Windows Analysis Report
SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe
Analysis ID: 1546652
MD5: 250d2a344e15b3c55fd1d59afcf0b1da
SHA1: 1be4fbfb1b39e225fb1b82e73aaa609c734cb8a5
SHA256: 2852cbcdd8ae60e9761f3cd78aaeb84a7c038e1b692800af33003d04d0b7594b
Tags: exe

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Avira: detected
Source: C:\Users\user\Desktop\cabal.exe ReversingLabs: Detection: 70%
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe ReversingLabs: Detection: 71%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.2% probability
Source: C:\Users\user\Desktop\cabal.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\MMOParadox Expansion Launcher\update\obj\Release\update.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe
Source: Binary string: D:\MMOParadox Expansion Launcher\cabal\obj\Release\cabal.pdb source: cabal.exe.0.dr
Source: Binary string: D:\MMOParadox Expansion Launcher\update\obj\Release\update.pdb@ source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe
Source: Binary string: D:\MMOParadox Expansion Launcher\cabal\obj\Release\cabal.pdb4Z source: cabal.exe.0.dr
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 01 Nov 2024 10:27:01 GMTServer: Apache/2.4.62 (Debian)Last-Modified: Mon, 21 Oct 2024 10:59:32 GMTETag: "19200-624fa8c262d00"Accept-Ranges: bytesContent-Length: 102912Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: GET /update//resources.xml HTTP/1.1Host: 217.15.164.94Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /update/client/cabal.exe HTTP/1.1Host: 217.15.164.94
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49706 -> 217.15.164.94:80
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.5:49711
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.5:49918
Source: global traffic HTTP traffic detected: GET /update//web/kmnkNIANBDUIbudbnIA.php?t=01/11/2024%2006:26:57 HTTP/1.1Accept: */*Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 217.15.164.94Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 217.15.164.94
Source: global traffic DNS traffic detected: DNS query: s4.gtsystems.hu
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Nov 2024 10:27:00 GMTServer: Apache/2.4.62 (Debian)Content-Length: 275Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.62 (Debian) Server at 217.15.164.94 Port 80</address></body></html>
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.00000000035E7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.000000000339E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.000000000356C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://217.15.164.94
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, cabal.exe.0.dr String found in binary or memory: http://217.15.164.94/update/
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.000000000356C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://217.15.164.94/update//resources.xml
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3297785606.0000000006E5D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3304723175.000000000E9D6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://217.15.164.94/update//web/kmnkNIANBDUIbudbnIA.php?t=01/11/2024
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3297785606.0000000006E19000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3291476331.0000000001493000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3297785606.0000000006E5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://217.15.164.94/update//web/kmnkNIANBDUIbudbnIA.php?t=01/11/2024%2006:26:57
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3291476331.0000000001493000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://217.15.164.94/update//web/kmnkNIANBDUIbudbnIA.php?t=01/11/2024%2006:26:57652bf5c30805da9
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3297785606.0000000006E5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://217.15.164.94/update//web/kmnkNIANBDUIbudbnIA.php?t=01/11/2024%2006:26:57Sl.R
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3296482121.00000000065B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://217.15.164.94/update//web/kmnkNIANBDUIbudbnIA.phpt=01/11/2024
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://217.15.164.94/update/client/cabal.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.00000000035E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://217.15.164.94/update/client/cabal.exeP
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.000000000356C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://217.15.168
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.0000000003463000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/update;component/classes/webbrowseroverlaywf/webbrowseroverlay.xaml
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.0000000003463000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/update;component/classes/webbrowseroverlaywf/webbrowseroverlay.xamld
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3299553534.0000000008602000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.comQ
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.0000000003463000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/classes/webbrowseroverlaywf/webbrowseroverlay.baml
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.0000000003463000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/classes/webbrowseroverlaywf/webbrowseroverlay.bamld
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.0000000003463000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/classes/webbrowseroverlaywf/webbrowseroverlay.xaml
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.0000000003463000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/classes/webbrowseroverlaywf/webbrowseroverlay.xamld
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.0000000003404000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.00000000035CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.000000000339E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.000000000356C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.0000000003404000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.0000000003698000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3296051712.0000000005E8C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ww.micro
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3297785606.0000000006E19000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Code function: 0_2_0329D390 0_2_0329D390
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3291476331.000000000145E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000000.2025535730.0000000001032000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameupdate.exe: vs SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3292629514.00000000036D6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamecabal.exeB vs SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Binary or memory string: OriginalFilenameupdate.exe: vs SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe
Source: classification engine Classification label: mal76.winEXE@1/13@1/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe File created: C:\Users\user\Desktop\main.dat
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Mutant created: NULL
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe File created: C:\Users\user\AppData\Local\Temp\resources.xml
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: d3d9.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: mscms.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: coloradapterclient.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: windowscodecsext.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: icm32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: dataexchange.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: dcomp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: msctfui.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: uiautomationcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: d3dcompiler_47.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: msiso.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: mshtml.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: srpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: mlang.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: msimtf.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: jscript9.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: d2d1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Static file information: File size 7486464 > 1048576
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x71e600
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\MMOParadox Expansion Launcher\update\obj\Release\update.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe
Source: Binary string: D:\MMOParadox Expansion Launcher\cabal\obj\Release\cabal.pdb source: cabal.exe.0.dr
Source: Binary string: D:\MMOParadox Expansion Launcher\update\obj\Release\update.pdb@ source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe
Source: Binary string: D:\MMOParadox Expansion Launcher\cabal\obj\Release\cabal.pdb4Z source: cabal.exe.0.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Code function: 0_2_0329127F pushfd ; iretd 0_2_032912B9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Code function: 0_2_032912BA pushfd ; iretd 0_2_032912B9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Code function: 0_2_032932C2 pushad ; iretd 0_2_032932D1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Code function: 0_2_032932D2 pushfd ; iretd 0_2_03293301
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Code function: 0_2_0329B0C1 push eax; retf 0_2_0329B0CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Code function: 0_2_0329378A push esp; retf 0_2_03293799
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Code function: 0_2_0329379A push esp; retf 0_2_03293799
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe File created: C:\Users\user\Desktop\cabal.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Memory allocated: 3250000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Memory allocated: 32F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Memory allocated: 52F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Memory allocated: D620000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Window / User API: threadDelayed 2833
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Window / User API: threadDelayed 810
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Dropped PE file which has not been started: C:\Users\user\Desktop\cabal.exe
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3297785606.0000000006E5D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW)\
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3297785606.0000000006E5D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe, 00000000.00000002.3291476331.0000000001493000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.26437.13829.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid