Windows Analysis Report
SecuriteInfo.com.FileRepMalware.16359.15944.exe

Overview

General Information

Sample name: SecuriteInfo.com.FileRepMalware.16359.15944.exe
Analysis ID: 1542662
MD5: 1ef81575c0f526800283239b2469818d
SHA1: 16509b0ae23980c3d49afe176d61e770affd8112
SHA256: bf5ae3f1cfe10e6772e1ca445a9a49280141746d9a5a72bccfe3eb5786a6c9a0
Tags: exe
Infos:

Detection

Score: 45
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 47
Range: 0 - 100

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Contains functionality to log keystrokes (.Net Source)
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\jusched32.exe ReversingLabs: Detection: 25%
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe ReversingLabs: Detection: 62%
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.FileRepMalware.16359.15944.exe ReversingLabs: Detection: 60%
Source: SecuriteInfo.com.FileRepMalware.16359.15944.exe Virustotal: Detection: 67% Perma Link

Compliance
barindex
Uses 32bit PE files
Source: SecuriteInfo.com.FileRepMalware.16359.15944.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: SecuriteInfo.com.FileRepMalware.16359.15944.exe Static PE information: certificate valid
Source: SecuriteInfo.com.FileRepMalware.16359.15944.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\JenkinsWorkspaces\trebuchet-stage-release\AWSDotNetPublic\sdk\src\Core\obj\AWSSDK.Core.Net35\Release\net35\AWSSDK.Core.pdbSHA256 source: SecuriteInfo.com.FileRepMalware.16359.15944.exe, 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp, AWSSDK.Core.dll.0.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net35/Newtonsoft.Json.pdbSHA256 source: mssched.exe, 00000004.00000002.3325444659.000001FC2FAB2000.00000002.00000001.01000000.0000000E.sdmp, Newtonsoft.Json.dll.0.dr
Source: Binary string: C:\Users\bryan\source\repos\pctattletalewindowsjusched\jusched32\obj\Debug\jusched32.pdb source: jusched32.exe.0.dr
Source: Binary string: C:\Users\bryan\source\repos\pctattletalewindows\PCTTRecorder\obj\Debug\mssched.pdb,g source: mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe.0.dr
Source: Binary string: 35\Release\net35\AWSSDK.Core.pdb source: SecuriteInfo.com.FileRepMalware.16359.15944.exe, 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: D:\JenkinsWorkspaces\trebuchet-stage-release\AWSDotNetPublic\sdk\src\Services\S3\obj\AWSSDK.S3.Net35\Release\net35\AWSSDK.S3.pdbSHA256t source: AWSSDK.S3.dll.0.dr
Source: Binary string: C:\Users\bryan\source\repos\KillProcPCTT\KillProcPCTT\obj\Debug\KillProcPCTT.pdba*{* m*_CorExeMainmscoree.dll source: KillProcPCTT.exe, 00000002.00000000.2071056452.00000000003C2000.00000002.00000001.01000000.00000004.sdmp, KillProcPCTT.exe.0.dr
Source: Binary string: C:\Users\bryan\source\repos\pctattletalewindows\PCTTRecorder\obj\Debug\mssched.pdb source: mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe.0.dr
Source: Binary string: D:\JenkinsWorkspaces\trebuchet-stage-release\AWSDotNetPublic\sdk\src\Core\obj\AWSSDK.Core.Net35\Release\net35\AWSSDK.Core.pdb source: SecuriteInfo.com.FileRepMalware.16359.15944.exe, 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp, AWSSDK.Core.dll.0.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net35/Newtonsoft.Json.pdb source: mssched.exe, 00000004.00000002.3325444659.000001FC2FAB2000.00000002.00000001.01000000.0000000E.sdmp, Newtonsoft.Json.dll.0.dr
Source: Binary string: 35\Release\net35\AWSSDK.Core.pdbSHA256 source: SecuriteInfo.com.FileRepMalware.16359.15944.exe, 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Users\bryan\source\repos\KillProcPCTT\KillProcPCTT\obj\Debug\KillProcPCTT.pdb source: KillProcPCTT.exe, 00000002.00000000.2071056452.00000000003C2000.00000002.00000001.01000000.00000004.sdmp, KillProcPCTT.exe.0.dr
Source: Binary string: .pdb source: AWSSDK.S3.dll.0.dr
Source: Binary string: D:\JenkinsWorkspaces\trebuchet-stage-release\AWSDotNetPublic\sdk\src\Services\S3\obj\AWSSDK.S3.Net35\Release\net35\AWSSDK.S3.pdb source: AWSSDK.S3.dll.0.dr
Source: Binary string: C:\Users\norritb\Documents\git\NsisDotNetChecker\plugin\Release\DotNetChecker.pdb source: DotNetChecker.dll.0.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C49
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Code function: 0_2_00406873 FindFirstFileW,FindClose, 0_2_00406873
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Code function: 4x nop then jmp 00007FF848E72B09h 4_2_00007FF848E70A7A
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Code function: 4x nop then jmp 00007FF848E72B09h 4_2_00007FF848E72A75
