Windows Analysis Report
SecuriteInfo.com.FileRepMalware.3248.17662.exe

Overview

General Information

Sample name: SecuriteInfo.com.FileRepMalware.3248.17662.exe
Analysis ID: 1545677
MD5: 485927fe0c19012f31f1ef565254b374
SHA1: af67270688bdaca5c92425ce644f248703f80e41
SHA256: 11d025152433189799f82de6b428f5ceb8ddb47573a38d51c267d48b891d498e
Tags: exe
Infos:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AntiVM3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Downloads files with wrong headers with respect to MIME Content-Type
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain checking for process token information
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.FileRepMalware.3248.17662.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Avira: detection malicious, Label: HEUR/AGEN.1323683
Source: C:\Users\user\AppData\Local\cvchost.exe Avira: detection malicious, Label: HEUR/AGEN.1323683
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\cvchost.exe ReversingLabs: Detection: 28%
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.FileRepMalware.3248.17662.exe ReversingLabs: Detection: 47%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.5% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\cvchost.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: SecuriteInfo.com.FileRepMalware.3248.17662.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Code function: 0_2_00007FF71D1D30EC GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,SetCurrentDirectoryA, 0_2_00007FF71D1D30EC
Source: SecuriteInfo.com.FileRepMalware.3248.17662.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb0#x source: InstallUtil.exe, 00000006.00000002.3354251863.0000000000B98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdbZ source: InstallUtil.exe, 00000006.00000002.3354251863.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: eulUtil.pdbl source: InstallUtil.exe, 00000006.00000002.3354251863.0000000000B98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: InstallUtil.exe, 00000006.00000002.3354251863.0000000000B98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: HP<o8C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000006.00000002.3353785909.0000000000968000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: wextract.pdb source: SecuriteInfo.com.FileRepMalware.3248.17662.exe
Source: Binary string: wextract.pdbGCTL source: SecuriteInfo.com.FileRepMalware.3248.17662.exe
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: seniorcommunicate.exe, 00000001.00000002.2531478782.0000000004D0E000.00000004.00000800.00020000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2531478782.0000000004C25000.00000004.00000800.00020000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2524102736.000000000382C000.00000004.00000800.00020000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2536372238.0000000006150000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: ((.pdb source: InstallUtil.exe, 00000006.00000002.3353785909.0000000000968000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: seniorcommunicate.exe, 00000001.00000002.2531478782.0000000004D0E000.00000004.00000800.00020000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2531478782.0000000004C25000.00000004.00000800.00020000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2524102736.000000000382C000.00000004.00000800.00020000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2536372238.0000000006150000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdb source: InstallUtil.exe, 00000006.00000002.3353785909.0000000000968000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: seniorcommunicate.exe, 00000001.00000002.2531478782.0000000004645000.00000004.00000800.00020000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2538830315.0000000006EE0000.00000004.08000000.00040000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2531478782.0000000004BD7000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdbpv source: InstallUtil.exe, 00000006.00000002.3354251863.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: seniorcommunicate.exe, 00000001.00000002.2531478782.0000000004645000.00000004.00000800.00020000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2538830315.0000000006EE0000.00000004.08000000.00040000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2531478782.0000000004BD7000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbe source: InstallUtil.exe, 00000006.00000002.3354251863.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbpdbtem.pdbc source: InstallUtil.exe, 00000006.00000002.3354251863.0000000000B98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: InstallUtil.exe, 00000006.00000002.3360530165.00000000052F0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb source: InstallUtil.exe, 00000006.00000002.3354251863.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: InstallUtil.exe, 00000006.00000002.3354251863.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdb source: InstallUtil.exe, 00000006.00000002.3354251863.0000000000B98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb.NETFrameworkv4.0.30319InstallUtil.exe source: InstallUtil.exe, 00000006.00000002.3354251863.0000000000C37000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdb} source: InstallUtil.exe, 00000006.00000002.3354251863.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\InstallUtil.pdb' source: InstallUtil.exe, 00000006.00000002.3354251863.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbS source: InstallUtil.exe, 00000006.00000002.3354251863.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: InstallUtil.exe, 00000006.00000002.3354251863.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.PDBp& source: InstallUtil.exe, 00000006.00000002.3354251863.0000000000B98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: @Ho.pdb source: InstallUtil.exe, 00000006.00000002.3353785909.0000000000968000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000006.00000002.3353785909.0000000000968000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdbps source: InstallUtil.exe, 00000006.00000002.3354251863.0000000000B98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000006.00000002.3354251863.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ?HoC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000006.00000002.3353785909.0000000000968000.00000004.00000010.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Code function: 0_2_00007FF71D1D204C FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00007FF71D1D204C

Networking
barindex
Downloads files with wrong headers with respect to MIME Content-Type
Source: http Bad PDF prefix: HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 19:19:01 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Fri, 25 Oct 2024 15:28:31 GMT ETag: "14dc08-6254ec57945c0" Accept-Ranges: bytes Content-Length: 1367048 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/pdf Data Raw: a7 0a 18 02 b5 c3 96 d3 38 cf a1 58 89 4c 2b 78 3a a9 71 82 bc 15 61 17 45 18 df 31 b7 25 78 0c bf d9 cf 89 24 8f 86 02 ad fb 88 be 64 d0 0e a4 a4 8c ba 76 b4 de 75 91 eb 1a 7e 4b dc f1 46 70 0b b6 ba 7d f7 3f a8 a0 49 fc 49 e8 1a 7a 12 af 34 66 75 a6 62 be e2 00 d1 ff e6 db 15 7e b8 8f b9 09 ae 03 15 65 8f d2 0a a4 89 21 54 86 76 dd a1 f8 a1 16 63 cb 74 e9 4d 45 f4 b7 d9 e9 4a de 15 e3 b7 59 f4 9f 2c 1b 41 13 4e 6b d3 93 a2 32 f4 74 5a a8 ea 56 61 89 a4 a6 24 08 97 b5 a5 6c 68 30 cf 89 15 c2 86 7c f8 3e 24 eb 0d e6 ca 5e 06 26 09 6b 8b 73 08 94 4e 5b 03 9f 6c a3 24 1c 6b d2 d1 7c 49 28 98 23 43 2e 56 df 0b b8 6e d6 28 9d 18 15 f5 4b b0 c3 71 1f 29 d6 3c 6a 78 50 05 1a 93 20 67 f6 28 ff f4 d8 90 dc 34 e4 6a 33 94 83 5e 01 bc 61 74 ba b3 b3 2c 21 36 70 a4 84 23 c7 6c d9 ae be ec 0e 55 f6 f0 ea 3f 15 56 16 9b d1 3e b3 a4 e3 e4 7d f4 d5 57 7b 69 d7 2f df b3 8e 60 e9 09 0c 52 ea 44 2e f4 43 d4 fe ff ce d5 a8 0d 13 75 7f 33 47 47 e7 29 f9 a6 d5 23 ba b4 34 6b 16 ac 0a 93 f9 1d fc 23 09 f2 bf 5b 19 2a db 23 c2 43 a5 53 e7 78 59 70 c0 7f ee 84 e3 19 79 89 35 92 c1 b0 8d 13 9d e7 19 3b 3d cf b9 d0 cf 20 ec d4 f8 67 85 ef 5d fb ea ef 44 e0 42 7d 04 65 15 de e8 3c 0d 98 39 9e aa 7a b3 a9 5d ec be 0f c0 61 35 72 b3 a9 98 89 ef 30 84 d9 33 2a d2 59 1f ad ff 62 b2 b9 65 32 c1 54 38 f7 39 c3 42 0a 0f 99 5c 42 3c bb a7 89 1e da 6c 12 df 8b 25 68 f5 ed f9 7f 5e 58 c0 3c 5d ba 13 22 63 9d 0c 79 fe e8 24 db 4f 10 71 70 20 af 29 8d 95 ea 12 85 af 81 fb 50 9e f4 ad 59 25 b0 33 99 39 8b 6b fb 13 57 b4 f6 37 0d 1b c8 07 05 71 6e 6a 8b 94 f2 3f 01 68 c3 07 c5 cd f6 3c 69 e2 d9 e2 09 e0 9f 11 0d f7 6c 56 91 78 78 d0 1e 9f bd 2f cf fe fc af 67 ca e4 4a b8 fe 76 2c 54 3f 72 d7 19 fc 81 2b 53 ec a2 96 ba 3e 9c 3f 5e d3 a3 45 e1 c5 10 29 4a 0e dd 14 3a 3d b2 b0 de bd bb 47 37 e6 77 5f 66 b3 b4 01 bd 81 38 c4 84 9d f4 8d 18 f9 33 68 ce 7a 25 8e e6 1f 2a 39 c9 ae 03 de ea 08 29 10 72 c2 99 41 f2 54 cd bf bb 35 63 a1 87 c2 60 ab 2f ad d3 c8 43 35 ed 53 61 27 44 fe 5f 08 92 47 2f 26 e0 09 c6 17 96 18 b3 f8 e8 39 de 3d bd 76 34 bd f6 3e a8 48 41 5a ae d0 1d 2c ab 6b 8a a5 ac a8 06 68 0e 52 09 43 0b 38 75 8d 1f 6a 46 e2 3c 45 8a 3b 44 93 d9 de 7f f4 a2 08 ec 8b 9d 2c d8 fc 1e 38 09 e1 fa 3a 56 f7 91 df 05 2c f8 1d a3 16 29 ff c3 e3 2d 31 7d d2 ef d4 bf b5 09 a9 14 60 cb 69 65 d4 f8 3c 98 f3 c5 48 39 ea 20 54 7c ed c9 46 93 26 b1 c2 43 46 89 26 44 29 7c b8 90 44 b5 d3 1f 2e e1 ab a0 cb 44 9b da 1d f7 da c2 ca 04 a6 74 e1 20 3c 95 dc db bd 55 7c c3 7c 4b 2e 6c 24 ea 21 33 8b a7 19 e4 d6 de 08 dd a8 12 6a 48 7c 30 b1 f6 c5 51 5f ce 37 c1 84 ad d2 7c d5 14 d9 18 fc 75 41 46 8f 44 9b 6c a6 2e 35 2a 99 42 94 f8 a8 f1 99 6a 0c 00 61 aa 62 0a a4 01 26 10 dd 44 b4 e9 65 14 4b 8c 19 f5 8d 1a bd 34 e
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /spool01/Rhxkjsv.pdf HTTP/1.1Host: 46.8.237.66Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.237.66
Source: global traffic HTTP traffic detected: GET /spool01/Rhxkjsv.pdf HTTP/1.1Host: 46.8.237.66Connection: Keep-Alive
Source: seniorcommunicate.exe, 00000001.00000002.2524102736.00000000032D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://46.8.237.66
Source: seniorcommunicate.exe, 00000001.00000002.2524102736.00000000032D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://46.8.237.66/spool01/Rhxkjsv.pdf
Source: SecuriteInfo.com.FileRepMalware.3248.17662.exe, 00000000.00000003.2106622974.000001B8E6C12000.00000004.00000020.00020000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000000.2106899462.0000000000FB2000.00000002.00000001.01000000.00000004.sdmp, seniorcommunicate.exe, 00000001.00000002.2536908495.0000000006B0E000.00000004.00000020.00020000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2524102736.000000000382C000.00000004.00000800.00020000.00000000.sdmp, seniorcommunicate.exe.0.dr, cvchost.exe.1.dr String found in binary or memory: http://46.8.237.66/spool01/Rhxkjsv.pdfV
Source: SecuriteInfo.com.FileRepMalware.3248.17662.exe, 00000000.00000003.2106705295.000001B8E4E17000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.3248.17662.exe, 00000000.00000003.2106622974.000001B8E6C12000.00000004.00000020.00020000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2536908495.0000000006B0E000.00000004.00000020.00020000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2524102736.000000000382C000.00000004.00000800.00020000.00000000.sdmp, seniorcommunicate.exe.0.dr, cvchost.exe.1.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.FileRepMalware.3248.17662.exe, 00000000.00000003.2106705295.000001B8E4E17000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.3248.17662.exe, 00000000.00000003.2106622974.000001B8E6C12000.00000004.00000020.00020000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2536908495.0000000006B0E000.00000004.00000020.00020000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2524102736.000000000382C000.00000004.00000800.00020000.00000000.sdmp, seniorcommunicate.exe.0.dr, cvchost.exe.1.dr String found in binary or memory: http://ocsp.thawte.com0
