
Windows Analysis Report
SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe
Analysis ID: 1501349
MD5: 4629a7d0c64e29caa63f7a4aede12a07
SHA1: 3646b60408d282ceaddfb725ac98a71c276b591f
SHA256: a61a13fc5a91783172920a1418c06578f267b83a026bd126e653b259a6eb4bda
Tags: exe

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sigma detected: Powershell Defender Exclusion

Classification

  • System is w10x64
  • SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe (PID: 4356 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe" MD5: 4629A7D0C64E29CAA63F7A4AEDE12A07)
    • conhost.exe (PID: 628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6704 cmdline: C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 5564 cmdline: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • WmiPrvSE.exe (PID: 6236 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe'", CommandLine: C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe, ParentProcessId: 4356, ParentProcessName: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe'", ProcessId: 6704, ProcessName: cmd.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe'", CommandLine: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe'", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe'", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6704, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe'", ProcessId: 5564, ProcessName: powershell.exe
No Suricata rule has matched


AV Detection

Source: Submitted Sample; Integrated Neural Analysis Model: Matched 98.1% probability
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; Joe Sandbox ML: detected
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: F:\Static AntiCheat\Updater Clever Launcher\x64\Release\Updater Clever Launcher.pdb source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe
Source: Binary string: F:\Static AntiCheat\Updater Clever Launcher\x64\Release\Updater Clever Launcher.pdb$$ source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; Code function: 0_2_00007FF79EA813D0 RegCreateKeyExA,RegQueryValueExA,RegCloseKey,DeleteFileA,memmove,Concurrency::cancel_current_task,memmove,URLDownloadToFileA,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,MessageBoxA,exit,MessageBoxA,exit; 0_2_00007FF79EA813D0
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; String found in binary or memory: http://ocsp.sectigo.com0
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; String found in binary or memory: https://cdn.cleversquad.online/cdn/CleverClient/CleverLauncher.exe
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; String found in binary or memory: https://cdn.cleversquad.online/cdn/CleverClient/CleverLauncher.exeFailed
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; String found in binary or memory: https://cleversquad.online/0
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; String found in binary or memory: https://sectigo.com/CPS0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; Code function: 0_2_00007FF79EA813D0
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; Static PE information: invalid certificate
Source: classification engine; Classification label: mal60.evad.winEXE@7/5@0/0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Mutant created: NULL
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:628:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kseaghrs.m5x.ps1
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown; Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe'"
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: gpapi.dll
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5692
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4151
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4576 | Thread sleep count: 5692 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4576 | Thread sleep count: 4151 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6976 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe | Code function: 0_2_00007FF79EA82500 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF79EA82500
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe | Code function: 0_2_00007FF79EA81FD4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF79EA81FD4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe | Code function: 0_2_00007FF79EA826A4 SetUnhandledExceptionFilter,0_2_00007FF79EA826A4

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe'"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe | Code function: 0_2_00007FF79EA823D8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF79EA823D8
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Disable or Modify Tools | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | LSASS Memory | 1 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 21 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 12 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Behavior Graph ID: 1501349 | Sample: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe | Startdate: 29/08/2024 | Architecture: WINDOWS | Score: 60
Process chain shown in the graph: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe started cmd.exe and conhost.exe; cmd.exe started powershell.exe; powershell.exe started WmiPrvSE.exe.
Signatures attached to the graph: Machine Learning detection for sample; AI detected suspicious sample; Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet (on the sample); Adds a directory exclusion to Windows Defender (on the sample and on cmd.exe); Loading BitLocker PowerShell Module (on powershell.exe).

Source | Detection | Scanner | Label | Link
SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe | 3% | ReversingLabs
SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe | 100% | Joe Sandbox ML
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0 | 0% | Avira URL Cloud | safe
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z | 0% | Avira URL Cloud | safe
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0# | 0% | Avira URL Cloud | safe
https://cleversquad.online/0 | 0% | Avira URL Cloud | safe
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0# | 0% | Avira URL Cloud | safe
https://cdn.cleversquad.online/cdn/CleverClient/CleverLauncher.exe | 0% | Avira URL Cloud | safe
https://cdn.cleversquad.online/cdn/CleverClient/CleverLauncher.exeFailed | 0% | Avira URL Cloud | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0 | SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe | false | Avira URL Cloud: safe | unknown
https://cleversquad.online/0 | SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe | false | Avira URL Cloud: safe | unknown
https://sectigo.com/CPS0 | SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe | false | URL Reputation: safe | unknown
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0# | SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe | false | Avira URL Cloud: safe | unknown
http://ocsp.sectigo.com0 | SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe | false | URL Reputation: safe | unknown
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z | SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe | false | Avira URL Cloud: safe | unknown
https://cdn.cleversquad.online/cdn/CleverClient/CleverLauncher.exeFailed | SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe | false | Avira URL Cloud: safe | unknown
https://cdn.cleversquad.online/cdn/CleverClient/CleverLauncher.exe | SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe | false | Avira URL Cloud: safe | unknown
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0# | SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe | false | Avira URL Cloud: safe | unknown
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1501349
Start date and time:2024-08-29 19:23:30 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 40s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:11
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe
Detection:MAL
Classification:mal60.evad.winEXE@7/5@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 3
  • Number of non-executed functions: 7
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed; report is missing behavior information
  • Report size getting too big, too many NtCreateKey calls found.
  • VT rate limit hit for: SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe
Time | Type | Description
13:24:49 | API Interceptor | 18x Sleep call for process: powershell.exe modified
No context
No context
No context
No context
No context
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):64
Entropy (8bit):1.1940658735648508
Encrypted:false
SSDEEP:3:NlllulxmH/lZ:NllUg
MD5:D904BDD752B6F23D81E93ECA3BD8E0F3
SHA1:026D8B0D0F79861746760B0431AD46BAD2A01676
SHA-256:B393D3CEC8368794972E4ADD978B455A2F5BD37E3A116264DBED14DC8C67D6F2
SHA-512:5B862B7F0BCCEF48E6A5A270C3F6271D7A5002465EAF347C6A266365F1B2CD3D88144C043D826D3456AA43484124D619BF16F9AEAB1F706463F553EE24CB5740
Malicious:false
Reputation:moderate, very likely benign file
Preview:@...e................................. ..............@..........
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:high, very likely benign file
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:high, very likely benign file
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
File type:PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):6.1868791730052095
TrID:
  • Win64 Executable Console (202006/5) 92.65%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe
File size:27'384 bytes
MD5:4629a7d0c64e29caa63f7a4aede12a07
SHA1:3646b60408d282ceaddfb725ac98a71c276b591f
SHA256:a61a13fc5a91783172920a1418c06578f267b83a026bd126e653b259a6eb4bda
SHA512:9cc8734a02a76af07ca39bdd26788307856b7c5653b3be41416dcd84e05087fcddd0f1d10e8ff0f8a75d286fc24c19ab0d3a471146ad343601ea44052d56c0a1
SSDEEP:384:flrcGPGZee0QPt0GkaUVQLBeuMsx2n9J0+1/wfT3ir2WSx7bLzWY:9cV/PFkaUWLcuMswfA3iPmbLn
TLSH:36C28E473F4A28EAD5568138C0EB4937DAB376864B2056CF63B0816A1F763C07D7694F
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2...S...S...S...+...S..L....S..L....S..L....S..L....S...+...S...S...S..|....S..|.q..S..|....S..Rich.S..................PE..d..
Icon Hash:90cececece8e8eb0
Entrypoint:0x140001fc0
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x140000000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x66C20B22 [Sun Aug 18 14:54:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:086ee368293949084c74de97a4d6a155
Signature Valid:false
Signature Issuer:CN=Clever Games Limited, O=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, C=US
Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:-2146762487
Not Before, Not After
  • 12/08/2024 02:00:00 12/08/2034 02:00:00
Subject Chain
  • CN=Clever Games Limited, O=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, C=US
Version:3
Thumbprint MD5:448D7A8B4341DFCC8C38DEE701B9F59C
Thumbprint SHA-1:389195E10B6F2A3BD8A9D3DD457D021EEAA82B65
Thumbprint SHA-256:FB1CD0CB9DBA71FF3D792CF50734633E45A9107576DB9A75259315069D8533B0
Serial:3D3058C05803AC2A
Programming Language:
  • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4074 | 0x118 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7000 | 0x1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x6000 | 0x294 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x4a00 | 0x20f8 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8000 | 0x58 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3690 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3550 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3000 | 0x2b8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1c39 | 0x1e00 | d2c1bf68ee332fdf8e3ffb3a9c26503d | False | 0.583203125 | data | 5.892569035665592 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x3000 | 0x1ce4 | 0x1e00 | 615adabd8e4c8016330518610b9c2263 | False | 0.380859375 | data | 4.34697013494644 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x5000 | 0x718 | 0x200 | b06f861a260869d53c5c0f04a73da719 | False | 0.2265625 | data | 1.9906479179666974 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x6000 | 0x294 | 0x400 | 2ce3304d57fe7cceff29ba2416a33364 | False | 0.3544921875 | data | 2.768136780192829 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x7000 | 0x1e0 | 0x200 | 0b35de07beeb30d1d6013cbca2846303 | False | 0.525390625 | data | 4.701503258251789 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x8000 | 0x58 | 0x200 | 9e3f9691b7573d975b37627ea418bee5 | False | 0.201171875 | data | 1.2138565849933087 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x7060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
KERNEL32.dll | UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, DeleteFileA, GetModuleFileNameA, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetModuleHandleW, RtlCaptureContext
USER32.dll | MessageBoxA
ADVAPI32.dll | RegCloseKey, RegQueryValueExA, RegCreateKeyExA
SHELL32.dll | ShellExecuteA
MSVCP140.dll | ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?uncaught_exception@std@@YA_NXZ, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z, ?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?_Xlength_error@std@@YAXPEBD@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ?good@ios_base@std@@QEBA_NXZ
urlmon.dll | URLDownloadToFileA
VCRUNTIME140_1.dll | __CxxFrameHandler4
VCRUNTIME140.dll | __std_terminate, __std_exception_copy, _CxxThrowException, memmove, memcpy, __current_exception_context, __C_specific_handler, __std_exception_destroy, memset, __current_exception
api-ms-win-crt-runtime-l1-1-0.dll | _initialize_onexit_table, _register_onexit_function, _crt_atexit, terminate, _register_thread_local_exe_atexit_callback, _c_exit, _exit, exit, _cexit, _initterm_e, _initterm, _get_initial_narrow_environment, _initialize_narrow_environment, _configure_narrow_argv, __p___argv, _set_app_type, __p___argc, _invalid_parameter_noinfo_noreturn, system, _seh_filter_exe
api-ms-win-crt-heap-l1-1-0.dll | _set_new_mode, free, malloc, _callnewh
api-ms-win-crt-math-l1-1-0.dll | __setusermatherr
api-ms-win-crt-stdio-l1-1-0.dll | _set_fmode, __p__commode
api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale
Language of compilation system | Country where language is spoken | Map
English | United States
No network behavior found


Target ID:0
Start time:13:24:47
Start date:29/08/2024
Path:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe"
Imagebase:0x7ff79ea80000
File size:27'384 bytes
MD5 hash:4629A7D0C64E29CAA63F7A4AEDE12A07
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:1
Start time:13:24:47
Start date:29/08/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff68cce0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:3
Start time:13:24:47
Start date:29/08/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe'"
Imagebase:0x7ff63fb00000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:4
Start time:13:24:47
Start date:29/08/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe'"
Imagebase:0x7ff6eb350000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:5
Start time:13:24:51
Start date:29/08/2024
Path:C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:0x7ff6220e0000
File size:496'640 bytes
MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high
Has exited:false
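
The four targets above, the sample plus the conhost.exe, cmd.exe and powershell.exe it produces, are the telemetry a detection engineer has to work from. The script below is an added example written for this page; it is neither Joe Sandbox code nor part of the sample. It runs a self-exclusion check over process-creation events: any Add-MpPreference or Set-MpPreference command line that sets an Exclusion* parameter is flagged, a base64 -EncodedCommand payload is decoded first so the encoded form of the same cmdlet is caught, and the finding is raised to high severity when the excluded path covers the image of the flagged process or one of its ancestors. The events are constructed to mirror the PIDs and command lines listed here; the Sysmon-style field names, the parent PID 1000 and the extra encoded-command event with PID 5565 are assumptions.

```python
"""Flag processes that add a Windows Defender exclusion covering themselves or an ancestor.

Added example for this report; not Joe Sandbox code and not part of the sample.
The event records are constructed to mirror the report's process tree
(PIDs 4356 -> 6704 -> 5564); the Sysmon-like field names and the PIDs 1000
and 5565 are assumptions.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def encode_ps(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_PATH = r"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe"
ADD_EXCL = f"Add-MpPreference -ExclusionPath '{SAMPLE_PATH}'"

# Constructed events mirroring the report's tree, plus one encoded variant (PID 5565, assumed).
SAMPLE_EVENTS = [
    ProcEvent(4356, 1000, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(628, 4356, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(6704, 4356, r"C:\Windows\System32\cmd.exe",
              f'C:\\Windows\\system32\\cmd.exe /c powershell -Command "{ADD_EXCL}"'),
    ProcEvent(5564, 6704, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              f'powershell -Command "{ADD_EXCL}"'),
    ProcEvent(5565, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -nop -w hidden -enc "
              + encode_ps(r"Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'")),
]

# Any Add-/Set-MpPreference call that sets an Exclusion* parameter; value may be quoted or bare.
MP_PREF_RE = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(Path|Process|Extension|IpAddress)\s+(['\"]?)([^'\",]+)\2",
    re.IGNORECASE | re.DOTALL)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...) and the alias -ec.
_ENC_SWITCHES = "|".join(["encodedcommand"[:i] for i in range(14, 0, -1)] + ["ec"])
ENC_RE = re.compile(rf"(?<!\S)-(?:{_ENC_SWITCHES})\s+([A-Za-z0-9+/=]{{16,}})", re.IGNORECASE)


def expand_cmdline(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload, if any, so the cmdlet regex can see it."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return f"{cmdline} {decoded}"


def _covers(kind: str, value: str, image: str) -> bool:
    """Does an Exclusion<kind> value cover the given image path (file or directory exclusion)?"""
    v, i = value.lower().rstrip("\\"), image.lower()
    if kind.lower() == "path":
        return i == v or i.startswith(v + "\\")
    if kind.lower() == "process":
        return i.rsplit("\\", 1)[-1] == v.rsplit("\\", 1)[-1]
    return False


def find_exclusion_abuse(events: Iterable[ProcEvent]) -> list[dict]:
    """One finding per event whose command line adds a Defender exclusion.

    Severity is 'high' when the exclusion covers the image of the process
    itself or of an ancestor (the self-whitelisting seen in this report),
    otherwise 'medium'.
    """
    events = list(events)
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        m = MP_PREF_RE.search(expand_cmdline(e.cmdline))
        if not m:
            continue
        kind, value = m.group(1), m.group(3)
        chain, cur, hops = [e], by_pid.get(e.ppid), 0
        while cur is not None and hops < 16:          # bounded walk up the process tree
            chain.append(cur)
            cur, hops = by_pid.get(cur.ppid), hops + 1
        covered = [p.pid for p in chain if _covers(kind, value, p.image)]
        findings.append({
            "pid": e.pid,
            "kind": kind,
            "value": value,
            "chain": [p.pid for p in chain],
            "covered": covered,
            "severity": "high" if covered else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_exclusion_abuse(SAMPLE_EVENTS):
        print(f"{f['severity']:6} pid={f['pid']} Exclusion{f['kind']}={f['value']} chain={f['chain']}")
```

Both cmd.exe (6704) and powershell.exe (5564) carry the cmdlet on their command line, so both are reported; the ancestry walk ties each back to PID 4356, whose image is exactly the excluded path. The encoded event only reaches medium because the excluded directory does not contain any image in its chain.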


    Execution Graph

    Execution Coverage:16.3%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:19.6%
    Total number of Nodes:199
    Total number of Limit Nodes:5
    execution_graph (interactive figure; the serialised node list is summarised here by path)
    • CRT entry 7ff79ea81e44: __scrt_release_startup_lock, _get_initial_narrow_environment, __p___argv, __p___argc, _register_thread_local_exe_atexit_callback, then the call to 7ff79ea813d0 (the sample's own logic). Its failure branches go through 7ff79ea82500 (IsProcessorFeaturePresent, memset, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter) and _exit. That is the stock MSVC startup and fail-fast path, so the IsDebuggerPresent call belongs to the runtime, not to the sample's logic.
    • 7ff79ea813d0 first calls 7ff79ea81200: GetModuleFileNameA, string building through 7ff79ea81ac0 and 7ff79ea81cf0 (memmove, malloc), then system at 7ff79ea81355. The CRT's system() runs its argument through cmd.exe /c, which matches the cmd.exe command line listed under Target ID 3 (powershell Add-MpPreference -ExclusionPath '<own path>').
    • Back in 7ff79ea813d0 (node 7ff79ea813be): RegCreateKeyExA, RegQueryValueExA, RegCloseKey, DeleteFileA; failure edge to 7ff79ea816f0 (MessageBoxA, exit).
    • 7ff79ea815a4: URLDownloadToFileA; failure edges reach 7ff79ea816c8 (MessageBoxA, exit).
    • Success edge: 7ff79ea81790 -> 7ff79ea811c0 -> 7ff79ea81720 -> 7ff79ea811c9 ShellExecuteA, exit.
    • Remaining nodes are CRT and library helpers: 7ff79ea82650 GetModuleHandleW; 7ff79ea81d60 and 7ff79ea82210 initialisation (_RTC_Initialize, InitializeSListHead, _initialize_onexit_table); 7ff79ea823fb GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter (the security-cookie seed); 7ff79ea820dc and 7ff79ea81fd4 RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess; 7ff79ea82170 _CxxThrowException; 7ff79ea82c03 _seh_filter_exe; and the MSVCP140 iostream calls in 7ff79ea818b0, 7ff79ea81a17 and 7ff79ea81a80 (?good@ios_base, ?sputn, ?sputc, ?setstate, ?_Osfx, ?flush, ?widen, ?put).

    Callgraph

    callgraph (interactive figure; 73 nodes, Function_00007FF79EA81000 through Function_00007FF79EA82C21). The CRT entry Function_00007FF79EA81E44 calls Function_00007FF79EA813D0, which calls Function_00007FF79EA81200 (GetModuleFileNameA, system), Function_00007FF79EA811C0 (ShellExecuteA, via Function_00007FF79EA81720), Function_00007FF79EA81790 and the string and allocation helpers Function_00007FF79EA811A0, Function_00007FF79EA81100, Function_00007FF79EA81CF0 and Function_00007FF79EA81D2C. Function_00007FF79EA81200 additionally calls Function_00007FF79EA81CD0 and Function_00007FF79EA81AC0. The rest of the nodes are CRT initialisation and exception-handling routines.

    Control-flow Graph

    control_flow_graph for 7ff79ea813d0 (interactive figure; blocks summarised)
    • 7ff79ea813d0-7ff79ea8148d: call 7ff79ea81200, then RegCreateKeyExA, RegQueryValueExA, RegCloseKey, DeleteFileA. RegCreateKeyExA creates the key when it is absent, so the Software\CleverRust key from the string list will exist on a host after a run even if no value was found.
    • Failure edge to 7ff79ea816f0-7ff79ea81717: MessageBoxA, exit (presumably the "Error RGD" message from the string list).
    • 7ff79ea81493-7ff79ea81591: string construction (7ff79ea811a0 ?_Xlength_error check, 7ff79ea81cf0 allocation, memmove).
    • 7ff79ea81595-7ff79ea81624: URLDownloadToFileA, with error handling at 7ff79ea81626-7ff79ea8169f (_invalid_parameter_noinfo_noreturn, 7ff79ea81d2c free).
    • 7ff79ea816ad: branch to 7ff79ea816c8-7ff79ea816ef (MessageBoxA, exit; presumably "Error DWN") on failure, or to 7ff79ea816b1-7ff79ea816c7 (call 7ff79ea81790, call 7ff79ea811c0, which performs ShellExecuteA) on success.
    Memory Dump Source
    • Source File: 00000000.00000002.1540771743.00007FF79EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA80000, based on PE: true
    • Associated: 00000000.00000002.1540759284.00007FF79EA80000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1540784729.00007FF79EA83000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1540798891.00007FF79EA85000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1540811861.00007FF79EA86000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79ea80000_SecuriteInfo.jbxd
    Similarity
    • API ID: File_invalid_parameter_noinfo_noreturn$Messageexitmemmove$CloseConcurrency::cancel_current_taskCreateDeleteDownloadModuleNameQueryValuemallocsystem
    • String ID: ?$Error DWN$Error RGD$Failed update launcher!$Name$Software\CleverRust
    • API String ID: 2251633304-4179195109
    • Opcode ID: eaaf4bbe5c130d1b4c88a3b3912ab3bc90c041f9caa410d2b81db9e23be26614
    • Instruction ID: b0bf50ac1f2f8636ef2f99c328ec65b40db2f29cae6e013d7b54363de87293f7
    • Opcode Fuzzy Hash: eaaf4bbe5c130d1b4c88a3b3912ab3bc90c041f9caa410d2b81db9e23be26614
    • Instruction Fuzzy Hash: 25916471E08B8185EB24AB74E4807B9A761FB647A4F801335DA9D16AF6DF7CE145C320

    Control-flow Graph

    APIs
    • GetModuleFileNameA.KERNEL32 ref: 00007FF79EA8122C
      • Part of subcall function 00007FF79EA81CF0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF79EA81256), ref: 00007FF79EA81D0A
    • system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF79EA81366
    • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF79EA813A1
      • Part of subcall function 00007FF79EA81AC0: memmove.VCRUNTIME140 ref: 00007FF79EA81BB4
      • Part of subcall function 00007FF79EA81AC0: memmove.VCRUNTIME140 ref: 00007FF79EA81BC2
      • Part of subcall function 00007FF79EA81AC0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF79EA81BFB
      • Part of subcall function 00007FF79EA81AC0: memmove.VCRUNTIME140 ref: 00007FF79EA81C13
      • Part of subcall function 00007FF79EA81AC0: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF79EA81C48
      • Part of subcall function 00007FF79EA81AC0: ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF79EA81C59
      • Part of subcall function 00007FF79EA81AC0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF79EA81C66
    Memory Dump Source
    • Source File: 00000000.00000002.1540771743.00007FF79EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA80000, based on PE: true
    • Associated: 00000000.00000002.1540759284.00007FF79EA80000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1540784729.00007FF79EA83000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1540798891.00007FF79EA85000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1540811861.00007FF79EA86000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79ea80000_SecuriteInfo.jbxd
    Similarity
    • API ID: memmove$_invalid_parameter_noinfo_noreturn$?uncaught_exception@std@@Concurrency::cancel_current_taskD@std@@@std@@FileModuleNameOsfx@?$basic_ostream@U?$char_traits@mallocsystem
    • String ID: 6$?$Path '
    • API String ID: 646485290-78544744
    • Opcode ID: b464e89bfd4fd63e614a86b06d2c7d5b33770428fe1eae672cb9f4610c30a6c7
    • Instruction ID: 4171bf5141502870fd8ba6fd4a32345ae54826bef706083388f50d836f98ecc6
    • Opcode Fuzzy Hash: b464e89bfd4fd63e614a86b06d2c7d5b33770428fe1eae672cb9f4610c30a6c7
    • Instruction Fuzzy Hash: C2517532A1CB8181E760DB34E5807BAB760FBA5794F805231EA9D43AB5DF7CD184C720

    Control-flow Graph

    Memory Dump Source
    • Source File: 00000000.00000002.1540771743.00007FF79EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA80000, based on PE: true
    • Associated: 00000000.00000002.1540759284.00007FF79EA80000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1540784729.00007FF79EA83000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1540798891.00007FF79EA85000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1540811861.00007FF79EA86000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79ea80000_SecuriteInfo.jbxd
    Similarity
    • API ID: __p___argc__p___argv__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
    • String ID:
    • API String ID: 1328870896-0
    • Opcode ID: b76e057ed8a27bb319d37403d3924f6f1c66b6829f1aa4c92c80aba9587ff485
    • Instruction ID: c52494edbe8e5d4e0b9168b3591e381f72b5ef5b7a9e748f87ecd73f4e779d4b
    • Opcode Fuzzy Hash: b76e057ed8a27bb319d37403d3924f6f1c66b6829f1aa4c92c80aba9587ff485
    • Instruction Fuzzy Hash: A031F731E0820381EA34BB35A4D5BB9A391EFA9784FC45435EA4E172F7DF2CA8458371

    Control-flow Graph

    Memory Dump Source
    • Source File: 00000000.00000002.1540771743.00007FF79EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA80000, based on PE: true
    • Associated: 00000000.00000002.1540759284.00007FF79EA80000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1540784729.00007FF79EA83000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1540798891.00007FF79EA85000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1540811861.00007FF79EA86000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79ea80000_SecuriteInfo.jbxd
    Similarity
    • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
    • String ID:
    • API String ID: 313767242-0
    • Opcode ID: 0179a177e45da51513cbb762f8243b75536e9a99a52b990720e6a54adb8c2a84
    • Instruction ID: bf9b9a112237296624c367138ad26ed33c194c8db664bce8dff69300f0e42605
    • Opcode Fuzzy Hash: 0179a177e45da51513cbb762f8243b75536e9a99a52b990720e6a54adb8c2a84
    • Instruction Fuzzy Hash: A0310C72609B8196EB749F60E890BB9B370FB88744F84443ADA4E47AA5DF38D548C730

    Control-flow Graph

    Memory Dump Source
    • Source File: 00000000.00000002.1540771743.00007FF79EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA80000, based on PE: true
    • Associated: 00000000.00000002.1540759284.00007FF79EA80000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1540784729.00007FF79EA83000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1540798891.00007FF79EA85000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1540811861.00007FF79EA86000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79ea80000_SecuriteInfo.jbxd
    Similarity
    • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
    • String ID:
    • API String ID: 2933794660-0
    • Opcode ID: ece9d28911f072f010a19d2c1813fdee6b9268cba813eeb7648ffe78b66c9619
    • Instruction ID: c6015621ee2783e11331a5f372317804805559892324ebee632c6ad0fb6e5b3a
    • Opcode Fuzzy Hash: ece9d28911f072f010a19d2c1813fdee6b9268cba813eeb7648ffe78b66c9619
    • Instruction Fuzzy Hash: D3114832B14B018AEB109B70E8946B873B4FB19758F850A31DA6D867A4EF78D15883A0
    Memory Dump Source
    • Source File: 00000000.00000002.1540771743.00007FF79EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA80000, based on PE: true
    • Associated: 00000000.00000002.1540759284.00007FF79EA80000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1540784729.00007FF79EA83000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1540798891.00007FF79EA85000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1540811861.00007FF79EA86000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79ea80000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 34c145e04373488857d605e4a5e4627ee764b7646b37798ef7d3eef1cc8f80c1
    • Instruction ID: 4f3371b3fb9b2cf5ae861405334945084d626db4744add3dccbf739ff50f3e0e
    • Opcode Fuzzy Hash: 34c145e04373488857d605e4a5e4627ee764b7646b37798ef7d3eef1cc8f80c1
    • Instruction Fuzzy Hash: 20A00131908802A1E628AB20E9A0830A230FB64704B820471C00D410719E2DA6489230

    Control-flow Graph

    control_flow_graph for 7ff79ea818b0 (interactive figure; blocks 7ff79ea818b0-7ff79ea81a7c). This is the std::ostream insertion helper: a sentry check through ?good@ios_base with a guarded ?flush, character output through ?sputn and ?sputc on the attached streambuf, ?setstate on failure, then ?uncaught_exception and ?_Osfx cleanup. It makes no OS API calls.
    APIs
    • ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF79EA81929
    • ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF79EA81949
    • ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF79EA81959
    • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF79EA819A6
    • ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140 ref: 00007FF79EA819CD
    • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF79EA819EE
    • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF79EA81A34
    • ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF79EA81A3B
    • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF79EA81A48
    Memory Dump Source
    • Source File: 00000000.00000002.1540771743.00007FF79EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA80000, based on PE: true
    • Associated: 00000000.00000002.1540759284.00007FF79EA80000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1540784729.00007FF79EA83000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1540798891.00007FF79EA85000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1540811861.00007FF79EA86000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79ea80000_SecuriteInfo.jbxd
    Similarity
    • API ID: D@std@@@std@@U?$char_traits@$?good@ios_base@std@@?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
    • String ID:
    • API String ID: 3274656010-0
    • Opcode ID: ea5ab88f0423b1737ac0bfdfde8ebed26f9c5f59ff79b0fea0eb2f74e730f679
    • Instruction ID: c88b0440976a266e6beb5d1f80a3a0c24140c7a73f421c3c65c98a8f6fe7ac8c
    • Opcode Fuzzy Hash: ea5ab88f0423b1737ac0bfdfde8ebed26f9c5f59ff79b0fea0eb2f74e730f679
    • Instruction Fuzzy Hash: 5451DF32A08A4181EB319F29E5D4A38EBA0EBA5F95B95C531CA5E437B1CF3DD446C320

    Control-flow Graph

    Memory Dump Source
    • Source File: 00000000.00000002.1540771743.00007FF79EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA80000, based on PE: true
    • Associated: 00000000.00000002.1540759284.00007FF79EA80000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1540784729.00007FF79EA83000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1540798891.00007FF79EA85000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1540811861.00007FF79EA86000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79ea80000_SecuriteInfo.jbxd
    Similarity
    • API ID: memmove$?uncaught_exception@std@@Concurrency::cancel_current_taskD@std@@@std@@Osfx@?$basic_ostream@U?$char_traits@_invalid_parameter_noinfo_noreturn
    • String ID:
    • API String ID: 599182731-0
    • Opcode ID: b13549cae8f5b26e3a1728ac7ff7f70701c5e1995ce9922caf182689364f395a
    • Instruction ID: b8c89cfd230dd2814a8e34473ab37c9c1f990227f4d321cdf7f075a373b9965f
    • Opcode Fuzzy Hash: b13549cae8f5b26e3a1728ac7ff7f70701c5e1995ce9922caf182689364f395a
    • Instruction Fuzzy Hash: 3141A072B08A4181EA30AB36D484A79E761FB68FD4F844631DE5D077A5DF3CD4518330

    Control-flow Graph

    Memory Dump Source
    • Source File: 00000000.00000002.1540771743.00007FF79EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA80000, based on PE: true
    • Associated: 00000000.00000002.1540759284.00007FF79EA80000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1540784729.00007FF79EA83000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1540798891.00007FF79EA85000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1540811861.00007FF79EA86000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79ea80000_SecuriteInfo.jbxd
    Similarity
    • API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
    • String ID:
    • API String ID: 2075926362-0
    • Opcode ID: 868eb938bda0d90be520fe1f9dfa95e41f913a0aa771ec102377480b85a87ed9
    • Instruction ID: 15cae128a6aff92d44ef9af01fced12c1b62dbf6c32d37853cdbf9102b26ac58
    • Opcode Fuzzy Hash: 868eb938bda0d90be520fe1f9dfa95e41f913a0aa771ec102377480b85a87ed9
    • Instruction Fuzzy Hash: 1031AF32A0978141EA34AF71A580779A751EB34BA4F980734DABD067E2DE7CA0928360

    Control-flow Graph

    control_flow_graph for 7ff79ea811c0 (interactive figure): a single block, 7ff79ea811c0-7ff79ea811fa, that calls 7ff79ea81720, then ShellExecuteA with the "open" verb from the string list, then exit. It never returns to its caller, so whatever 7ff79ea813d0 downloaded is launched and the sample terminates.
    Memory Dump Source
    • Source File: 00000000.00000002.1540771743.00007FF79EA81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA80000, based on PE: true
    • Associated: 00000000.00000002.1540759284.00007FF79EA80000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1540784729.00007FF79EA83000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1540798891.00007FF79EA85000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1540811861.00007FF79EA86000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_7ff79ea80000_SecuriteInfo.jbxd
    Similarity
    • API ID: ExecuteShellexit
    • String ID: open
    • API String ID: 137663079-2758837156
    • Opcode ID: 3dc0f27e8526e3c07ce608c9019aeffbcce2f211afe94b6c5be7116b8bda8f86
    • Instruction ID: e66245ae69a32646ed2ba0701a2fba164f5c5f36ecdb61743c3aa284f65ed869
    • Opcode Fuzzy Hash: 3dc0f27e8526e3c07ce608c9019aeffbcce2f211afe94b6c5be7116b8bda8f86
    • Instruction Fuzzy Hash: 0DD0127190864181E3746770B885B7AA660EB587A9F805238D69905AF2CF3C91088731