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Code function: 4x nop then jmp 00007FF848E71806h 4_2_00007FF848E7165F
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Code function: 4x nop then jmp 00007FF848E91806h 6_2_00007FF848E91606
Source: AWSSDK.Core.dll.0.dr String found in binary or memory: http://169.254.169.254
Source: AWSSDK.Core.dll.0.dr String found in binary or memory: http://169.254.170.2
Source: AWSSDK.Core.dll.0.dr String found in binary or memory: http://169.254.170.2aUnable
Source: Newtonsoft.Json.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Newtonsoft.Json.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Newtonsoft.Json.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: mssched.exe, 00000006.00000002.2191523893.00000125CA7FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.16359.15944.exe, jusched32.exe.0.dr, KillProcPCTT.exe.0.dr, mssched.exe.0.dr String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: mssched.exe, 00000004.00000002.3324489153.000001FC2E3B0000.00000004.00000020.00020000.00000000.sdmp, mssched.exe, 00000006.00000002.2196206672.00000125E4BD0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: mssched.exe, 00000004.00000002.3321706794.000001FC14059000.00000004.00000020.00020000.00000000.sdmp, mssched.exe, 00000006.00000002.2191893132.00000125CA9F5000.00000004.00000020.00020000.00000000.sdmp, mssched.exe, 00000006.00000002.2191523893.00000125CA7FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.16359.15944.exe, jusched32.exe.0.dr, KillProcPCTT.exe.0.dr, mssched.exe.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: mssched.exe, 00000006.00000002.2191893132.00000125CA9F5000.00000004.00000020.00020000.00000000.sdmp, mssched.exe, 00000006.00000002.2191523893.00000125CA7FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.16359.15944.exe, jusched32.exe.0.dr, KillProcPCTT.exe.0.dr, mssched.exe.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: Newtonsoft.Json.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Newtonsoft.Json.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: Newtonsoft.Json.dll.0.dr String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: Newtonsoft.Json.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Newtonsoft.Json.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Newtonsoft.Json.dll.0.dr String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: Newtonsoft.Json.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: mssched.exe, 00000004.00000002.3321706794.000001FC14059000.00000004.00000020.00020000.00000000.sdmp, mssched.exe, 00000006.00000002.2191893132.00000125CA9F5000.00000004.00000020.00020000.00000000.sdmp, mssched.exe, 00000006.00000002.2191523893.00000125CA7FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.16359.15944.exe, jusched32.exe.0.dr, KillProcPCTT.exe.0.dr, mssched.exe.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: mssched.exe, 00000006.00000002.2191893132.00000125CA9F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.16359.15944.exe, jusched32.exe.0.dr, KillProcPCTT.exe.0.dr, mssched.exe.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: AWSSDK.S3.dll.0.dr String found in binary or memory: http://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html)
Source: AWSSDK.Core.dll.0.dr String found in binary or memory: http://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/net-dg-config-creds.html
Source: Newtonsoft.Json.dll.0.dr String found in binary or memory: http://james.newtonking.com/projects/json
Source: SecuriteInfo.com.FileRepMalware.16359.15944.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: SecuriteInfo.com.FileRepMalware.16359.15944.exe, jusched32.exe.0.dr, KillProcPCTT.exe.0.dr, mssched.exe.0.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: Newtonsoft.Json.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: Newtonsoft.Json.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0K
Source: Newtonsoft.Json.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: Newtonsoft.Json.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: mssched.exe, 00000004.00000002.3321706794.000001FC14059000.00000004.00000020.00020000.00000000.sdmp, mssched.exe, 00000006.00000002.2191893132.00000125CA9F5000.00000004.00000020.00020000.00000000.sdmp, mssched.exe, 00000006.00000002.2191523893.00000125CA7FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.16359.15944.exe, jusched32.exe.0.dr, KillProcPCTT.exe.0.dr, mssched.exe.0.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe.0.dr String found in binary or memory: http://pctattletale.com/amazonfix.php