Source: seniorcommunicate.exe, 00000001.00000002.2524102736.00000000032D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.FileRepMalware.3248.17662.exe, 00000000.00000003.2106705295.000001B8E4E17000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.3248.17662.exe, 00000000.00000003.2106622974.000001B8E6C12000.00000004.00000020.00020000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2536908495.0000000006B0E000.00000004.00000020.00020000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2524102736.000000000382C000.00000004.00000800.00020000.00000000.sdmp, seniorcommunicate.exe.0.dr, cvchost.exe.1.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SecuriteInfo.com.FileRepMalware.3248.17662.exe, 00000000.00000003.2106705295.000001B8E4E17000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.3248.17662.exe, 00000000.00000003.2106622974.000001B8E6C12000.00000004.00000020.00020000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2536908495.0000000006B0E000.00000004.00000020.00020000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2524102736.000000000382C000.00000004.00000800.00020000.00000000.sdmp, seniorcommunicate.exe.0.dr, cvchost.exe.1.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SecuriteInfo.com.FileRepMalware.3248.17662.exe, 00000000.00000003.2106705295.000001B8E4E17000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.3248.17662.exe, 00000000.00000003.2106622974.000001B8E6C12000.00000004.00000020.00020000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2536908495.0000000006B0E000.00000004.00000020.00020000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2524102736.000000000382C000.00000004.00000800.00020000.00000000.sdmp, seniorcommunicate.exe.0.dr, cvchost.exe.1.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: seniorcommunicate.exe, 00000001.00000002.2531478782.0000000004645000.00000004.00000800.00020000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2538830315.0000000006EE0000.00000004.08000000.00040000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2531478782.0000000004BD7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: seniorcommunicate.exe, 00000001.00000002.2531478782.0000000004645000.00000004.00000800.00020000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2538830315.0000000006EE0000.00000004.08000000.00040000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2531478782.0000000004BD7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: seniorcommunicate.exe, 00000001.00000002.2531478782.0000000004645000.00000004.00000800.00020000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2538830315.0000000006EE0000.00000004.08000000.00040000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2531478782.0000000004BD7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: seniorcommunicate.exe, 00000001.00000002.2531478782.0000000004645000.00000004.00000800.00020000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2538830315.0000000006EE0000.00000004.08000000.00040000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2531478782.0000000004BD7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: seniorcommunicate.exe, 00000001.00000002.2531478782.0000000004645000.00000004.00000800.00020000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2538830315.0000000006EE0000.00000004.08000000.00040000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2531478782.0000000004BD7000.00000004.00000800.00020000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2524102736.0000000003363000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: seniorcommunicate.exe, 00000001.00000002.2531478782.0000000004645000.00000004.00000800.00020000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2538830315.0000000006EE0000.00000004.08000000.00040000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2531478782.0000000004BD7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Code function: 0_2_00007FF71D1D2C54 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle, 0_2_00007FF71D1D2C54
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Code function: 0_2_00007FF71D1D1C0C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx, 0_2_00007FF71D1D1C0C
Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Code function: 0_2_00007FF71D1D1D28 0_2_00007FF71D1D1D28
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Code function: 0_2_00007FF71D1D5D90 0_2_00007FF71D1D5D90
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Code function: 0_2_00007FF71D1D66C4 0_2_00007FF71D1D66C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Code function: 0_2_00007FF71D1D40C4 0_2_00007FF71D1D40C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Code function: 0_2_00007FF71D1D6CA4 0_2_00007FF71D1D6CA4
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Code function: 0_2_00007FF71D1D2DB4 0_2_00007FF71D1D2DB4
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Code function: 0_2_00007FF71D1D3530 0_2_00007FF71D1D3530
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Code function: 0_2_00007FF71D1D1C0C 0_2_00007FF71D1D1C0C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Code function: 1_2_0194E0E8 1_2_0194E0E8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Code function: 1_2_01941A83 1_2_01941A83
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Code function: 1_2_0194A930 1_2_0194A930
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Code function: 1_2_0194A921 1_2_0194A921
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Code function: 1_2_0194A841 1_2_0194A841
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Code function: 1_2_01941A83 1_2_01941A83
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Code function: 1_2_01949E90 1_2_01949E90
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Code function: 1_2_01949EA0 1_2_01949EA0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Code function: 1_2_061B3740 1_2_061B3740
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Code function: 1_2_061B0592 1_2_061B0592
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Code function: 1_2_061B68D0 1_2_061B68D0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Code function: 1_2_061B3731 1_2_061B3731
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Code function: 1_2_061B0448 1_2_061B0448
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Code function: 1_2_061BABBF 1_2_061BABBF
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Code function: 1_2_0794F1E8 1_2_0794F1E8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Code function: 1_2_0794E560 1_2_0794E560
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Code function: 1_2_07930006 1_2_07930006
