tm.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\w32tm.exeSection loaded: ntdsapi.dllJump to behavior
Source: C:\Windows\System32\w32tm.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: framedynos.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: winsta.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: framedynos.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: winsta.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe | Static file information: File size 78622208 > 1048576
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe | Static PE information: Raw size of .~cc is bigger than: 0x100000 < 0x4af6c00
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: initial sample | Static PE information: section where entry point is pointing to: .~cc
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe | Static PE information: section name: .detourc
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe | Static PE information: section name: .detourd
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe | Static PE information: section name: .sysc
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe | Static PE information: section name: .&;O
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe | Static PE information: section name: .wQl
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe | Static PE information: section name: .~cc
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Code function: 0_2_000000760C1FF862 push ss; ret 0_2_000000760C1FF872
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Code function: 0_2_000000760C1FCA40 push eax; retf 0_2_000000760C1FCA41
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Code function: 0_2_000000760C1FCEA8 push eax; iretd 0_2_000000760C1FCEA9
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop bam

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced Start_TrackProgs
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Memory written: PID: 1848 base: 7FF8C8A5000D value: E9 BB CB EC FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Memory written: PID: 1848 base: 7FF8C891CBC0 value: E9 5A 34 13 00
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive WHERE InterfaceType<>'USB'
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter WHERE PhysicalAdapter=1 AND (AdapterTypeID=0 OR AdapterTypeID=9) AND NOT (ServiceName LIKE 'tap-%' OR ServiceName LIKE 'vmnet%' OR ServiceName LIKE 'vmware%' OR ServiceName LIKE 'virtual%' OR ServiceName LIKE 'vbox%' OR ServiceName LIKE 'WAN Miniport%' OR ServiceName LIKE 'kdnet%' OR ServiceName LIKE 'bluetooth%' OR ServiceName LIKE 'xbox%' OR PNPDeviceID LIKE '%BTH%' OR PNPDeviceID LIKE '%USB%' OR MACAddress LIKE '00:00%' OR MACAddress LIKE '00:FF%')
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | System information queried: FirmwareTableInformation
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4552121388.000001A671EC3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: *CFF EXPLORER.EXE*
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4552121388.000001A671EC3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: *CFF EXPLORER.EXE*T
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | RDTSC instruction interceptor: First address: 7FF68B35CE9F second address: 7FF68B35CEB7 instructions: 0x00000000 rdtsc 0x00000002 dec esp 0x00000003 mov dword ptr [esp+20h], ebp 0x00000007 lahf 0x00000008 dec eax 0x00000009 mov eax, dword ptr [esp+20h] 0x0000000d movzx edx, dx 0x00000010 mov dx, 950Ch 0x00000014 dec eax 0x00000015 mov dword ptr [ebp-18h], eax 0x00000018 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | RDTSC instruction interceptor: First address: 7FF68B35D258 second address: 7FF68B35D2A3 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 arpl di, dx 0x00000005 dec eax 0x00000006 mov eax, AA40D7AFh 0x0000000b call far BF0Fh : 4114B9BFh 0x00000012 retf 0x00000013 not dx 0x00000016 dec eax 0x00000017 mov dword ptr [esp+20h], eax 0x0000001b dec eax 0x0000001c mov eax, dword ptr [esp+20h] 0x00000020 inc cx 0x00000022 movzx ecx, ah 0x00000025 dec eax 0x00000026 mov dword ptr [ebp+30h], eax 0x00000029 dec eax 0x0000002a mov eax, 95C2F027h 0x0000002f call 00007FD54DA59F65h 0x00000034 mov dword ptr [esp+20h], eax 0x00000038 cwde 0x00000039 bswap dx 0x0000003c dec eax 0x0000003d mov eax, dword ptr [esp+20h] 0x00000041 dec eax 0x00000042 movzx ecx, cx 0x00000045 bswap ecx 0x00000047 dec eax 0x00000048 mov dword ptr [ebp+38h], eax 0x0000004b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | RDTSC instruction interceptor: First address: 7FF68B35D69A second address: 7FF68B35D6E3 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 mov dword ptr [esp+20h], ecx 0x00000007 dec eax 0x00000008 mov eax, dword ptr [esp+20h] 0x0000000c dec eax 0x0000000d mov dword ptr [ebp+00000088h], eax 0x00000013 dec eax 0x00000014 movsx eax, si 0x00000017 inc ecx 0x00000018 movsx edx, sp 0x0000001b dec eax 0x0000001c xchg eax, edx 0x0000001d dec eax 0x0000001e mov dword ptr [esp+20h], edi 0x00000022 dec eax 0x00000023 mov eax, dword ptr [esp+20h] 0x00000027 cwd 0x00000029 dec eax 0x0000002a movsx edx, cx 0x0000002d inc ax 0x0000002f movsx edx, ah 0x00000032 dec eax 0x00000033 mov dword ptr [ebp+00000F70h], eax 0x00000039 cwde 0x0000003a jmp 00007FD5050AEBCAh 0x0000003f dec eax 0x00000040 mov dword ptr [esp+20h], ecx 0x00000044 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | RDTSC instruction interceptor: First address: 7FF68B35D83E second address: 7FF68B35D8B6 instructions: 0x00000000 rdtsc 0x00000002 not dx 0x00000005 dec eax 0x00000006 mov eax, B444E9AFh 0x0000000b xchg eax, ecx 0x0000000c scasd 0x0000000d stosb 0x0000000e insb 0x0000000f dec eax 0x00000010 arpl bp, dx 0x00000012 cdq 0x00000013 jmp 00007FD505072345h 0x00000018 dec eax 0x00000019 mov dword ptr [esp+20h], eax 0x0000001d cwde 0x0000001e cdq 0x0000001f dec eax 0x00000020 mov eax, dword ptr [esp+20h] 0x00000024 dec eax 0x00000025 movsx ecx, sp 0x00000028 inc ecx 0x00000029 mov edx, edi 0x0000002b dec eax 0x0000002c mov dword ptr [ebp+000000A0h], eax 0x00000032 lahf 0x00000033 movsx eax, bp 0x00000036 dec eax 0x00000037 mov ecx, 95E8B362h 0x0000003c call 00007FD54DA59F65h 0x00000041 mov dword ptr [esp+20h], ecx 0x00000045 dec eax 0x00000046 cwde 0x00000047 mov dl, 92h 0x00000049 movsx eax, ax 0x0000004c dec eax 0x0000004d mov eax, dword ptr [esp+20h] 0x00000051 dec eax 0x00000052 mov dword ptr [ebp+000000A8h], eax 0x00000058 inc ecx 0x00000059 movsx edx, bx 0x0000005c dec eax 0x0000005d cdq 0x0000005e dec eax 0x0000005f mov eax, DA2D9E85h 0x00000064 cmc 0x00000065 int CDh 0x00000067 inc esi 0x00000068 dec ecx 0x00000069 movzx edx, cx 0x0000006c jmp 00007FD505072347h 0x00000071 dec eax 0x00000072 mov dword ptr [esp+20h], eax 0x00000076 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | RDTSC instruction interceptor: First address: 7FF68B35DA32 second address: 7FF68B35DAC2 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 mov eax, 9C6BDDAFh 0x00000008 aad 88h 0x0000000a mov ch, 36h 0x0000000c not dl 0x0000000e inc ax 0x00000010 movzx edx, ch 0x00000013 cwd 0x00000015 dec eax 0x00000016 mov dword ptr [esp+20h], eax 0x0000001a inc ax 0x0000001c movsx edx, bh 0x0000001f dec eax 0x00000020 mov eax, dword ptr [esp+20h] 0x00000024 dec ecx 0x00000025 arpl cx, dx 0x00000027 not dx 0x0000002a dec eax 0x0000002b mov dword ptr [ebp+00000410h], eax 0x00000031 dec eax 0x00000032 mov eax, F09ADC0Eh 0x00000037 call far D363h : 48E6190Eh 0x0000003e xchg dh, dl 0x00000040 dec eax 0x00000041 mov dword ptr [esp+20h], eax 0x00000045 dec eax 0x00000046 bswap eax 0x00000048 cbw 0x0000004a dec eax 0x0000004b mov eax, dword ptr [esp+20h] 0x0000004f dec eax 0x00000050 movzx ecx, bx 0x00000053 dec eax 0x00000054 mov dword ptr [ebp+00000418h], eax 0x0000005a dec eax 0x0000005b cdq 0x0000005c dec eax 0x0000005d mov ecx, ebp 0x0000005f not ax 0x00000062 dec eax 0x00000063 mov eax, 1562FC02h