Source: AWSSDK.S3.dll.0.dr String found in binary or memory: http://s3.amazonaws.com/doc/2006-03-01/
Source: mssched.exe, 00000004.00000002.3322345709.000001FC15A14000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe.0.dr String found in binary or memory: http://www.pctattletale.com/members/autologinfirstrun.php?AuthKey=
Source: mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe.0.dr String found in binary or memory: http://www.pctattletale.com/members/forgotpassword.php
Source: mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe, 00000004.00000002.3322345709.000001FC15AA7000.00000004.00000800.00020000.00000000.sdmp, mssched.exe.0.dr String found in binary or memory: http://www.pctattletale.com/removal.php
Source: AWSSDK.Core.dll.0.dr String found in binary or memory: https://ip-ranges.amazonaws.com/ip-ranges.json
Source: mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe.0.dr String found in binary or memory: https://pctattletale.com/app/Authenticationv14.php/AddComputer
Source: mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe.0.dr String found in binary or memory: https://pctattletale.com/app/Authenticationv14.php/AddExclusionAccount
Source: mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe.0.dr String found in binary or memory: https://pctattletale.com/app/Authenticationv14.php/CreateAccount
Source: mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe.0.dr String found in binary or memory: https://pctattletale.com/app/Authenticationv14.php/DeleteComputer
Source: mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe.0.dr String found in binary or memory: https://pctattletale.com/app/Authenticationv14.php/GetComputerStatus
Source: mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe.0.dr String found in binary or memory: https://pctattletale.com/app/Authenticationv14.php/SendKeyStrokes
Source: mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe.0.dr String found in binary or memory: https://pctattletale.com/members/signup.php?source=PCTTSiteWinDownloadqhttp://www.pctattletale.com/m
Source: mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe, 00000004.00000002.3322345709.000001FC15941000.00000004.00000800.00020000.00000000.sdmp, mssched.exe, 00000006.00000002.2192544443.00000125CC3A1000.00000004.00000800.00020000.00000000.sdmp, mssched.exe.0.dr String found in binary or memory: https://pctattletale.com:443/app/Authenticationv14.php
Source: mssched.exe, 00000004.00000002.3321706794.000001FC14059000.00000004.00000020.00020000.00000000.sdmp, mssched.exe, 00000006.00000002.2191893132.00000125CA9F5000.00000004.00000020.00020000.00000000.sdmp, mssched.exe, 00000006.00000002.2191523893.00000125CA7FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.16359.15944.exe, jusched32.exe.0.dr, KillProcPCTT.exe.0.dr, mssched.exe.0.dr String found in binary or memory: https://sectigo.com/CPS0
Source: Newtonsoft.Json.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: Newtonsoft.Json.dll.0.dr String found in binary or memory: https://www.newtonsoft.com/json
Source: Newtonsoft.Json.dll.0.dr String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: Newtonsoft.Json.dll.0.dr String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: mssched.exe.0.dr, UserActivityHook.cs .Net Code: Start
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Code function: 0_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004056DE
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,CoUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040352D
Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Code function: 0_2_0040755C 0_2_0040755C
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Code function: 0_2_00406D85 0_2_00406D85
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Code function: 4_2_00007FF848E75D5F 4_2_00007FF848E75D5F
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Code function: 4_2_00007FF848E754DC 4_2_00007FF848E754DC
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.FileRepMalware.16359.15944.exe, 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAWSSDK.Core.dllb! vs SecuriteInfo.com.FileRepMalware.16359.15944.exe
Uses 32bit PE files
Source: SecuriteInfo.com.FileRepMalware.16359.15944.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: mssched.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: AWSSDK.Core.dll.0.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal45.spyw.winEXE@7/13@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,CoUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040352D
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Code function: 0_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_0040498A
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\KillProcPCTT.exe.log Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1848:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe File created: C:\Users\user\AppData\Local\Temp\nsq505C.tmp Jump to behavior
Source: SecuriteInfo.com.FileRepMalware.16359.15944.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: SecuriteInfo.com.FileRepMalware.16359.15944.exe ReversingLabs: Detection: 60%
Source: SecuriteInfo.com.FileRepMalware.16359.15944.exe Virustotal: Detection: 67%
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe" -f SecuriteInfo.com.FileRepMalware.16359.15944.exe
Source: unknown Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Process created: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe "C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe" -f SecuriteInfo.com.FileRepMalware.16359.15944.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: dataexchange.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: SecuriteInfo.com.FileRepMalware.16359.15944.exe Static PE information: certificate valid
Source: SecuriteInfo.com.FileRepMalware.16359.15944.exe Static file information: File size 1585816 > 1048576
Source: SecuriteInfo.com.FileRepMalware.16359.15944.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\JenkinsWorkspaces\trebuchet-stage-release\AWSDotNetPublic\sdk\src\Core\obj\AWSSDK.Core.Net35\Release\net35\AWSSDK.Core.pdbSHA256 source: SecuriteInfo.com.FileRepMalware.16359.15944.exe, 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp, AWSSDK.Core.dll.0.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net35/Newtonsoft.Json.pdbSHA256 source: mssched.exe, 00000004.00000002.3325444659.000001FC2FAB2000.00000002.00000001.01000000.0000000E.sdmp, Newtonsoft.Json.dll.0.dr
Source: Binary string: C:\Users\bryan\source\repos\pctattletalewindowsjusched\jusched32\obj\Debug\jusched32.pdb source: jusched32.exe.0.dr
Source: Binary string: C:\Users\bryan\source\repos\pctattletalewindows\PCTTRecorder\obj\Debug\mssched.pdb,g source: mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe.0.dr
Source: Binary string: 35\Release\net35\AWSSDK.Core.pdb source: SecuriteInfo.com.FileRepMalware.16359.15944.exe, 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: D:\JenkinsWorkspaces\trebuchet-stage-release\AWSDotNetPublic\sdk\src\Services\S3\obj\AWSSDK.S3.Net35\Release\net35\AWSSDK.S3.pdbSHA256t source: AWSSDK.S3.dll.0.dr
Source: Binary string: C:\Users\bryan\source\repos\KillProcPCTT\KillProcPCTT\obj\Debug\KillProcPCTT.pdba*{* m*_CorExeMainmscoree.dll source: KillProcPCTT.exe, 00000002.00000000.2071056452.00000000003C2000.00000002.00000001.01000000.00000004.sdmp, KillProcPCTT.exe.0.dr
Source: Binary string: C:\Users\bryan\source\repos\pctattletalewindows\PCTTRecorder\obj\Debug\mssched.pdb source: mssched.exe, 00000004.00000000.2091397832.000001FC13C72000.00000002.00000001.01000000.00000008.sdmp, mssched.exe.0.dr
Source: Binary string: D:\JenkinsWorkspaces\trebuchet-stage-release\AWSDotNetPublic\sdk\src\Core\obj\AWSSDK.Core.Net35\Release\net35\AWSSDK.Core.pdb source: SecuriteInfo.com.FileRepMalware.16359.15944.exe, 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp, AWSSDK.Core.dll.0.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net35/Newtonsoft.Json.pdb source: mssched.exe, 00000004.00000002.3325444659.000001FC2FAB2000.00000002.00000001.01000000.0000000E.sdmp, Newtonsoft.Json.dll.0.dr
Source: Binary string: 35\Release\net35\AWSSDK.Core.pdbSHA256 source: SecuriteInfo.com.FileRepMalware.16359.15944.exe, 00000000.00000002.2092551285.000000000040A000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: C:\Users\bryan\source\repos\KillProcPCTT\KillProcPCTT\obj\Debug\KillProcPCTT.pdb source: KillProcPCTT.exe, 00000002.00000000.2071056452.00000000003C2000.00000002.00000001.01000000.00000004.sdmp, KillProcPCTT.exe.0.dr
Source: Binary string: .pdb source: AWSSDK.S3.dll.0.dr
Source: Binary string: D:\JenkinsWorkspaces\trebuchet-stage-release\AWSDotNetPublic\sdk\src\Services\S3\obj\AWSSDK.S3.Net35\Release\net35\AWSSDK.S3.pdb source: AWSSDK.S3.dll.0.dr
Source: Binary string: C:\Users\norritb\Documents\git\NsisDotNetChecker\plugin\Release\DotNetChecker.pdb source: DotNetChecker.dll.0.dr