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Code function: 1_2_07930040 1_2_07930040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_00B43088 6_2_00B43088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_00B47590 6_2_00B47590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_00B448E0 6_2_00B448E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_00B448D1 6_2_00B448D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_00B4307A 6_2_00B4307A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_00B4758E 6_2_00B4758E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_051F6360 6_2_051F6360
One or more processes crash
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 1172
PE file contains executable resources (Code or Archives)
Source: SecuriteInfo.com.FileRepMalware.3248.17662.exe Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, Windows 2000/XP setup, 36778 bytes, 1 file, at 0x2c +A "seniorcommunicate.exe", ID 2197, number 1, 2 datablocks, 0x1503 compression
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.FileRepMalware.3248.17662.exe Binary or memory string: OriginalFilename vs SecuriteInfo.com.FileRepMalware.3248.17662.exe
Source: SecuriteInfo.com.FileRepMalware.3248.17662.exe, 00000000.00000003.2106705295.000001B8E4E17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameseniorcommunicate.exe" vs SecuriteInfo.com.FileRepMalware.3248.17662.exe
Source: SecuriteInfo.com.FileRepMalware.3248.17662.exe, 00000000.00000000.2106170825.00007FF71D1DE000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs SecuriteInfo.com.FileRepMalware.3248.17662.exe
Source: SecuriteInfo.com.FileRepMalware.3248.17662.exe, 00000000.00000003.2106622974.000001B8E6C12000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameseniorcommunicate.exe" vs SecuriteInfo.com.FileRepMalware.3248.17662.exe
Source: SecuriteInfo.com.FileRepMalware.3248.17662.exe Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs SecuriteInfo.com.FileRepMalware.3248.17662.exe
Source: seniorcommunicate.exe.0.dr, OrderComposerExporter.cs Cryptographic APIs: 'CreateDecryptor'
Source: cvchost.exe.1.dr, OrderComposerExporter.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.seniorcommunicate.exe.48105e8.7.raw.unpack, YSPvguVwPoZuGH59OUX.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.seniorcommunicate.exe.48105e8.7.raw.unpack, YSPvguVwPoZuGH59OUX.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.seniorcommunicate.exe.48105e8.7.raw.unpack, YSPvguVwPoZuGH59OUX.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.seniorcommunicate.exe.48105e8.7.raw.unpack, YSPvguVwPoZuGH59OUX.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.seniorcommunicate.exe.4587ca0.6.raw.unpack, rjm77BLgSlS4gfsq4b.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.seniorcommunicate.exe.4587ca0.6.raw.unpack, lVPThIaqfiNX7UqKFF.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.seniorcommunicate.exe.4587ca0.6.raw.unpack, lVPThIaqfiNX7UqKFF.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.seniorcommunicate.exe.4587ca0.6.raw.unpack, eEMbGORUaTTyJOqnkhL.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.seniorcommunicate.exe.4587ca0.6.raw.unpack, eEMbGORUaTTyJOqnkhL.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.seniorcommunicate.exe.6150000.10.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 1.2.seniorcommunicate.exe.6150000.10.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 1.2.seniorcommunicate.exe.6150000.10.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 1.2.seniorcommunicate.exe.6150000.10.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 1.2.seniorcommunicate.exe.4cbe598.2.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 1.2.seniorcommunicate.exe.4cbe598.2.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 1.2.seniorcommunicate.exe.4cbe598.2.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 1.2.seniorcommunicate.exe.6150000.10.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 1.2.seniorcommunicate.exe.6150000.10.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 1.2.seniorcommunicate.exe.6150000.10.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 1.2.seniorcommunicate.exe.4cbe598.2.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 1.2.seniorcommunicate.exe.6150000.10.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.seniorcommunicate.exe.4cbe598.2.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 1.2.seniorcommunicate.exe.4cbe598.2.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.seniorcommunicate.exe.4cbe598.2.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 1.2.seniorcommunicate.exe.4cbe598.2.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 1.2.seniorcommunicate.exe.6150000.10.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 1.2.seniorcommunicate.exe.6150000.10.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: classification engine Classification label: mal100.expl.evad.winEXE@7/3@0/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Code function: 0_2_00007FF71D1D473C CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,GetLastError,FormatMessageA, 0_2_00007FF71D1D473C
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Code function: 0_2_00007FF71D1D1C0C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx, 0_2_00007FF71D1D1C0C
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Code function: 0_2_00007FF71D1D66C4 LocalAlloc,LocalFree,lstrcmpA,LocalFree,GetTempPathA,GetDriveTypeA,GetFileAttributesA,GetDiskFreeSpaceA,MulDiv,GetWindowsDirectoryA,GetFileAttributesA,CreateDirectoryA,SetFileAttributesA,GetWindowsDirectoryA, 0_2_00007FF71D1D66C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Code function: 0_2_00007FF71D1D5D90 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,#20,#22,#23,FreeResource,SendMessageA, 0_2_00007FF71D1D5D90
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvchost.vbs Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4620:64:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP Jump to behavior
Source: SecuriteInfo.com.FileRepMalware.3248.17662.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Source: SecuriteInfo.com.FileRepMalware.3248.17662.exe ReversingLabs: Detection: 47%
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe
Source: unknown Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 1172