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | RDTSC instruction interceptor: First address: 7FF68B35DAC2 second address: 7FF68B35DB36 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 xchg eax, edx 0x00000004 dec esp 0x00000005 mov dword ptr [esp+20h], esi 0x00000009 cwde 0x0000000a cbw 0x0000000c dec eax 0x0000000d mov eax, dword ptr [esp+20h] 0x00000011 jmp 00007FD50507234Bh 0x00000016 dec eax 0x00000017 mov dword ptr [ebp+00000428h], eax 0x0000001d cwde 0x0000001e dec eax 0x0000001f mov eax, DA2D9E85h 0x00000024 cmc 0x00000025 int CDh 0x00000027 inc esi 0x00000028 dec eax 0x00000029 movsx edx, di 0x0000002c inc ax 0x0000002e movsx ecx, bh 0x00000031 dec eax 0x00000032 cdq 0x00000033 dec eax 0x00000034 mov dword ptr [esp+20h], eax 0x00000038 mov ax, bp 0x0000003b dec eax 0x0000003c mov eax, dword ptr [esp+20h] 0x00000040 dec eax 0x00000041 mov dword ptr [ebp+00000F70h], eax 0x00000047 dec eax 0x00000048 mov eax, 95E8B362h 0x0000004d call 00007FD56BA59F65h 0x00000052 cdq 0x00000053 dec eax 0x00000054 mov dword ptr [esp+20h], eax 0x00000058 bswap ax 0x0000005b cdq 0x0000005c dec eax 0x0000005d mov eax, dword ptr [esp+20h] 0x00000061 cdq 0x00000062 dec eax 0x00000063 mov dword ptr [ebp+00000F78h], eax 0x00000069 dec esp 0x0000006a mov dword ptr [esp+20h], edi 0x0000006e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | RDTSC instruction interceptor: First address: 7FF68B35DD06 second address: 7FF68B35DD17 instructions: 0x00000000 rdtsc 0x00000002 inc cx 0x00000004 cmove edx, ebp 0x00000007 dec eax 0x00000008 mov ecx, 95E8B362h 0x0000000d call 00007FD514A967E5h
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | RDTSC instruction interceptor: First address: 7FF68B35DD17 second address: 7FF68B35DD4B instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 mov dword ptr [esp+20h], ecx 0x00000007 bswap ax 0x0000000a dec eax 0x0000000b mov eax, dword ptr [esp+20h] 0x0000000f dec eax 0x00000010 bswap edx 0x00000012 dec eax 0x00000013 mov dword ptr [ebp+000000D8h], eax 0x00000019 movsx dx, ch 0x0000001d inc ecx 0x0000001e movsx edx, bp 0x00000021 mov ah, FFFFFFA1h 0x00000024 dec eax 0x00000025 mov eax, DA2D9E85h 0x0000002a cmc 0x0000002b int CDh 0x0000002d inc esi 0x0000002e cdq 0x0000002f dec eax 0x00000030 mov dword ptr [esp+20h], eax 0x00000034 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | RDTSC instruction interceptor: First address: 7FF68B35E001 second address: 7FF68B35E032 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 mov dword ptr [esp+20h], edi 0x00000007 inc ecx 0x00000008 movzx ecx, si 0x0000000b mov cx, ax 0x0000000e dec eax 0x0000000f mov eax, dword ptr [esp+20h] 0x00000013 cmovns dx, bp 0x00000017 dec eax 0x00000018 mov dword ptr [ebp+00000F70h], eax 0x0000001e cbw 0x00000020 dec eax 0x00000021 mov eax, 95E8B362h 0x00000026 call 00007FD4B6A967E5h 0x0000002b or ecx, dword ptr [eax-77h] 0x0000002e inc esp 0x0000002f and al, 20h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | RDTSC instruction interceptor: First address: 7FF68B35E3BE second address: 7FF68B35E3F7 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 mov dword ptr [esp+20h], edi 0x00000007 jmp 00007FD50507234Ah 0x0000000c dec eax 0x0000000d mov eax, dword ptr [esp+20h] 0x00000011 dec eax 0x00000012 cdq 0x00000013 dec eax 0x00000014 mov dword ptr [ebp+00000F70h], eax 0x0000001a cdq 0x0000001b dec eax 0x0000001c mov eax, 95E8B362h 0x00000021 call 00007FD54EA59F65h 0x00000026 movsx ecx, dx 0x00000029 cwd 0x0000002b dec eax 0x0000002c cdq 0x0000002d dec eax 0x0000002e mov dword ptr [esp+20h], eax 0x00000032 dec eax 0x00000033 cwde 0x00000034 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | RDTSC instruction interceptor: First address: 7FF68B35EF7F second address: 7FF68B35EF98 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 mov eax, A944D2AFh 0x00000008 or dword ptr [ecx-6699F57Fh], 0F48D2F6h 0x00000012 mov bh, C8h 0x00000014 dec eax 0x00000015 mov dword ptr [esp+20h], eax 0x00000019 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | RDTSC instruction interceptor: First address: 7FF68B36010C second address: 7FF68B36014A instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 mov eax, B444C9AFh 0x00000008 xchg eax, ecx 0x00000009 mov byte ptr [BF0F35BAh], al 0x0000000e ror byte ptr [eax-77h], cl 0x00000011 inc esp 0x00000012 and al, 20h 0x00000014 dec ecx 0x00000015 arpl sp, cx 0x00000017 xchg cx, dx 0x0000001a dec eax 0x0000001b mov eax, dword ptr [esp+20h] 0x0000001f dec eax 0x00000020 movzx edx, ax 0x00000023 setnle ch 0x00000026 dec eax 0x00000027 mov dword ptr [ebp+00000490h], eax 0x0000002d xchg ax, dx 0x0000002f dec eax 0x00000030 mov eax, FB9AD629h 0x00000035 lea ecx, dword ptr [ecx+edi-1Ah] 0x00000039 dec eax 0x0000003a mov dword ptr [esp+20h], eax 0x0000003e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | RDTSC instruction interceptor: First address: 7FF68B36014A second address: 7FF68B360166 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 mov eax, dword ptr [esp+20h] 0x00000007 mov cx, C1B2h 0x0000000b dec ecx 0x0000000c arpl cx, cx 0x0000000e dec eax 0x0000000f cdq 0x00000010 dec eax 0x00000011 mov dword ptr [ebp+00000498h], eax 0x00000017 inc cx 0x00000019 movzx eax, dh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | RDTSC instruction interceptor: First address: 7FF68B360166 second address: 7FF68B36019F instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 mov eax, 670DBA17h 0x00000008 jmp far CA0Fh : 662AFB2Dh 0x0000000f inc ax 0x00000011 movsx edx, ch 0x00000014 dec eax 0x00000015 mov dword ptr [esp+20h], eax 0x00000019 movsx eax, si 0x0000001c dec eax 0x0000001d mov eax, dword ptr [esp+20h] 0x00000021 dec eax 0x00000022 mov dword ptr [ebp+000004A0h], eax 0x00000028 dec ecx 0x00000029 movzx ecx, bp 0x0000002c dec eax 0x0000002d mov ecx, A2FD518Ch 0x00000032 add ah, ch 0x00000034 dec esp 0x00000035 jo 00007FD50507238Bh 0x00000037 arpl bp, ax 0x00000039 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | RDTSC instruction interceptor: First address: 7FF68B36019F second address: 7FF68B3601AC instructions: 0x00000000 rdtsc 0x00000002 mov dh, bl 0x00000004 dec eax 0x00000005 mov dword ptr [esp+20h], ecx 0x00000009 not dh 0x0000000b cwd 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | RDTSC instruction interceptor: First address: 7FF68B36099C second address: 7FF68B360A22 instructions: 0x00000000 rdtsc 0x00000002 movsx eax, si 0x00000005 dec eax 0x00000006 mov eax, F689FB42h 0x0000000b add dword ptr [ebp+0Eh], FFFFFFB4h 0x0000000f inc ebp 0x00000010 movzx esp, dx 0x00000013 dec eax 0x00000014 movzx ecx, ax 0x00000017 jmp 00007FD505072345h 0x0000001c dec eax 0x0000001d mov dword ptr [esp+20h], eax 0x00000021 inc ecx 0x00000022 mov dl, cl 0x00000024 dec eax 0x00000025 mov eax, dword ptr [esp+20h] 