Windows Analysis Report
SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe
Analysis ID: 1501355
MD5: 0b1d213e54d820dd3fefa386aa3e1f43
SHA1: 12e6ac4bed321f1a44e6d71338502e3dae943466
SHA256: 0e7ff3739925d9952c557cd8c3454c181549953975cc6241e95a638c52c33dcd
Tags: exe
Infos:

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Excessive usage of taskkill to terminate processes
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to create an SMB header
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Sample execution stops while process was sleeping (likely an evasion)
Too many similar processes found
Uses Microsoft's Enhanced Cryptographic Provider
Uses taskkill to terminate processes

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Avira: detected
Antivirus detection for URL or domain
Source: http://185.101.104.92/as.exe Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe ReversingLabs: Detection: 60%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 98.8% probability
Machine Learning detection for sample
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE52D8ED strtol,strchr,strchr,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strchr,_strdup,CertOpenStore,GetLastError,free,free,CryptStringToBinaryA,CertFindCertificateInStore,fopen,fseek,ftell,fseek,malloc,fread,fclose,malloc,MultiByteToWideChar,PFXImportCertStore,free,free,GetLastError,CertFindCertificateInStore,GetLastError,CertCloseStore,CertCloseStore,calloc,CertFreeCertificateContext,fclose,free,CertFreeCertificateContext,free,calloc, 4_2_00007FF6CE52D8ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE549DA0 GetLastError,CreateFileA,GetLastError,GetFileSizeEx,GetLastError,malloc,ReadFile,strstr,strstr,CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError,GetLastError,CloseHandle,free, 4_2_00007FF6CE549DA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE52FB70 CryptAcquireContextA,CryptCreateHash, 4_2_00007FF6CE52FB70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE52CBE0 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, 4_2_00007FF6CE52CBE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE52FBC0 CryptHashData, 4_2_00007FF6CE52FBC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE52FBD0 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 4_2_00007FF6CE52FBD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE52CCB0 memset,CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 4_2_00007FF6CE52CCB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE5507F0 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext, 4_2_00007FF6CE5507F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE5528E0 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 4_2_00007FF6CE5528E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE549480 CertOpenStore,GetLastError,CertCreateCertificateChainEngine,GetLastError,CertGetCertificateChain,GetLastError,CertGetNameStringA,malloc,CertFindExtension,CryptDecodeObjectEx,CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx,CertFreeCertificateChainEngine,CertCloseStore,CertFreeCertificateChain,CertFreeCertificateContext, 4_2_00007FF6CE549480
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: -----BEGIN PUBLIC KEY----- 4_2_00007FF6CE512A90
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Binary or memory string: -----BEGIN PUBLIC KEY-----
Contains functionality to create an SMB header
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: mov dword ptr [rbp+04h], 424D53FFh 4_2_00007FF6CE53C4B0
Source: unknown HTTPS traffic detected: 104.26.0.5:443 -> 192.168.2.7:49709 version: TLS 1.2
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: b0E:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Revendedores Painel\Cybertins\Auth Plus\KeyAuth-CPP-Example-main\x64\Release\FivemUnbanBaimless.pdb source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe
Source: Binary string: E:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Revendedores Painel\Cybertins\Auth Plus\KeyAuth-CPP-Example-main\x64\Release\FivemUnbanBaimless.pdb source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /api/1.1/ HTTP/1.1Host: keyauth.winAccept: */*Content-Length: 54Content-Type: application/x-www-form-urlencoded
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.26.0.5 104.26.0.5
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE509770 malloc,recv,free, 4_2_00007FF6CE509770
Source: global traffic DNS traffic detected: DNS query: keyauth.win
Source: unknown HTTP traffic detected: POST /api/1.1/ HTTP/1.1Host: keyauth.winAccept: */*Content-Length: 54Content-Type: application/x-www-form-urlencoded
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe String found in binary or memory: http://185.101.104.92/as.exe
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe String found in binary or memory: http://185.101.104.92/as.exeC:
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe, 00000004.00000002.2528887357.0000018E503BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe, 00000004.00000003.1415048357.0000018E503A0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe, 00000004.00000003.1415006221.0000018E503B9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe, 00000004.00000002.2528887357.0000018E5037B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe, 00000004.00000003.1415092286.0000018E503BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe, 00000004.00000003.1415006221.0000018E503BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe, 00000004.00000003.1415092286.0000018E503B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://keyauth.cc/panel/bronkz/valorantplus/
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe, 00000004.00000002.2528887357.0000018E5035C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://keyauth.win/api/1.1/
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe, 00000004.00000002.2528887357.0000018E5035C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://keyauth.win/api/1.1/ce
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe, 00000004.00000002.2528887357.0000018E5035C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://keyauth.win/api/1.1/pace
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown HTTPS traffic detected: 104.26.0.5:443 -> 192.168.2.7:49709 version: TLS 1.2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE5507F0 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext, 4_2_00007FF6CE5507F0
Too many similar processes found
Source: cmd.exe Process created: 56
Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE522F40 4_2_00007FF6CE522F40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE52D8ED 4_2_00007FF6CE52D8ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE4F18E0 4_2_00007FF6CE4F18E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE51B670 4_2_00007FF6CE51B670
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE504510 4_2_00007FF6CE504510
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE51C330 4_2_00007FF6CE51C330
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE51A330 4_2_00007FF6CE51A330