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Section loaded: feclient.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Section loaded: advpack.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: SecuriteInfo.com.FileRepMalware.3248.17662.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.FileRepMalware.3248.17662.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.FileRepMalware.3248.17662.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.FileRepMalware.3248.17662.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.FileRepMalware.3248.17662.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.FileRepMalware.3248.17662.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.FileRepMalware.3248.17662.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.FileRepMalware.3248.17662.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.FileRepMalware.3248.17662.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb0#x source: InstallUtil.exe, 00000006.00000002.3354251863.0000000000B98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdbZ source: InstallUtil.exe, 00000006.00000002.3354251863.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: eulUtil.pdbl source: InstallUtil.exe, 00000006.00000002.3354251863.0000000000B98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: InstallUtil.exe, 00000006.00000002.3354251863.0000000000B98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: HP<o8C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000006.00000002.3353785909.0000000000968000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: wextract.pdb source: SecuriteInfo.com.FileRepMalware.3248.17662.exe
Source: Binary string: wextract.pdbGCTL source: SecuriteInfo.com.FileRepMalware.3248.17662.exe
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: seniorcommunicate.exe, 00000001.00000002.2531478782.0000000004D0E000.00000004.00000800.00020000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2531478782.0000000004C25000.00000004.00000800.00020000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2524102736.000000000382C000.00000004.00000800.00020000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2536372238.0000000006150000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: ((.pdb source: InstallUtil.exe, 00000006.00000002.3353785909.0000000000968000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: seniorcommunicate.exe, 00000001.00000002.2531478782.0000000004D0E000.00000004.00000800.00020000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2531478782.0000000004C25000.00000004.00000800.00020000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2524102736.000000000382C000.00000004.00000800.00020000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2536372238.0000000006150000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdb source: InstallUtil.exe, 00000006.00000002.3353785909.0000000000968000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: seniorcommunicate.exe, 00000001.00000002.2531478782.0000000004645000.00000004.00000800.00020000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2538830315.0000000006EE0000.00000004.08000000.00040000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2531478782.0000000004BD7000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdbpv source: InstallUtil.exe, 00000006.00000002.3354251863.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: seniorcommunicate.exe, 00000001.00000002.2531478782.0000000004645000.00000004.00000800.00020000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2538830315.0000000006EE0000.00000004.08000000.00040000.00000000.sdmp, seniorcommunicate.exe, 00000001.00000002.2531478782.0000000004BD7000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbe source: InstallUtil.exe, 00000006.00000002.3354251863.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbpdbtem.pdbc source: InstallUtil.exe, 00000006.00000002.3354251863.0000000000B98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: InstallUtil.exe, 00000006.00000002.3360530165.00000000052F0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb source: InstallUtil.exe, 00000006.00000002.3354251863.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: InstallUtil.exe, 00000006.00000002.3354251863.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdb source: InstallUtil.exe, 00000006.00000002.3354251863.0000000000B98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb.NETFrameworkv4.0.30319InstallUtil.exe source: InstallUtil.exe, 00000006.00000002.3354251863.0000000000C37000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdb} source: InstallUtil.exe, 00000006.00000002.3354251863.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\InstallUtil.pdb' source: InstallUtil.exe, 00000006.00000002.3354251863.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbS source: InstallUtil.exe, 00000006.00000002.3354251863.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: InstallUtil.exe, 00000006.00000002.3354251863.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.PDBp& source: InstallUtil.exe, 00000006.00000002.3354251863.0000000000B98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: @Ho.pdb source: InstallUtil.exe, 00000006.00000002.3353785909.0000000000968000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000006.00000002.3353785909.0000000000968000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdbps source: InstallUtil.exe, 00000006.00000002.3354251863.0000000000B98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000006.00000002.3354251863.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ?HoC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000006.00000002.3353785909.0000000000968000.00000004.00000010.00020000.00000000.sdmp
Source: SecuriteInfo.com.FileRepMalware.3248.17662.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.FileRepMalware.3248.17662.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.FileRepMalware.3248.17662.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.FileRepMalware.3248.17662.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.FileRepMalware.3248.17662.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: 1.2.seniorcommunicate.exe.48105e8.7.raw.unpack, YSPvguVwPoZuGH59OUX.cs .Net Code: Type.GetTypeFromHandle(QJNfCFtP437ujS306F5.hiY14dNiNh(16777347)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(QJNfCFtP437ujS306F5.hiY14dNiNh(16777252)),Type.GetTypeFromHandle(QJNfCFtP437ujS306F5.hiY14dNiNh(16777284))})