0x00000029 not edx 0x0000002b inc esp 0x0000002c xchg cl, ah 0x0000002e dec ecx 0x0000002f bswap esp 0x00000031 dec eax 0x00000032 mov dword ptr [ebp+000004D8h], eax 0x00000038 movzx ecx, bp 0x0000003b dec eax 0x0000003c mov dword ptr [esp+20h], edi 0x00000040 dec eax 0x00000041 movsx eax, si 0x00000044 dec eax 0x00000045 mov eax, dword ptr [esp+20h] 0x00000049 mov cl, ch 0x0000004b dec eax 0x0000004c mov dword ptr [ebp+000004E0h], eax 0x00000052 dec ecx 0x00000053 not esp 0x00000055 dec esp 0x00000056 mov dword ptr [esp+20h], ebp 0x0000005a setne ch 0x0000005d dec eax 0x0000005e mov eax, dword ptr [esp+20h] 0x00000062 movsx ecx, sp 0x00000065 dec eax 0x00000066 mov dword ptr [ebp+000004E8h], eax 0x0000006c inc ecx 0x0000006d cmovb edx, ecx 0x00000070 inc ecx 0x00000071 mov esp, C20656B2h 0x00000076 dec eax 0x00000077 cwde 0x00000078 dec ecx 0x00000079 mov esp, DA2D9E85h 0x0000007e cmc 0x0000007f int CDh 0x00000081 inc esi 0x00000082 cmovnbe ax, ax 0x00000086 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | RDTSC instruction interceptor: First address: 7FF68B36130B second address: 7FF68B36135D instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 mov eax, dword ptr [esp+20h] 0x00000007 dec eax 0x00000008 movsx ecx, si 0x0000000b dec eax 0x0000000c mov dword ptr [ebp+000004F8h], eax 0x00000012 setl ah 0x00000015 dec esp 0x00000016 mov dword ptr [esp+20h], esi 0x0000001a dec eax 0x0000001b mov eax, dword ptr [esp+20h] 0x0000001f cdq 0x00000020 cwd 0x00000022 xchg dx, cx 0x00000025 dec eax 0x00000026 mov dword ptr [ebp+00000500h], eax 0x0000002c cbw 0x0000002e dec esp 0x0000002f mov dword ptr [esp+20h], ebp 0x00000033 jmp 00007FD5050AEBC8h 0x00000038 dec eax 0x00000039 mov eax, dword ptr [esp+20h] 0x0000003d dec ecx 0x0000003e movsx edx, di 0x00000041 dec eax 0x00000042 mov dword ptr [ebp+00000508h], eax 0x00000048 mov eax, 7924AFB0h 0x0000004d cwd 0x0000004f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | RDTSC instruction interceptor: First address: 7FF68B361B9B second address: 7FF68B361BB9 instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 mov ecx, ecx 0x00000005 dec eax 0x00000006 mov eax, dword ptr [esp+20h] 0x0000000a jmp 00007FD505072349h 0x0000000f dec eax 0x00000010 mov dword ptr [ebp-78h], eax 0x00000013 dec esp 0x00000014 mov dword ptr [esp+20h], ebp 0x00000018 cwd 0x0000001a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | RDTSC instruction interceptor: First address: 7FF68B3620E3 second address: 7FF68B36211D instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 cwde 0x00000004 dec eax 0x00000005 mov eax, A943FAAFh 0x0000000a test dword ptr [edi-3075BEBAh], esi 0x00000011 cdq 0x00000012 dec eax 0x00000013 mov dword ptr [esp+20h], eax 0x00000017 cbw 0x00000019 movsx eax, dx 0x0000001c dec eax 0x0000001d mov eax, dword ptr [esp+20h] 0x00000021 dec eax 0x00000022 movzx ecx, di 0x00000025 inc cx 0x00000027 movsx ecx, bl 0x0000002a dec ecx 0x0000002b movsx edx, dx 0x0000002e dec eax 0x0000002f mov dword ptr [ebp-30h], eax 0x00000032 dec eax 0x00000033 cwde 0x00000034 cdq 0x00000035 dec esp 0x00000036 mov dword ptr [esp+20h], edi 0x0000003a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | RDTSC instruction interceptor: First address: 7FF68B363F56 second address: 7FF68B363F8B instructions: 0x00000000 rdtsc 0x00000002 mov edx, 8127D714h 0x00000007 cwd 0x00000009 dec eax 0x0000000a mov eax, dword ptr [esp+20h] 0x0000000e inc ecx 0x0000000f movsx ecx, bx 0x00000012 dec eax 0x00000013 mov dword ptr [ebp+00000160h], eax 0x00000019 inc ebp 0x0000001a movzx esi, si 0x0000001d dec ecx 0x0000001e mov esi, 95C28754h 0x00000023 call 00007FD54DA59F65h 0x00000028 cwde 0x00000029 mov dh, FFFFFF8Eh 0x0000002c dec ecx 0x0000002d movzx ecx, di 0x00000030 dec esp 0x00000031 mov dword ptr [esp+20h], esi 0x00000035 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | RDTSC instruction interceptor: First address: 7FF68B364400 second address: 7FF68B364433 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 cdq 0x00000004 cwd 0x00000006 dec eax 0x00000007 mov dword ptr [esp+20h], esi 0x0000000b dec eax 0x0000000c movsx ecx, bx 0x0000000f mov ax, cx 0x00000012 dec eax 0x00000013 mov eax, dword ptr [esp+20h] 0x00000017 cdq 0x00000018 dec eax 0x00000019 mov dword ptr [ebp+000001B8h], eax 0x0000001f dec esp 0x00000020 mov dword ptr [esp+20h], esp 0x00000024 lahf 0x00000025 xchg ah, dh 0x00000027 dec eax 0x00000028 mov eax, dword ptr [esp+20h] 0x0000002c dec eax 0x0000002d mov dword ptr [ebp+00000F40h], eax 0x00000033 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | RDTSC instruction interceptor: First address: 7FF68B364AFB second address: 7FF68B364B06 instructions: 0x00000000 rdtsc 0x00000002 dec esp 0x00000003 mov dword ptr [esp+20h], edi 0x00000007 inc ecx 0x00000008 setle ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | RDTSC instruction interceptor: First address: 7FF68B365164 second address: 7FF68B365174 instructions: 0x00000000 rdtsc 0x00000002 dec ecx 0x00000003 movsx ecx, cx 0x00000006 dec eax 0x00000007 mov edi, 95E8B362h 0x0000000c call 00007FD514A967E5h
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | RDTSC instruction interceptor: First address: 7FF68B36544F second address: 7FF68B3654C7 instructions: 0x00000000 rdtsc 0x00000002 not ah 0x00000004 dec eax 0x00000005 mov eax, A954CDAFh 0x0000000a pushfd 0x0000000b mov dword ptr [0F4823B9h], eax 0x00000010 mov bh, CAh 0x00000012 dec eax 0x00000013 mov dword ptr [esp+20h], eax 0x00000017 dec eax 0x00000018 mov eax, dword ptr [esp+20h] 0x0000001c cdq 0x0000001d dec eax 0x0000001e mov dword ptr [ebp+00000250h], eax 0x00000024 dec ecx 0x00000025 arpl sp, dx 0x00000027 dec ecx 0x00000028 movzx eax, bx 0x0000002b movsx eax, di 0x0000002e dec eax 0x0000002f mov eax, F989DD10h 0x00000034 wait 0x00000035 or bh, byte ptr [esi+ebx*4+48h] 0x00000039 mov dword ptr [esp+20h], eax 0x0000003d inc ecx 0x0000003e mov edx, edi 0x00000040 dec eax 0x00000041 mov eax, dword ptr [esp+20h] 0x00000045 dec ecx 0x00000046 arpl bx, dx 0x00000048 dec eax 0x00000049 mov dword ptr [ebp+00000258h], eax 0x0000004f lahf 0x00000050 xchg ch, al 0x00000052 jmp 00007FD505072345h 0x00000057 dec esp 0x00000058 mov dword ptr [esp+20h], ebp 0x0000005c bswap ax 0x0000005f cwd 0x00000061 dec eax 0x00000062 movsx ecx, bx 0x00000065 dec eax 0x00000066 mov eax, dword ptr [esp+20h] 0x0000006a dec eax 0x0000006b mov dword ptr [ebp+00000F40h], eax 0x00000071 dec eax 0x00000072 movzx edx, si 0x00000075 movzx ecx, si 0x00000078 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exeRDTSC instruction interceptor: First address: 7FF68B365EC3 second address: 7FF68B365F78 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 mov eax, B748F3AFh
