Windows Analysis Report
SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe
Analysis ID: 1501349
MD5: 4629a7d0c64e29caa63f7a4aede12a07
SHA1: 3646b60408d282ceaddfb725ac98a71c276b591f
SHA256: a61a13fc5a91783172920a1418c06578f267b83a026bd126e653b259a6eb4bda
Tags: exe
Infos:

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sigma detected: Powershell Defender Exclusion

Classification

AV Detection
barindex
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 98.1% probability
Machine Learning detection for sample
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: F:\Static AntiCheat\Updater Clever Launcher\x64\Release\Updater Clever Launcher.pdb source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe
Source: Binary string: F:\Static AntiCheat\Updater Clever Launcher\x64\Release\Updater Clever Launcher.pdb$$ source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Code function: 0_2_00007FF79EA813D0 RegCreateKeyExA,RegQueryValueExA,RegCloseKey,DeleteFileA,memmove,Concurrency::cancel_current_task,memmove,URLDownloadToFileA,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,MessageBoxA,exit,MessageBoxA,exit, 0_2_00007FF79EA813D0
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe String found in binary or memory: https://cdn.cleversquad.online/cdn/CleverClient/CleverLauncher.exe
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe String found in binary or memory: https://cdn.cleversquad.online/cdn/CleverClient/CleverLauncher.exeFailed
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe String found in binary or memory: https://cleversquad.online/0
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe String found in binary or memory: https://sectigo.com/CPS0
Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Code function: 0_2_00007FF79EA813D0 0_2_00007FF79EA813D0
PE / OLE file has an invalid certificate
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Static PE information: invalid certificate
Source: classification engine Classification label: mal60.evad.winEXE@7/5@0/0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:628:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kseaghrs.m5x.ps1 Jump to behavior
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe'"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe'" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe'" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: F:\Static AntiCheat\Updater Clever Launcher\x64\Release\Updater Clever Launcher.pdb source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe
Source: Binary string: F:\Static AntiCheat\Updater Clever Launcher\x64\Release\Updater Clever Launcher.pdb$$ source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5692 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4151 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4576 Thread sleep count: 5692 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4576 Thread sleep count: 4151 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6976 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Code function: 0_2_00007FF79EA82500 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF79EA82500
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Code function: 0_2_00007FF79EA81FD4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF79EA81FD4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Code function: 0_2_00007FF79EA826A4 SetUnhandledExceptionFilter, 0_2_00007FF79EA826A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Code function: 0_2_00007FF79EA82500 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF79EA82500

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe'"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe'"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe'" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe'" Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe'" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe'" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe Code function: 0_2_00007FF79EA823D8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF79EA823D8
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1501349 Sample: SecuriteInfo.com.Trojan.Win... Startdate: 29/08/2024 Architecture: WINDOWS Score: 60 23 Machine Learning detection for sample 2->23 25 AI detected suspicious sample 2->25 27 Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet 2->27 8 SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe 1 2->8         started        process3 signatures4 29 Adds a directory exclusion to Windows Defender 8->29 11 cmd.exe 1 8->11         started        14 conhost.exe 8->14         started        process5 signatures6 31 Adds a directory exclusion to Windows Defender 11->31 16 powershell.exe 23 11->16         started        process7 signatures8 21 Loading BitLocker PowerShell Module 16->21 19 WmiPrvSE.exe 16->19         started        process9
No contacted IP infos