Windows Analysis Report
SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe
Analysis ID: 1521526
MD5: 44263157176d2dce120e56ae6d3ef234
SHA1: 56a7650df487782d51c8974fa0e2686f86132c33
SHA256: bc72cde1d16c58b721d38dae2bcaa61b3a9bc7c22eae128e0439329f32ddef05
Tags: exe

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Contains functionality to register a low level keyboard hook
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch or control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
One or more processes crash
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Avira: detected
Source: SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe ReversingLabs: Detection: 63%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.4% probability
Source: SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Code function: 0_2_0041F0F0 FindFirstFileA,RemoveDirectoryA,RemoveDirectoryA,DeleteFileA,FindNextFileA,FindClose, 0_2_0041F0F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Code function: 0_2_0041ED60 FindClose,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,FindNextFileA,FindNextFileA, 0_2_0041ED60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Code function: 0_2_00407847 GetLogicalDriveStringsA, 0_2_00407847
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Code function: 4x nop then push esi 0_2_0041F4D1
Source: Amcache.hve.3.dr String found in binary or memory: http://upx.sf.net

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Code function: 0_2_0040CC61 SetWindowsHookExA 0000000D,0040D0C3,?,00000000 0_2_0040CC61
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Code function: 0_2_0040C4BD OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_0040C4BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Code function: 0_2_0040C39B GlobalAlloc,GlobalLock,RtlMoveMemory,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_0040C39B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Code function: 0_2_0040DEC4 GetCurrentProcess,OpenProcess,LocalAlloc,NtQueryInformationProcess,LocalFree,CloseHandle, 0_2_0040DEC4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Code function: 0_2_0041293F OpenSCManagerA,OpenServiceA,DeleteService,CloseServiceHandle,CloseServiceHandle, 0_2_0041293F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Code function: 0_2_00423D60 0_2_00423D60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Code function: 0_2_004242E0 0_2_004242E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Code function: 0_2_004216A0 0_2_004216A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Code function: 0_2_00422F90 0_2_00422F90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7008 -s 488
Source: SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe, 00000000.00000000.1893032318.000000000043A000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamewininit.exeD vs SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe, 00000000.00000002.2033501137.000000000077E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewininit.exeD vs SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Binary or memory string: OriginalFilenamewininit.exeD vs SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal68.spyw.winEXE@2/5@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Code function: OpenSCManagerA,CreateServiceA,CloseServiceHandle,CloseServiceHandle, 0_2_0041273E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Code function: 0_2_0040C6B5 CreateToolhelp32Snapshot,Process32First,CloseHandle,Process32Next,CloseHandle, 0_2_0040C6B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Code function: 0_2_00413144 OpenSCManagerA,OpenServiceA,ChangeServiceConfigA,CloseServiceHandle,CloseServiceHandle, 0_2_00413144
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7008
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\6511a8d9-44cd-43fa-b20c-0b3db0d90bac
Source: SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe ReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7008 -s 488
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Code function: 0_2_004012AD KiUserExceptionDispatcher,GetSystemMetrics,LoadLibraryA,GetProcAddress,CreateFileA, 0_2_004012AD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Code function: 0_2_00424950 push eax; ret 0_2_0042497E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Code function: 0_2_0040BA88 push E8000001h; iretd 0_2_0040BA8D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Code function: 0_2_00412AB1 OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle, 0_2_00412AB1
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Code function: OpenSCManagerA,EnumServicesStatusA,GetProcessHeap,HeapAlloc,EnumServicesStatusA,RtlMoveMemory,OpenServiceA,QueryServiceConfigA,GetProcessHeap,HeapAlloc,QueryServiceConfigA,RtlMoveMemory,GetProcessHeap,HeapFree,CloseServiceHandle,GetProcessHeap,HeapFree,CloseServiceHandle, 0_2_00414175
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Code function: OpenSCManagerA,EnumServicesStatusA,GlobalAlloc,EnumServicesStatusA,GlobalFree,CloseServiceHandle, 0_2_00415536
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Code function: OpenSCManagerA,EnumServicesStatusExA,GlobalAlloc,EnumServicesStatusExA,RtlMoveMemory,OpenServiceA,QueryServiceConfigA,GlobalAlloc,QueryServiceConfigA,RtlMoveMemory,GlobalFree,CloseServiceHandle,GlobalFree,CloseServiceHandle, 0_2_00415BE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe API coverage: 1.7 %
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Code function: 0_2_0041F0F0 FindFirstFileA,RemoveDirectoryA,RemoveDirectoryA,DeleteFileA,FindNextFileA,FindClose, 0_2_0041F0F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Code function: 0_2_0041ED60 FindClose,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,FindNextFileA,FindNextFileA, 0_2_0041ED60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Code function: 0_2_00407847 GetLogicalDriveStringsA, 0_2_00407847
Source: Amcache.hve.3.dr Binary or memory string: VMware
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Code function: 0_2_004012AD KiUserExceptionDispatcher,GetSystemMetrics,LoadLibraryA,GetProcAddress,CreateFileA, 0_2_004012AD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Code function: 0_2_0041D500 GetProcessHeap,RtlAllocateHeap,MessageBoxA, 0_2_0041D500
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Code function: 0_2_004022EE SetUnhandledExceptionFilter, 0_2_004022EE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Code function: 0_2_0040234C SetUnhandledExceptionFilter, 0_2_0040234C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Code function: 0_2_00420290 cpuid 0_2_00420290
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Code function: 0_2_0041D770 GetVersionExA, 0_2_0041D770
Source: Amcache.hve.3.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: MsMpEng.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe Code function: \cmd.exe 0_2_00410A09
No contacted IP infos