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exeRDTSC instruction interceptor: First address: 7FF68B28AEEA second address: 7FF68B28AF5D instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 mov dword ptr [esp+40h], esi 0x00000007 dec eax 0x00000008 mov eax, dword ptr [esp+40h] 0x0000000c movsx ecx, si 0x0000000f inc ebp 0x00000010 xchg ecx, ecx 0x00000012 jmp 00007FD505072345h 0x00000017 dec eax 0x00000018 mov dword ptr [ebp+18h], eax 0x0000001b inc esp 0x0000001c mov ecx, ebp 0x0000001e inc cx 0x00000020 nop 0x00000021 dec eax 0x00000022 mov dword ptr [esp+40h], edi 0x00000026 movsx eax, si 0x00000029 inc cx 0x0000002b bswap eax 0x0000002d dec eax 0x0000002e mov eax, dword ptr [esp+40h] 0x00000032 inc sp 0x00000034 mov eax, edx 0x00000036 dec ebp 0x00000037 movzx ecx, sp 0x0000003a dec eax 0x0000003b mov dword ptr [ebp+20h], eax 0x0000003e dec ecx 0x0000003f mov ecx, 3E1ADC8Bh 0x00000045 cbw 0x00000047 dec esp 0x00000048 arpl bp, ax 0x0000004a dec eax 0x0000004b mov dword ptr [esp+40h], ebx 0x0000004f dec eax 0x00000050 movzx edx, cx 0x00000053 inc ecx 0x00000054 not cl 0x00000056 dec eax 0x00000057 cdq 0x00000058 dec eax 0x00000059 mov eax, dword ptr [esp+40h] 0x0000005d dec eax 0x0000005e mov dword ptr [ebp+28h], eax 0x00000061 inc ax 0x00000063 movsx eax, ch 0x00000066 dec eax 0x00000067 arpl bx, ax 0x00000069 movdqa xmm0, dqword ptr [esp+50h] 0x0000006f xorps xmm0, dqword ptr [ebp+00h] 0x00000073 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exeRDTSC instruction interceptor: First address: 7FF68B28AF5D second address: 7FF68B28AF9D instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 sete cl 0x00000006 movdqa dqword ptr [esp+50h], xmm0 0x0000000c cdq 0x0000000d movdqa xmm1, dqword ptr [esp+60h] 0x00000013 dec eax 0x00000014 movzx ecx, di 0x00000017 dec ecx 0x00000018 movsx edx, cx 0x0000001b jmp 00007FD5050AEBC5h 0x00000020 xorps xmm1, dqword ptr [ebp+10h] 0x00000024 movsx edx, sp 0x00000027 xchg dh, cl 0x00000029 movdqa dqword ptr [esp+60h], xmm1 0x0000002f inc ecx 0x00000030 mov dl, al 0x00000032 lahf 0x00000033 movdqa xmm0, dqword ptr [esp+70h] 0x00000039 dec esp 0x0000003a arpl bp, cx 0x0000003c xorps xmm0, dqword ptr [ebp+20h] 0x00000040 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exeRDTSC instruction interceptor: First address: 7FF68B28D79A second address: 7FF68B28D7D0 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 mov eax, dword ptr [ebp-79h] 0x00000006 inc cx 0x00000008 movzx edx, bl 0x0000000b dec eax 0x0000000c mov dword ptr [ebp-09h], eax 0x0000000f dec eax 0x00000010 mov eax, A4E952DAh 0x00000015 inc ebx 0x00000017 add al, 3Dh 0x00000019 dec eax 0x0000001a mov dword ptr [ebp-79h], eax 0x0000001d movsx edx, bp 0x00000020 inc esp 0x00000021 xchg al, al 0x00000023 dec eax 0x00000024 mov eax, dword ptr [ebp-79h] 0x00000027 dec eax 0x00000028 cdq 0x00000029 inc sp 0x0000002b cmovnle eax, ebp 0x0000002e dec eax 0x0000002f movzx edx, cx 0x00000032 dec eax 0x00000033 mov dword ptr [ebp-01h], eax 0x00000036 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Special instruction interceptor: First address: 7FF68E96C1B9 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Special instruction interceptor: First address: 7FF68E96C1FB instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Window / User API: threadDelayed 1089
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Window / User API: threadDelayed 655
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Window / User API: threadDelayed 1003
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Window / User API: threadDelayed 1144
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Window / User API: threadDelayed 690
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Window / User API: threadDelayed 589
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Window / User API: threadDelayed 1449
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Window / User API: windowPlacementGot 470
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Window / User API: windowPlacementGot 472
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe TID: 6004 | Thread sleep time: -32500s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4550427979.000001A66FBA9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4552121388.000001A671E1F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4552121388.000001A671E1F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWt:
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe | Binary or memory string: "Ovmci
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Handle closed: DEADC0DE
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Process queried: DebugFlags
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | NtProtectVirtualMemory: Direct from: 0x7FF68B8CA37D
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | NtProtectVirtualMemory: Direct from: 0x7FF68C3CDBFB
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | NtProtectVirtualMemory: Direct from: 0x7FF68B90BA51
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | NtQueryInformationProcess: Direct from: 0x7FF68C3CB5E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | NtProtectVirtualMemory: Direct from: 0x7FF68B8F8453
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | NtSetInformationThread: Direct from: 0x7FF68E1A0834
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | NtQuerySystemInformation: Direct from: 0x7FF68E9643C2
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | NtProtectVirtualMemory: Direct from: 0x7FF68B8FA464
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | NtProtectVirtualMemory: Direct from: 0x7FF68B91184D
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | NtSetInformationThread: Direct from: 0x7FF68C3F02E5
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | NtQuerySystemInformation: Direct from: 0x7FF68B90832B
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | NtProtectVirtualMemory: Direct from: 0x7FF68C3F0B87
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | NtQueryInformationProcess: Direct from: 0x7FF68C3E30E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | NtQueryInformationProcess: Direct from: 0x7FF68C3BAAD1
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | NtQuerySystemInformation: Direct from: 0x7FF68C3D5E1E
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | NtSetInformationThread: Direct from: 0x7FF6895DBCEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | NtClose: Indirect: 0x7FF68E96C1B3
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | NtProtectVirtualMemory: Direct from: 0x7FF68B903050
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | NtQuerySystemInformation: Direct from: 0x7FF68E964AE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | NtQueryInformationProcess: Direct from: 0x7FF68B90FAF6
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | NtProtectVirtualMemory: Direct from: 0x7FF68C3DD36D
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | NtQueryInformationProcess: Direct from: 0x7FF68C3C8BE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | NtSetInformationProcess: Direct from: 0x7FF68C3EC854
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | NtQuerySystemInformation: Direct from: 0x7FF68B908B97
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop bam
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe SC CONFIG "bam" START= DISABLED
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\fsutil.exe fsutil behavior set DisableLastAccess 3
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /hibernate off
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -disk-timeout-ac 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -disk-timeout-dc 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM agent.exe
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4553170862.000001A6742ED000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4553170862.000001A6742ED000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerchromee

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
MITRE ATT&CK Matrix

Columns are the ATT&CK tactics; each row lists one technique per tactic. A leading number is the report's count for that matched technique, kept as given.

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 21 Windows Management Instrumentation | 1 Windows Service | 1 Windows Service | 1 Masquerading | 1 Credential API Hooking | 811 Security Software Discovery | Remote Services | 1 Credential API Hooking | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Service Execution | 1 DLL Side-Loading | 12 Process Injection | 1 Disable or Modify Tools | LSASS Memory | 42 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Abuse Elevation Control Mechanism | 42 Virtualization/Sandbox Evasion | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 12 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Hidden Files and Directories | LSA Secrets | 33 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Abuse Elevation Control Mechanism | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1543470
Sample: SecuriteInfo.com.FileRepMal...
Start date: 27/10/2024
Architecture: WINDOWS
Score: 100

Node 2 (Start)
  DNS/IP: reported.lol
  Signatures: Antivirus / Scanner detection for submitted sample; PE file contains section with special chars; AI detected suspicious sample
  Started: 8 SecuriteInfo.com.FileRepMalware.12585.5759.exe 1 1
Node 8 (SecuriteInfo.com.FileRepMalware.12585.5759.exe)
  DNS/IP: reported.lol 57.129.0.22, 443, 49866 ATGS-MMD-ASUS Belgium; 127.0.0.1 unknown unknown
  Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Query firmware table information (likely to detect VMs); 8 other signatures
  Started: 12 cmd.exe 1; 15 cmd.exe 1; 17 cmd.exe 1; 19 (10 other processes)
Node 12 (cmd.exe)
  Signatures: Uses powercfg.exe to modify the power settings; Modifies power options to not sleep / hibernate
  Started: 35 (2 other processes)
Node 15 (cmd.exe)
  Started: 21 conhost.exe; 23 powercfg.exe 1
Node 17 (cmd.exe)
  Started: 25 conhost.exe; 27 powercfg.exe 1
Node 19 (10 other processes)
  Started: 29 conhost.exe; 31 conhost.exe; 33 conhost.exe; 37 (14 other processes)

Antivirus Detection

Source | Detection | Scanner | Label | Link
SecuriteInfo.com.FileRepMalware.12585.5759.exe | 8% | ReversingLabs | |
SecuriteInfo.com.FileRepMalware.12585.5759.exe | 100% | Avira | HEUR/AGEN.1308593 |
No Antivirus matches
Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
reported.lol | 57.129.0.22 | true | false | | unknown
URLs

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2582039404.000001A67205A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.apache.org/licenses/LICENSE-2.0us | SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2582119199.000001A67205A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2581966011.000001A67205A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2582267384.000001A67205A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2581850626.000001A67205A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2582039404.000001A67205A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://reported.lol/#pricing | SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4552121388.000001A671EC3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4553170862.000001A674342000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://reported.lol/troubleshooting/#usage | SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4552121388.000001A671EC3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4553170862.000001A674342000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.apache.org/licenses/LICENSE-2.0eserved. | SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2575723651.000001A672059000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://google.com/e/up-d | SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4553170862.000001A674342000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://yahoo.com/ | SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4553170862.000001A674342000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.apache.org/licenses/LICENSE-2.0RobotoThin | SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2565914201.000001A6745A8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2566337593.000001A674501000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://google.com/ | SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4553170862.000001A674342000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.apache.org/licenses/LICENSE-2.0v | SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2575301669.000001A672059000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://yahoo.com/ve/u | SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4553170862.000001A674342000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://reported.lol/spf.exe9 | SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4552121388.000001A671D08000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.apache.org/licenses/LICENSE-2.0RobotoMedium | SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2576260212.000001A67481A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://reported.lol/version.txt | SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4550427979.000001A66FBA9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4552121388.000001A671D08000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://reported.lol/discord | SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4553170862.000001A674342000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://reported.lol/spf.exe | SecuriteInfo.com.FileRepMalware.12585.5759.exe, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4550183597.000000760C1F4000.00000004.00000010.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4550427979.000001A66FBA9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4552121388.000001A671D08000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://reported.lol/version.txtw | SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4552121388.000001A671D08000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://reported.lol/spf.exep | SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4550427979.000001A66FBA9000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.apache.org/licenses/LICENSE-2.0ved. | SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2575256547.000001A672059000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://reported.lol/spf.exen | SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4550427979.000001A66FBA9000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://reported.lol/spf.exes# | SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4550183597.000000760C1F4000.00000004.00000010.00020000.00000000.sdmp | false | | unknown
https://reported.lol/version.txt. | SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4550427979.000001A66FBA9000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.apache.org/licenses/LICENSE-2.0ved..0 | SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2575225773.000001A672059000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2575256547.000001A672059000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://aka.ms/vs/16/release/vc_redist.x64.exe | SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4552121388.000001A671D08000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4553170862.000001A674342000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.apache.org/licenses/LICENSE-2.0RobotoLight | SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2575123868.000001A674555000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2576104094.000001A6745D2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000002.4553170862.000001A674342000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2575191082.000001A6746F4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2575503275.000001A6746F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2567011110.000001A67445A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2566337593.000001A674501000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.apache.org/licenses/LICENSE-2.0en-us | SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2569629019.000001A67205A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.12585.5759.exe, 00000000.00000003.2575225773.000001A672059000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
Contacted IPs