Source: 1.2.seniorcommunicate.exe.4587ca0.6.raw.unpack, eEMbGORUaTTyJOqnkhL.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
.NET source code contains potential unpacker
Source: seniorcommunicate.exe.0.dr, ReaderDatabaseFilter.cs .Net Code: FindTokenizer System.Reflection.Assembly.Load(byte[])
Source: cvchost.exe.1.dr, ReaderDatabaseFilter.cs .Net Code: FindTokenizer System.Reflection.Assembly.Load(byte[])
Source: 1.2.seniorcommunicate.exe.6ee0000.12.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 1.2.seniorcommunicate.exe.6ee0000.12.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 1.2.seniorcommunicate.exe.6ee0000.12.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 1.2.seniorcommunicate.exe.6ee0000.12.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 1.2.seniorcommunicate.exe.6ee0000.12.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: 1.2.seniorcommunicate.exe.4587ca0.6.raw.unpack, rjm77BLgSlS4gfsq4b.cs .Net Code: JvjkJaQCYv0LSdAlKTW System.AppDomain.Load(byte[])
Source: 1.2.seniorcommunicate.exe.6150000.10.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 1.2.seniorcommunicate.exe.6150000.10.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 1.2.seniorcommunicate.exe.6150000.10.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 1.2.seniorcommunicate.exe.4bd7ba8.3.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 1.2.seniorcommunicate.exe.4bd7ba8.3.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 1.2.seniorcommunicate.exe.4bd7ba8.3.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 1.2.seniorcommunicate.exe.4bd7ba8.3.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 1.2.seniorcommunicate.exe.4bd7ba8.3.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: 1.2.seniorcommunicate.exe.4cbe598.2.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 1.2.seniorcommunicate.exe.4cbe598.2.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 1.2.seniorcommunicate.exe.4cbe598.2.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Yara detected Costura Assembly Loader
Source: Yara match File source: 1.2.seniorcommunicate.exe.6fb0000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.seniorcommunicate.exe.4a9df48.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.seniorcommunicate.exe.48105e8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.2539050952.0000000006FB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2524102736.0000000003363000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2531478782.0000000004645000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: seniorcommunicate.exe PID: 6752, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 3796, type: MEMORYSTR
Binary contains a suspicious time stamp
Source: SecuriteInfo.com.FileRepMalware.3248.17662.exe Static PE information: 0xAE1BC4F8 [Tue Jul 25 12:18:00 2062 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Code function: 0_2_00007FF71D1D1D28 memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,LocalAlloc,GetModuleFileNameA,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree, 0_2_00007FF71D1D1D28
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Code function: 1_2_0793616F push ebp; iretd 1_2_07936170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_00B426D5 push cs; retf 6_2_00B426DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_051F350F pushad ; retf 6_2_051F3510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_051F3177 push cs; iretd 6_2_051F317A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_051F3D6F push ss; ret 6_2_051F3D72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_051F081A push BFFFFFF8h; retf 0000h 6_2_051F0824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_051F07C6 push edx; retf 6_2_051F07D4
Source: 1.2.seniorcommunicate.exe.48105e8.7.raw.unpack, jy2mWCZnI5vwjv8QrFU.cs High entropy of concatenated method names: 'OmZZOneVVd', 'nK6Z9j48bC', 'ePsZ46K7mT', 'UsSZYNpIAH', 'TO7Zeu420t', 'mV4ZUCrCAf', 'GuTZuLqtZ5', 'aywZ0fvYxx', 'JFPZklxUBM', 'IhJZ73P67O'
Source: 1.2.seniorcommunicate.exe.48105e8.7.raw.unpack, AssemblyLoader.cs High entropy of concatenated method names: 'CultureToString', 'ReadExistingAssembly', 'CopyTo', 'LoadStream', 'LoadStream', 'ReadStream', 'ReadFromEmbeddedResources', 'ResolveAssembly', 'Attach', 'gbPy6AgqfFLsPNioGdC'
Source: 1.2.seniorcommunicate.exe.48105e8.7.raw.unpack, q6VvtRGP7t4wqeILix1.cs High entropy of concatenated method names: 'TmEGD92LuW', 'diOGHlM7y6', 'hJqGwmSTIQ', 'oyMGdBYKKp', 'X4RGIK7NhV', 'w5ayf7dL6HTZcRRWKnb', 'jnHfnNdYWmpjK0gqJLT', 'UMIN3lde6ZxoX0JVG15', 'OtRVDNdUG7OJu6bP5ec', 'R74fEcduYp2LAQQg2a6'
Source: 1.2.seniorcommunicate.exe.48105e8.7.raw.unpack, FDsVfXVeHoYlGhgf0FK.cs High entropy of concatenated method names: 'hlCVuYBguG', 'uboV01jsDq', 'vC1nqQTwcre5f9aoCSC', 't7n7hOTdlBwGUy9twMW', 'VJIjkoTIajx0ZOLTgNW', 'bIYth1TT3O1ggxZnpe9', 'umn8L1Tg4crah4YhEO0', 'legFRjTmXrGhRgQ8NlB', 'wXrHULTvnqboyFdNYOc', 'bA5rYMTpYWS0XDyhr09'
Source: 1.2.seniorcommunicate.exe.48105e8.7.raw.unpack, SE8nFDtdDofHflqtUYD.cs High entropy of concatenated method names: 'lWptsYiAcm', 'TOktSBGxPG', 'Vo5tfxc1El', 'DEFtFSfPSA', 'RnRt8cOCUL', 'OXQtW9AVKB', 'UDAtXCwA0V', 'IFgtBO6GHc', 'wWdtC52Hyh', 'XwxtbTQ21d'
Source: 1.2.seniorcommunicate.exe.48105e8.7.raw.unpack, QJNfCFtP437ujS306F5.cs High entropy of concatenated method names: 'hiY14dNiNh', 'rTS1LsftI5', 'T7wyahmLtIWhbxxQ4JM', 'MkmbMamYQDTCehhaLot', 'FYniXWmeFEQW71U4hlh', 'v253lhmUI4Yxcsa6bEp', 'g837BbmuPn9ukT6Afd1', 'Hnt2Dym0BIEZU5TJqtV'
Source: 1.2.seniorcommunicate.exe.48105e8.7.raw.unpack, mGJBCYtzHu6W7XgA2oQ.cs High entropy of concatenated method names: 'YByUr9LA4s', 'f6GUNDHeQU', 'GKCURcVXNH', 'jOAU62wmaq', 'fKMUKambQH', 'stUUQqPCDq', 'bByUEVTQUF', 'fuv9jjWqas', 'WL5U3ElJIs', 'SufUPfaNBd'
Source: 1.2.seniorcommunicate.exe.48105e8.7.raw.unpack, YSPvguVwPoZuGH59OUX.cs High entropy of concatenated method names: 'yUWAHhgAHkHV2l6NGoF', 'T9FJuDg5couh1kMSaKb', 'clYttBsqAd', 'H66yUXgsWsDI71Z8FZN', 'elLqZegScOhYW2vS2qs', 'wII13wgfjutPtwYcdfv', 'MO5kLpgFGqh0oIlAEA4', 'YF4Evrg8o462YBEphWm', 'XdofJjgWaLZFZYvCBXx', 'XldlCSgXDjPmVQSZPi0'