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE513FB0 4_2_00007FF6CE513FB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE52FF80 4_2_00007FF6CE52FF80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE544F60 4_2_00007FF6CE544F60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE4F1000 4_2_00007FF6CE4F1000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE528D90 4_2_00007FF6CE528D90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE4FAF0B 4_2_00007FF6CE4FAF0B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE543F30 4_2_00007FF6CE543F30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE53CED0 4_2_00007FF6CE53CED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE540BD0 4_2_00007FF6CE540BD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE4FAD2D 4_2_00007FF6CE4FAD2D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE516CE0 4_2_00007FF6CE516CE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE52D9AC 4_2_00007FF6CE52D9AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE52D9B5 4_2_00007FF6CE52D9B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE4FEA20 4_2_00007FF6CE4FEA20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE5507F0 4_2_00007FF6CE5507F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE552870 4_2_00007FF6CE552870
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE4FF5B0 4_2_00007FF6CE4FF5B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE52B670 4_2_00007FF6CE52B670
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE5383A0 4_2_00007FF6CE5383A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE500340 4_2_00007FF6CE500340
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE50C340 4_2_00007FF6CE50C340
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE4FC3CD 4_2_00007FF6CE4FC3CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE549480 4_2_00007FF6CE549480
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE51D1F0 4_2_00007FF6CE51D1F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE526240 4_2_00007FF6CE526240
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: String function: 00007FF6CE519320 appears 380 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: String function: 00007FF6CE51DDC0 appears 34 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: String function: 00007FF6CE553E18 appears 47 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: String function: 00007FF6CE5069E0 appears 49 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: String function: 00007FF6CE51C760 appears 46 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: String function: 00007FF6CE513BF0 appears 70 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: String function: 00007FF6CE51DC50 appears 37 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: String function: 00007FF6CE51DCE0 appears 33 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: String function: 00007FF6CE5194A0 appears 323 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: String function: 00007FF6CE51C830 appears 36 times
Source: classification engine Classification label: mal80.evad.winEXE@107/28@1/2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE505FF0 GetLastError,_errno,FormatMessageA,strchr,_errno,_errno,GetLastError,SetLastError, 4_2_00007FF6CE505FF0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7260:120:WilError_03
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "HTTPDebuggerUI.exe")
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "HTTPDebuggerSvc.exe")
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe ReversingLabs: Detection: 60%
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectory0123456789abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ(nil)(nil)I32I64%ld.%ld$@
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerUI.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerSvc.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerUI.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerSvc.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: b0E:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Revendedores Painel\Cybertins\Auth Plus\KeyAuth-CPP-Example-main\x64\Release\FivemUnbanBaimless.pdb source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe
Source: Binary string: E:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Revendedores Painel\Cybertins\Auth Plus\KeyAuth-CPP-Example-main\x64\Release\FivemUnbanBaimless.pdb source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE51C010 GetModuleHandleA,GetProcAddress,strpbrk,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,malloc,GetSystemDirectoryA,LoadLibraryA,free, 4_2_00007FF6CE51C010
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Binary or memory string: TASKKILL /IM OLLYDBG.EXE /F
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Binary or memory string: BAD CASTQWERTYUIOPASDFGHJKLZXCVBNMQWERTYUIOPASDFGHJKLZXCVBNM1234567890 | DEVELOPER : BRONKZ TASKKILL /IM PROCESSHACKER.EXE /FTASKKILL /IM DNSPY.EXE /FTASKKILL /IM CHEATENGINE-X86_64.EXE /FCLSTASKKILL /IM OLLYDBG.EXE /FTASKKILL /IM IDA.EXE /FTASKKILL /IM IDA64.EXE /FTASKKILL /IM RADARE2.EXE /FTASKKILL /IM X64DBG.EXE /FSTOP DEBUGGING U YERK
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Binary or memory string: TASKKILL /IM PROCESSHACKER.EXE /F
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Binary or memory string: TASKKILL /IM X64DBG.EXE /F
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\conhost.exe Window / User API: threadDelayed 6057 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe API coverage: 5.7 %
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe, 00000004.00000002.2528887357.0000018E5037B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>>[$P
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE504D00 GetStdHandle,GetConsoleMode,SetConsoleMode,GetStdHandle,GetConsoleScreenBufferInfoEx,SetConsoleScreenBufferInfoEx,GetConsoleMode,SetConsoleMode,IsDebuggerPresent,system,system,system,system,system,system,system,system,system,system,system,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,GetConsoleWindow,GetWindowLongA,SetWindowLongA,GetConsoleWindow,GetWindowRect,MoveWindow,system,GetStdHandle,SetConsoleTextAttribute,GetStdHandle,SetConsoleTextAttribute,GetStdHandle,SetConsoleTextAttribute,GetStdHandle,SetConsoleTextAttribute,GetStdHandle,SetConsoleTextAttribute,GetStdHandle,SetConsoleTextAttribute,GetStdHandle,SetConsoleTextAttribute,GetStdHandle,SetConsoleTextAttribute,GetStdHandle,SetConsoleTextAttribute,GetStdHandle,SetConsoleTextAttribute,GetStdHandle,SetConsoleTextAttribute,GetStdHandle,SetConsoleTextAttribute,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,GetStdHandle,SetConsoleTextAttribute,GetStdHandle,SetConsoleTextAttribute,GetStdHandle,SetConsoleTextAttribute,?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A,??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z,system,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A,system,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,Sleep,system,Beep,system,system,exit, 4_2_00007FF6CE504D00
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE553CB8 memset,GetLastError,IsDebuggerPresent,OutputDebugStringW, 4_2_00007FF6CE553CB8
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE51C010 GetModuleHandleA,GetProcAddress,strpbrk,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,malloc,GetSystemDirectoryA,LoadLibraryA,free, 4_2_00007FF6CE51C010
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE4F31E0 GetProcessHeap, 4_2_00007FF6CE4F31E0
Enables debug privileges
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE553AC4 SetUnhandledExceptionFilter, 4_2_00007FF6CE553AC4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE55391C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00007FF6CE55391C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE55340C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00007FF6CE55340C