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
57.129.0.22 | reported.lol | Belgium | | 2686 | ATGS-MMD-ASUS | false

Private IP
127.0.0.1
General Information

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1543470
Start date and time: 2024-10-27 23:27:19 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 13s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 42
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.FileRepMalware.12585.5759.exe
Detection: MAL
Classification: mal100.spyw.evad.winEXE@59/1@1/2
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Override analysis time to 240s for sample files taking high CPU consumption
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target SecuriteInfo.com.FileRepMalware.12585.5759.exe, PID 1848 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                        • Report size getting too big, too many NtEnumerateKey calls found.
                                                        • Report size getting too big, too many NtEnumerateValueKey calls found.
                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                        • VT rate limit hit for: SecuriteInfo.com.FileRepMalware.12585.5759.exe
Time      Type             Description
18:29:15  API Interceptor  75209x Sleep call for process: SecuriteInfo.com.FileRepMalware.12585.5759.exe modified
Match        Associated Sample Name / URL  SHA 256   Detection  Threat Name  Link    Context
57.129.0.22  sky_spf.exe                   Get hash  malicious  Unknown      Browse

Match         Associated Sample Name / URL  SHA 256   Detection  Threat Name  Link    Context
reported.lol  sky_spf.exe                   Get hash  malicious  Unknown      Browse  57.129.0.22

Match          Associated Sample Name / URL  SHA 256   Detection  Threat Name         Link    Context
ATGS-MMD-ASUS  file.exe                      Get hash  malicious  Credential Flusher  Browse  34.160.144.191
               file.exe                      Get hash  malicious  Credential Flusher  Browse  34.160.144.191
               boatnet.ppc.elf               Get hash  malicious  Mirai               Browse  57.192.26.160
               file.exe                      Get hash  malicious  Credential Flusher  Browse  34.160.144.191
               file.exe                      Get hash  malicious  Credential Flusher  Browse  34.160.144.191
               file.exe                      Get hash  malicious  Credential Flusher  Browse  34.160.144.191
               file.exe                      Get hash  malicious  Credential Flusher  Browse  34.160.144.191
               file.exe                      Get hash  malicious  Credential Flusher  Browse  34.160.144.191
               file.exe                      Get hash  malicious  Credential Flusher  Browse  34.160.144.191
               file.exe                      Get hash  malicious  Credential Flusher  Browse  34.160.144.191