Binary contains a suspicious time stamp
Source: KillProcPCTT.exe.0.dr Static PE information: 0x8FC92EDE [Mon Jun 11 10:43:42 2046 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Code function: 4_2_00007FF848E75976 push edi; retf 4_2_00007FF848E759D6
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Code function: 4_2_00007FF848E700BD pushad ; iretd 4_2_00007FF848E700C1
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Code function: 4_2_00007FF848E72021 push ebx; iretd 4_2_00007FF848E7203A
Source: mssched.exe.0.dr Static PE information: section name: .text entropy: 7.467575341224463
Drops PE files
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\AWSSDK.S3.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\jusched32.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\AWSSDK.Core.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe File created: C:\Users\user\AppData\Local\Temp\nsl5176.tmp\DotNetChecker.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run scheduler Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run scheduler Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe Memory allocated: 2500000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe Memory allocated: 26E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe Memory allocated: 2520000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Memory allocated: 1FC13FB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Memory allocated: 1FC2D940000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Memory allocated: 125CA9E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Memory allocated: 125E43A0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\AWSSDK.S3.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\jusched32.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\AWSSDK.Core.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsl5176.tmp\DotNetChecker.dll Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe TID: 7104 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe TID: 6980 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C49
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Code function: 0_2_00406873 FindFirstFileW,FindClose, 0_2_00406873
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: SecuriteInfo.com.FileRepMalware.16359.15944.exe, 00000000.00000002.2092806026.000000000060F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe API call chain: ExitProcess graph end node
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe Process token adjusted: Debug Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Process token adjusted: Debug Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe Memory allocated: page read and write | page guard Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe Queries volume information: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\KillProcPCTT.exe VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Queries volume information: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Queries volume information: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\Newtonsoft.Json.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Queries volume information: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.16359.15944.exe Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,CoUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040352D
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Adds / modifies Windows certificates
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\scheduler\mssched.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1542662 Sample: SecuriteInfo.com.FileRepMal... Startdate: 26/10/2024 Architecture: WINDOWS Score: 45 26 Multi AV Scanner detection for dropped file 2->26 28 Multi AV Scanner detection for submitted file 2->28 30 Contains functionality to log keystrokes (.Net Source) 2->30 7 SecuriteInfo.com.FileRepMalware.16359.15944.exe 2 21 2->7         started        10 mssched.exe 3 2->10         started        process3 file4 18 C:\Users\user\AppData\...\DotNetChecker.dll, PE32 7->18 dropped 20 C:\Program Files (x86)\...\mssched.exe, PE32 7->20 dropped 22 C:\Program Files (x86)\...\jusched32.exe, PE32 7->22 dropped 24 4 other files (none is malicious) 7->24 dropped 12 KillProcPCTT.exe 2 7->12         started        14 mssched.exe 10 7->14         started        process5 process6 16 conhost.exe 12->16         started       
No contacted IP infos