HIPS / PFW / Operating System Protection Evasion
barindex
Excessive usage of taskkill to terminate processes
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerUI.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerSvc.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerUI.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerSvc.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerPro Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop HTTPDebuggerProSdk Jump to behavior
Uses taskkill to terminate processes
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerUI.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im HTTPDebuggerSvc.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE553B30 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 4_2_00007FF6CE553B30
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE528410 socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,send,recv,memcmp,closesocket,closesocket,closesocket,closesocket, 4_2_00007FF6CE528410
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE51AFE0 memset,strncmp,strncmp,strchr,htons,atoi,htons,htons,bind,htons,bind,getsockname,WSAGetLastError,WSAGetLastError, 4_2_00007FF6CE51AFE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE53F100 calloc,calloc,calloc,bind,WSAGetLastError, 4_2_00007FF6CE53F100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE53EEC9 calloc,calloc,calloc,bind,WSAGetLastError, 4_2_00007FF6CE53EEC9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe Code function: 4_2_00007FF6CE5383A0 calloc,strchr,strncpy,strchr,strncpy,strchr,strtoul,strchr,strtoul,getsockname,WSAGetLastError,free,WSAGetLastError,memcpy,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,getsockname,WSAGetLastError,listen,WSAGetLastError,htons,free, 4_2_00007FF6CE5383A0
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1501355 Sample: SecuriteInfo.com.Win64.Drop... Startdate: 29/08/2024 Architecture: WINDOWS Score: 80 34 keyauth.win 2->34 40 Antivirus detection for URL or domain 2->40 42 Antivirus / Scanner detection for submitted sample 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 3 other signatures 2->46 8 SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe 1 2->8         started        signatures3 process4 dnsIp5 36 keyauth.win 104.26.0.5, 443, 49709 CLOUDFLARENETUS United States 8->36 38 127.0.0.1 unknown unknown 8->38 11 cmd.exe 1 8->11         started        14 cmd.exe 1 8->14         started        16 cmd.exe 1 8->16         started        18 27 other processes 8->18 process6 signatures7 48 Excessive usage of taskkill to terminate processes 11->48 20 taskkill.exe 1 11->20         started        22 taskkill.exe 1 14->22         started        24 taskkill.exe 1 16->24         started        26 taskkill.exe 1 18->26         started        28 taskkill.exe 1 18->28         started        30 taskkill.exe 1 18->30         started        32 19 other processes 18->32 process8
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.26.0.5
 keyauth.win United States
13335 CLOUDFLARENETUS false

Private

IP
127.0.0.1

Contacted Domains

Name IP Active
keyauth.win 104.26.0.5 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://keyauth.win/api/1.1/ false
  • Avira URL Cloud: safe
 unknown