Match                             Associated Sample Name / URL                                   SHA 256   Detection  Threat Name    Link    Context
bd0bf25947d4a37404f0424edf4db9ad  SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe      Get hash  malicious  Unknown        Browse  57.129.0.22
                                  SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe      Get hash  malicious  Unknown        Browse  57.129.0.22
                                  sadfwqefrqw3f.exe                                              Get hash  malicious  Unknown        Browse  57.129.0.22
                                  SecuriteInfo.com.Win64.Evo-gen.20107.17462.exe                 Get hash  malicious  Unknown        Browse  57.129.0.22
                                  SecuriteInfo.com.FileRepMalware.12025.7543.exe                 Get hash  malicious  Unknown        Browse  57.129.0.22
                                  SecuriteInfo.com.Heuristic.HEUR.AGEN.1319832.32667.20795.exe   Get hash  malicious  Unknown        Browse  57.129.0.22
                                  ActSet.ps1                                                     Get hash  malicious  Fredy Stealer  Browse  57.129.0.22
                                  ActSet.ps1                                                     Get hash  malicious  Fredy Stealer  Browse  57.129.0.22
                                  SecuriteInfo.com.Win32.CrypterX-gen.13288.14467.dll            Get hash  malicious  Unknown        Browse  57.129.0.22
                                  SecuriteInfo.com.Win32.CrypterX-gen.13288.14467.dll            Get hash  malicious  Unknown        Browse  57.129.0.22
                                                          No context
                                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe
                                                          File Type:JSON data
                                                          Category:modified
                                                          Size (bytes):1319
                                                          Entropy (8bit):4.122172680340367
                                                          Encrypted:false
                                                          SSDEEP:24:1YdYyAmQKep0DA5J+RZFEzHhZ3R0bLnOhwdvimfKUIyrsCcHcF1BnSb4JTFQpt:qY1EM5JuZAHr3uLnNzfKUZsDc9Sb47y
                                                          MD5:80E28B2FC4BBDB175D82B71AD6CC48DD
                                                          SHA1:BDECF5C3C675C58A568BF0E0BC7F390DEF0B070C
                                                          SHA-256:E8244991B95B32426B940558FB6C8F21911A7D00AD4CC3C9BBC214AB80A74568
                                                          SHA-512:E70459319B04C348C6C11977CCF01A0B5DA473533EF1CB336ECAF3167E4D25C5A5C9B482F5FE65FB13AB44F925DFD4830CF6F1A4F8CFDDAEF4DBE3DE85F00014
                                                          Malicious:false
Preview:{.. "data1": "ed61c2990cbc8609ed76b9487994fff4",.. "data2": "
                                                          File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                          Entropy (8bit):7.859384921014576
                                                          TrID:
                                                          • Win64 Executable GUI (202006/5) 92.65%
                                                          • Win64 Executable (generic) (12005/4) 5.51%
                                                          • Generic Win/DOS Executable (2004/3) 0.92%
                                                          • DOS Executable Generic (2002/1) 0.92%
                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                          File name:SecuriteInfo.com.FileRepMalware.12585.5759.exe
                                                          File size:78'622'208 bytes
                                                          MD5:3bc5f7f06970652d8366435fc582243e
                                                          SHA1:98d7dee8de0e304695f91f90c0f81ab8b0f49eed
                                                          SHA256:a28656f4c0dfba2848fd7840e2cf02cb9013bfa64431c18c94abe0c19f88754f
                                                          SHA512:6290ad458c69102c5a40e6415f700392f9eb73edb9cf162e95da790d53cbf0ce2d40fea196a84b45ff09fea1949a7dde94b640d3f53d7ccac200f659055d4b5c
                                                          SSDEEP:1572864:als6ItVd8EhBmV/lpeDkdln4+6xvEJz3+08syToiBj:cxEba/Fln4+6W3w
                                                          TLSH:7808339A69E6B1D4D4CF4540A6CA328F51C1915D9ECE481C3AFF2C022F30DEB9789A77
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......g.........."....).....2|................@.............................`e...........`................................
                                                          Icon Hash:c41818c0c41b1b24
                                                          Entrypoint:0x1450dc68a
                                                          Entrypoint Section:.~cc
                                                          Digitally signed:false
                                                          Imagebase:0x140000000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x67138F0D [Sat Oct 19 10:50:53 2024 UTC]
                                                          TLS Callbacks:0x450d675d, 0x1, 0x40860e34, 0x1, 0x40860cf0, 0x1
                                                          CLR (.Net) Version:
                                                          OS Version Major:6
                                                          OS Version Minor:0
                                                          File Version Major:6
                                                          File Version Minor:0
                                                          Subsystem Version Major:6
                                                          Subsystem Version Minor:0
                                                          Import Hash:dc6f539bfc16be4aba572923dbbf16af
                                                          Instruction
                                                          push ebx
                                                          call 00007FD507075076h
                                                          mov al, 20h
                                                          push cs
                                                          add eax, 00000005h
                                                          lock xor byte ptr [ebp+05h], dh
                                                          add byte ptr [eax], dl
                                                          add byte ptr [eax], al
                                                          dec eax
                                                          xor dh, byte ptr [esi-512FFFFCh]
                                                          add al, al
                                                          xchg eax, edi
                                                          cwde
                                                          pop es
                                                          add byte ptr [eax+5Bh], al
                                                          add ecx, esp
                                                          xchg eax, ecx
                                                          or eax, 22800008h
                                                          add bh, byte ptr [eax+45h]
                                                          or eax, 28A00008h
                                                          add bh, byte ptr [ecx]
                                                          sub eax, D000050Fh
                                                          sub byte ptr [edx], al
                                                          push edx
                                                          xor ecx, dword ptr [28E00008h]
                                                          add dh, cl
                                                          mov ebp, 28F00005h
                                                          add bh, byte ptr [edx+0FFD7329h]
                                                          push edi
                                                          push ebp
                                                          loope 00007FD5047CFBD5h
                                                          mov edx, E105071Fh
                                                          mov edx, E1A5A787h
                                                          mov edx, E11D1F2Fh
                                                          mov edx, E13537CFh
                                                          mov edx, E15D5FEFh
                                                          mov edx, E1CDCF5Fh
                                                          mov edx, 4BC8AFA7h
                                                          aam FAh
                                                          rcr edx, 48h
                                                          insd
                                                          mov edx, 0AEFA7DBh
                                                          nop
                                                          jp 00007FD5047CFB65h
                                                          sbb al, F2h
                                                          sub ch, bl
                                                          sub ch, dl
                                                          mov esp, BA7A3DD1h
                                                          mov esp, AFE0920Bh
                                                          xor dh, al
                                                          cdq
                                                          jecxz 00007FD5047CFC22h
                                                          sub dword ptr [edx-22h], edx
                                                          add eax, F2208E49h
                                                          pop ebp
                                                          lahf
                                                          fdivr dword ptr [esi+eax*8-07h]
                                                          jo 00007FD5047CFB86h
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x50ed228        0x280         .~cc
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x9651000        0x32a7        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x95eb430        0x655f8       .~cc
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x9655000        0x100         .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x50e8de0        0x28          .~cc
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x95eb2f0        0x140         .~cc
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x4b59000        0x1f0         .wQl
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name      Virtual Address  Virtual Size  Raw Size   MD5                               Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
.text     0x1000           0xaebb5e      0x0        d41d8cd98f00b204e9800998ecf8427e  unknown   unknown              unknown    unknown             IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata    0xaed000         0xac6c2e      0x0        d41d8cd98f00b204e9800998ecf8427e  unknown   unknown              unknown    unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data     0x15b4000        0xc73704      0x0        d41d8cd98f00b204e9800998ecf8427e  unknown   unknown              unknown    unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata    0x2228000        0x615e4       0x0        d41d8cd98f00b204e9800998ecf8427e  False     0                    empty      0.0                 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.detourc  0x228a000        0x21c0        0x0        d41d8cd98f00b204e9800998ecf8427e  False     0                    empty      0.0                 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.detourd  0x228d000        0x18          0x0        d41d8cd98f00b204e9800998ecf8427e  False     0                    empty      0.0                 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.sysc     0x228e000        0x68          0x0        d41d8cd98f00b204e9800998ecf8427e  False     0                    empty      0.0                 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.&;O      0x228f000        0x28c9d59     0x0        d41d8cd98f00b204e9800998ecf8427e  unknown   unknown              unknown    unknown             IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.wQl      0x4b59000        0x680         0x800      8f4b13a3d820473b9ab07b4bfabcf9e9  False     0.0947265625         data       0.7070679107324156  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.~cc      0x4b5a000        0x4af6a28     0x4af6c00  d645f62c55f7792d5b4827e4a6255b22  unknown   unknown              unknown    unknown             IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc     0x9651000        0x32a7        0x3400     1b96ff4ce334b126821048f710e629db  False     0.10321514423076923  data       3.573707486004657   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc    0x9655000        0x100         0x200      e946cefc52b2bf0b6a4f2e7a007e5ad7  False     0.3984375            data       2.678923298336324   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA        Size    Type                                                                                                            Language  Country        ZLIB Complexity
RT_ICON        0x9651130  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 9600, resolution 2835 x 2835 px/m                  English   United States  0.023858921161825725
RT_GROUP_ICON  0x96536d8  0x14    data                                                                                                            English   United States  1.15
RT_VERSION     0x96536f0  0x258   data                                                                                                            English   United States  0.49666666666666665
RT_MANIFEST    0x9653948  0x95f   XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (2339), with CRLF line terminators  English   United States  0.3034597749062109
DLL           Import
SHELL32.dll   SHGetFileInfoW
ADVAPI32.dll  LookupAccountNameW
ole32.dll     CreateStreamOnHGlobal
OLEAUT32.dll  SafeArrayUnaccessData
COMDLG32.dll  PrintDlgW
WININET.dll   InternetSetOptionW
WS2_32.dll    WSASocketW
ntdll.dll     RtlUnwindEx
KERNEL32.dll  GetVersionExW
USER32.dll    RegisterHotKey
GDI32.dll     CreateCompatibleBitmap
WINSPOOL.DRV
SHLWAPI.dll   PathFileExistsW
IPHLPAPI.DLL  GetTcpTable
USERENV.dll   GetUserProfileDirectoryW
WINMM.dll     timeSetEvent
OLEACC.dll    AccessibleObjectFromWindow
COMCTL32.dll  ImageList_GetIconSize
IMM32.dll     ImmSetCandidateWindow
USP10.dll     ScriptApplyDigitSubstitution
bcrypt.dll    BCryptCloseAlgorithmProvider
gdiplus.dll   GdipAlloc
tbs.dll       Tbsi_Context_Create
NETAPI32.dll  NetUserAdd
RPCRT4.dll    UuidFromStringA
SETUPAPI.dll  CM_Get_DevNode_Status
SLWGA.dll     SLIsGenuineLocal
Secur32.dll   LsaFreeReturnBuffer
CRYPT32.dll   CertDuplicateCertificateContext
VERSION.dll   VerQueryValueW
WLDAP32.dll
Language of compilation system  Country where language is spoken
English                         United States
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Oct 27, 2024 23:29:09.558398008 CET  49866        443        192.168.2.5  57.129.0.22
Oct 27, 2024 23:29:09.558410883 CET  443          49866      57.129.0.22  192.168.2.5
Oct 27, 2024 23:29:09.558478117 CET  49866        443        192.168.2.5  57.129.0.22
Oct 27, 2024 23:29:09.611522913 CET  49866        443        192.168.2.5  57.129.0.22
Oct 27, 2024 23:29:09.611532927 CET  443          49866      57.129.0.22  192.168.2.5
Oct 27, 2024 23:29:10.462543011 CET  443          49866      57.129.0.22  192.168.2.5
Oct 27, 2024 23:29:10.462723017 CET  49866        443        192.168.2.5  57.129.0.22
Oct 27, 2024 23:29:10.589998960 CET  49866        443        192.168.2.5  57.129.0.22
Oct 27, 2024 23:29:10.590010881 CET  443          49866      57.129.0.22  192.168.2.5
Oct 27, 2024 23:29:10.590039968 CET  49866        443        192.168.2.5  57.129.0.22
Oct 27, 2024 23:29:10.590208054 CET  443          49866      57.129.0.22  192.168.2.5
Oct 27, 2024 23:29:10.590257883 CET  49866        443        192.168.2.5  57.129.0.22