Source: 1.2.seniorcommunicate.exe.4587ca0.6.raw.unpack, rjm77BLgSlS4gfsq4b.cs High entropy of concatenated method names: 'crJq5byk6', 'dPLTJhQAY', 'wAbXx6Jm9', 'nJWbElMuk', 'Yq5ASBhXe', 'SHtOMM9H0', 'drF0wlVL2', 'gCdIqsfevJbWougkCJ5', 'XwITJ5fP65HI6IdsrVV', 'CipxiwfzNhb6ZWEkV48'
Source: 1.2.seniorcommunicate.exe.4587ca0.6.raw.unpack, N9fDDdoBjLZYFXgP1np.cs High entropy of concatenated method names: 'qnQozf540E', 'wa9fCEBTBJ', 'Rs4fGfxmc1', 'eC2fRgRtbP', 'IHffnv7H6b', 'TXifo9HfTi', 'U5lfftRQxo', 'kO3fQ8n8wg', 'X9EfEBKi8e', 'rjqf7eFeri'
Source: 1.2.seniorcommunicate.exe.4587ca0.6.raw.unpack, lVPThIaqfiNX7UqKFF.cs High entropy of concatenated method names: 'NcSRFn0JjC', 'ur5Ricsuf1', 'EBVyvW7SZmZ0WniwjyU', 'pvQYnx7tfocMs5ZxhhC', 'mKkJt07Yfc9kjM1Ho6o', 'Fqal8u73ZeNjSAA44uM', 'KZGodp7hm6aITlwJRYN', 'aLOR1RpLrA', 'uf0Rd6EtyF', 'InvKTe7k8eKEisGgJf0'
Source: 1.2.seniorcommunicate.exe.4587ca0.6.raw.unpack, eEMbGORUaTTyJOqnkhL.cs High entropy of concatenated method names: 'lOQx8Ec8phekNreOQyO', 'Ck3ibLcMBcOWabwqWf2', 'q8GouYikdw', 'nxNKBScsFwawOjU5inF', 'u876amcITsUM8oLJaTn', 'GWLQGlc2nOaVC5PZE7u', 'xyy4wMcxNjWx3LBsKkl', 'HgyE2Ececk9tuoKoj4Y', 'KuTRc3cPZntP8rorkkB', 'R1SKcRczJSdUIE3w0j8'
Source: 1.2.seniorcommunicate.exe.4587ca0.6.raw.unpack, Eu8dK5ihrKEXZHH1sc.cs High entropy of concatenated method names: 'eNkuQQyFu', 'lsl1MlhOM', 'rJJdYke5v', 'PMX5UL5Pi', 'S1KtQ9Q6MaUWOTTTGv5', 'VUGm0qQkDTvXjTMPiGE', 'R1mGFdQgMbV3ItawtnN', 'xtp9eIQvYFCpw78WYOI', 'CmWnD7QNjJhYqW79aLK', 'BCWmIaQ9ndUEIS45UKS'
Source: 1.2.seniorcommunicate.exe.4587ca0.6.raw.unpack, ful7MIR8qft3Twvnwvq.cs High entropy of concatenated method names: 'BSXwGZLLAA', 'XfHVqIcggxKn1JZBEk6', 'H7a4AAc9SLqVcqtLcVI', 'XoU4K3crqI0Fmu2gv4j', 'AtV1EccmekmXljUHME6', 'WhY5QacpIAe3oHrjV5b', 'nEy4pJc6UaMoB6LtqOC', 'ACTlIKck68mWSHK0EHg', 'D09U1ecDMdmPGihYxxe', 'QhUTVAcWKPcTZPBionr'
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe File created: C:\Users\user\AppData\Local\cvchost.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Code function: 0_2_00007FF71D1D1684 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, 0_2_00007FF71D1D1684

Boot Survival
barindex
Drops VBS files to the startup folder
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvchost.vbs Jump to dropped file
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvchost.vbs Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvchost.vbs Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: seniorcommunicate.exe PID: 6752, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: seniorcommunicate.exe, 00000001.00000002.2524102736.0000000003363000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Memory allocated: 1940000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Memory allocated: 32D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Memory allocated: 1980000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: B40000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 28C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 48C0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Window / User API: threadDelayed 6898 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Window / User API: threadDelayed 2663 Jump to behavior
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep count: 38 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -35048813740048126s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4784 Thread sleep count: 6898 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4784 Thread sleep count: 2663 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -99875s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -99766s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -99641s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -99531s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -99422s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -99313s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -99188s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -99063s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -98944s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -98840s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -98729s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -98625s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -98459s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -98344s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -98213s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -98076s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -97968s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -97857s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -97750s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -97640s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -97530s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -97422s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -97313s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -97188s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -97063s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -96952s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -96843s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -96733s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -96625s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -96515s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -96405s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -96296s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -96186s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -96077s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -95969s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -95857s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -95749s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -95638s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -95522s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -95196s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -95088s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -94966s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -94859s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -94749s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 4396 Thread sleep time: -94640s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 6748 Thread sleep count: 31 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe TID: 6748 Thread sleep time: -30969s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Code function: 0_2_00007FF71D1D204C FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00007FF71D1D204C
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Code function: 0_2_00007FF71D1D64E4 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA, 0_2_00007FF71D1D64E4
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 99875 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 99766 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 99641 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 99531 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 99422 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 99313 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 99188 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 99063 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 98944 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 98840 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 98729 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 98625 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 98459 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 98344 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 98213 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 98076 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 97968 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 97857 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 97750 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 97640 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 97530 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 97422 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 97313 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 97188 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 97063 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 96952 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 96843 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 96733 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 96625 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 96515 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 96405 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 96296 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 96186 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 96077 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 95969 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 95857 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 95749 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 95638 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 95522 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 95196 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 95088 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 94966 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 94859 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 94749 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Thread delayed: delay time: 94640 Jump to behavior
Source: seniorcommunicate.exe, 00000001.00000002.2524102736.0000000003363000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: seniorcommunicate.exe, 00000001.00000002.2524102736.0000000003363000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: seniorcommunicate.exe, 00000001.00000002.2522998831.0000000001515000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process queried: DebugPort Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Code function: 0_2_00007FF71D1D1D28 memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,LocalAlloc,GetModuleFileNameA,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree, 0_2_00007FF71D1D1D28
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Code function: 0_2_00007FF71D1D8494 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF71D1D8494
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Code function: 0_2_00007FF71D1D8790 SetUnhandledExceptionFilter, 0_2_00007FF71D1D8790
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Memory allocated: page read and write | page guard Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Code function: 0_2_00007FF71D1D11CC LoadLibraryA,GetProcAddress,AllocateAndInitializeSid,FreeSid,FreeLibrary, 0_2_00007FF71D1D11CC
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Queries volume information: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Code function: 0_2_00007FF71D1D8964 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter, 0_2_00007FF71D1D8964
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.3248.17662.exe Code function: 0_2_00007FF71D1D2C54 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle, 0_2_00007FF71D1D2C54
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\seniorcommunicate.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1545677 Sample: SecuriteInfo.com.FileRepMal... Startdate: 30/10/2024 Architecture: WINDOWS Score: 100 30 Antivirus detection for dropped file 2->30 32 Antivirus / Scanner detection for submitted sample 2->32 34 Multi AV Scanner detection for dropped file 2->34 36 10 other signatures 2->36 8 SecuriteInfo.com.FileRepMalware.3248.17662.exe 1 3 2->8         started        11 rundll32.exe 2->11         started        process3 file4 22 C:\Users\user\...\seniorcommunicate.exe, PE32 8->22 dropped 13 seniorcommunicate.exe 15 4 8->13         started        process5 dnsIp6 28 46.8.237.66, 49709, 80 FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics Russian Federation 13->28 24 C:\Users\user\AppData\Local\cvchost.exe, PE32 13->24 dropped 26 C:\Users\user\AppData\Roaming\...\cvchost.vbs, ASCII 13->26 dropped 38 Antivirus detection for dropped file 13->38 40 Multi AV Scanner detection for dropped file 13->40 42 Machine Learning detection for dropped file 13->42 44 2 other signatures 13->44 18 InstallUtil.exe 2 13->18         started        file7 signatures8 process9 process10 20 WerFault.exe 4 18->20         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
46.8.237.66
 unknown Russian Federation
28917 FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics false

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://46.8.237.66/spool01/Rhxkjsv.pdf true
    		unknown