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Oct 27, 2024 23:29:09.516433001 CET  50585        53         192.168.2.5  1.1.1.1
Oct 27, 2024 23:29:09.535825968 CET  53           50585      1.1.1.1      192.168.2.5

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name          Type            Class        DNS over HTTPS
Oct 27, 2024 23:29:09.516433001 CET  192.168.2.5  1.1.1.1  0xf891    Standard query (0)  reported.lol  A (IP address)  IN (0x0001)  false

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name          CName  Address      Type            Class        DNS over HTTPS
Oct 27, 2024 23:29:09.535825968 CET  1.1.1.1    192.168.2.5  0xf891    No error (0)  reported.lol         57.129.0.22  A (IP address)  IN (0x0001)  false


                                                          Target ID:0
                                                          Start time:18:28:16
                                                          Start date:27/10/2024
                                                          Path:C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.12585.5759.exe"
                                                          Imagebase:0x7ff686820000
                                                          File size:78'622'208 bytes
                                                          MD5 hash:3BC5F7F06970652D8366435FC582243E
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low
                                                          Has exited:false

                                                          Target ID:3
                                                          Start time:18:28:41
                                                          Start date:27/10/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /C sc stop bam
                                                          Imagebase:0x7ff74a700000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:4
                                                          Start time:18:28:41
                                                          Start date:27/10/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:5
                                                          Start time:18:28:43
                                                          Start date:27/10/2024
                                                          Path:C:\Windows\System32\sc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:sc stop bam
                                                          Imagebase:0x7ff685dc0000
                                                          File size:72'192 bytes
                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:6
                                                          Start time:18:28:44
                                                          Start date:27/10/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /C SC CONFIG "bam" START= DISABLED
                                                          Imagebase:0x7ff74a700000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:7
                                                          Start time:18:28:44
                                                          Start date:27/10/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:8
                                                          Start time:18:28:46
                                                          Start date:27/10/2024
                                                          Path:C:\Windows\System32\sc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:SC CONFIG "bam" START= DISABLED
                                                          Imagebase:0x7ff685dc0000
                                                          File size:72'192 bytes
                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:9
                                                          Start time:18:28:50
                                                          Start date:27/10/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /C fsutil behavior set DisableLastAccess 3
                                                          Imagebase:0x7ff74a700000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:10
                                                          Start time:18:28:50
                                                          Start date:27/10/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:11
                                                          Start time:18:28:52
                                                          Start date:27/10/2024
                                                          Path:C:\Windows\System32\fsutil.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:fsutil behavior set DisableLastAccess 3
                                                          Imagebase:0x7ff7aabb0000
                                                          File size:214'840 bytes
                                                          MD5 hash:DE00EDA7134D3365E6074700E3008CAD
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:12
                                                          Start time:18:28:52
                                                          Start date:27/10/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\cmd.exe /C powercfg /hibernate off
                                                          Imagebase:0x7ff74a700000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:13
                                                          Start time:18:28:52
                                                          Start date:27/10/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:14
                                                          Start time:18:28:55
                                                          Start date:27/10/2024
                                                          Path:C:\Windows\System32\powercfg.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:powercfg /hibernate off
                                                          Imagebase:0x7ff7ac810000
                                                          File size:96'256 bytes
                                                          MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:15
                                                          Start time:18:28:55
                                                          Start date:27/10/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\cmd.exe /C powercfg /x -hibernate-timeout-ac 0
                                                          Imagebase:0x7ff74a700000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:16
                                                          Start time:18:28:55
                                                          Start date:27/10/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:18
                                                          Start time:18:28:56
                                                          Start date:27/10/2024
                                                          Path:C:\Windows\System32\powercfg.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:powercfg /x -hibernate-timeout-ac 0
                                                          Imagebase:0x7ff7ac810000
                                                          File size:96'256 bytes
                                                          MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:19
                                                          Start time:18:28:56
                                                          Start date:27/10/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\cmd.exe /C powercfg /x -hibernate-timeout-dc 0
                                                          Imagebase:0x7ff74a700000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:20
                                                          Start time:18:28:56
                                                          Start date:27/10/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:21
                                                          Start time:18:28:56
                                                          Start date:27/10/2024
                                                          Path:C:\Windows\System32\powercfg.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:powercfg /x -hibernate-timeout-dc 0
                                                          Imagebase:0x7ff7ac810000
                                                          File size:96'256 bytes
                                                          MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:22
                                                          Start time:18:28:57
                                                          Start date:27/10/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\cmd.exe /C powercfg /x -disk-timeout-ac 0
                                                          Imagebase:0x7ff74a700000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:23
                                                          Start time:18:28:57
                                                          Start date:27/10/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:24
                                                          Start time:18:28:58
                                                          Start date:27/10/2024
                                                          Path:C:\Windows\System32\powercfg.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:powercfg /x -disk-timeout-ac 0
                                                          Imagebase:0x7ff7ac810000
                                                          File size:96'256 bytes
                                                          MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:25
                                                          Start time:18:28:59
                                                          Start date:27/10/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\cmd.exe /C powercfg /x -disk-timeout-dc 0
                                                          Imagebase:0x7ff74a700000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:26
                                                          Start time:18:28:59
                                                          Start date:27/10/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:27
                                                          Start time:18:29:00
                                                          Start date:27/10/2024
                                                          Path:C:\Windows\System32\powercfg.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:powercfg /x -disk-timeout-dc 0
                                                          Imagebase:0x7ff7ac810000
                                                          File size:96'256 bytes
                                                          MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:28
                                                          Start time:18:29:02
                                                          Start date:27/10/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\cmd.exe /C powercfg /x -standby-timeout-ac 0
                                                          Imagebase:0x7ff74a700000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:29
                                                          Start time:18:29:02
                                                          Start date:27/10/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:30
                                                          Start time:18:29:02
                                                          Start date:27/10/2024
                                                          Path:C:\Windows\System32\powercfg.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:powercfg /x -standby-timeout-ac 0
                                                          Imagebase:0x7ff7ac810000
                                                          File size:96'256 bytes
                                                          MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:31
                                                          Start time:18:29:02
                                                          Start date:27/10/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /C powercfg /x -standby-timeout-dc 0
Imagebase:0x7ff74a700000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:32
Start time:18:29:02
Start date:27/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:33
Start time:18:29:02
Start date:27/10/2024
Path:C:\Windows\System32\powercfg.exe
Wow64 process (32bit):false
Commandline:powercfg /x -standby-timeout-dc 0
Imagebase:0x7ff7ac810000
File size:96'256 bytes
MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:34
Start time:18:29:02
Start date:27/10/2024
Path:C:\Windows\System32\w32tm.exe
Wow64 process (32bit):false
Commandline:w32tm /resync
Imagebase:0x7ff67ae50000
File size:108'032 bytes
MD5 hash:81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:35
Start time:18:29:02
Start date:27/10/2024
Path:C:\Windows\System32\taskkill.exe
Wow64 process (32bit):false
Commandline:taskkill /F /IM agent.exe
Imagebase:0x7ff65e350000
File size:101'376 bytes
MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:36
Start time:18:29:02
Start date:27/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:37
Start time:18:29:02
Start date:27/10/2024
Path:C:\Windows\System32\taskkill.exe
Wow64 process (32bit):false
Commandline:taskkill /F /IM battle.net.exe
Imagebase:0x7ff65e350000
File size:101'376 bytes
MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:38
Start time:18:29:02
Start date:27/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:39
Start time:18:29:02
Start date:27/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

No disassembly