Windows Analysis Report
SecuriteInfo.com.FileRepMalware.20494.7181.exe

Overview

General Information

Sample name: SecuriteInfo.com.FileRepMalware.20494.7181.exe
Analysis ID: 1416942
MD5: af9764b5224f18db51d592d641caaf28
SHA1: e65b9a26d541fb15f265be8caed159e365a3f6ae
SHA256: 95c7b62982bdcde9fe8cc12839a414a1aa2171103a133454e9de2e406f3a3012
Tags: exe

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Xmrig cryptocurrency miner
Detected Stratum mining protocol
Drops PE files to the startup folder
Found direct / indirect Syscall (likely to bypass EDR)
Found strings related to Crypto-Mining
Hides threads from debuggers
Machine Learning detection for dropped file
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Yara signature match

Classification

Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

AV Detection

Source: C:\Users\user\AppData\Local\Temp\_MEI42562\Microsoft Edge.exe Avira: detection malicious, Label: HEUR/AGEN.1324769
Source: C:\Users\user\AppData\Local\Temp\_MEI42562\Microsoft Edge.exe ReversingLabs: Detection: 40%
Source: C:\Users\user\AppData\Local\Temp\_MEI42562\Microsoft Edge.exe Virustotal: Detection: 57%
Source: C:\Users\user\AppData\Local\Temp\_MEI42562\Runtime Broker.exe ReversingLabs: Detection: 37%
Source: C:\Users\user\AppData\Local\Temp\_MEI42562\Runtime Broker.exe Virustotal: Detection: 53%
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe ReversingLabs: Detection: 39%
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe Virustotal: Detection: 54%
Source: C:\Users\user\AppData\Local\Temp\_MEI42562\Runtime Broker.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\_MEI42562\Microsoft Edge.exe Joe Sandbox ML: detected

Bitcoin Miner

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 7.2.Microsoft Edge.exe.7ff612330000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2592398201.0000024D4EB4D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2591628032.0000021D2DA25000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2592396227.0000021D2E371000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2323317181.00000145BBDCD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2322880889.00000145BB7F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2592396227.0000021D2E34D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2590937562.0000024D4CA75000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.4764232973.000001859C368000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.4762982805.000001859BEA5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2323996765.00007FF612933000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2323317181.00000145BBDF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2592398201.0000024D4EB6F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.4763394405.000001859C0AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.4763394405.000001859C0D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Microsoft Edge.exe PID: 6972, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Microsoft Edge.exe PID: 356, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Microsoft Edge.exe PID: 5612, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Microsoft Edge.exe PID: 2676, type: MEMORYSTR
Source: global traffic TCP traffic: 192.168.2.6:49716 -> 104.243.33.118:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"82taq2flvrsvsl9v9djldkvkimffniud1jaqjcu598weeb9xewn8rhag7uahxhd95uunrscehkqmqh487mcrnq8bnavon9d","pass":"x","agent":"xmrig/6.21.1 (windows nt 10.0; win64; x64) libuv/1.44.2 gcc/11.2.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","rx/0","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.
Source: global traffic TCP traffic: 192.168.2.6:49718 -> 104.243.33.118:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"82taq2flvrsvsl9v9djldkvkimffniud1jaqjcu598weeb9xewn8rhag7uahxhd95uunrscehkqmqh487mcrnq8bnavon9d","pass":"x","agent":"xmrig/6.21.1 (windows nt 10.0; win64; x64) libuv/1.44.2 gcc/11.2.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","rx/0","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.
Source: global traffic TCP traffic: 192.168.2.6:49722 -> 104.243.43.115:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"82taq2flvrsvsl9v9djldkvkimffniud1jaqjcu598weeb9xewn8rhag7uahxhd95uunrscehkqmqh487mcrnq8bnavon9d","pass":"x","agent":"xmrig/6.21.1 (windows nt 10.0; win64; x64) libuv/1.44.2 gcc/11.2.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","rx/0","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.
Source: global traffic TCP traffic: 192.168.2.6:49726 -> 199.247.27.41:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"13f1b8e03c22ff3cf3fc7edbeda44070ded304342c85a775ff9986886d0c4609","pass":"x","agent":"xmrig/6.21.1 (windows nt 10.0; win64; x64) libuv/1.44.2 gcc/11.2.0","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"],"diff":65217,"height":3114822,"seed_hash":"1f3c89329b35b30bc9e1f8854f490150ea140f4edc32a365d1be8bdc49234482"}}.
Source: global traffic TCP traffic: 192.168.2.6:49732 -> 178.128.242.134:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"13f1b8e03c22ff3cf3fc7edbeda44070ded304342c85a775ff9986886d0c4609","pass":"x","agent":"xmrig/6.21.1 (windows nt 10.0; win64; x64) libuv/1.44.2 gcc/11.2.0","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"],"diff":65217,"height":3114822,"seed_hash":"1f3c89329b35b30bc9e1f8854f490150ea140f4edc32a365d1be8bdc49234482"}}.
Source: global traffic TCP traffic: 192.168.2.6:49737 -> 178.128.242.134:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"13f1b8e03c22ff3cf3fc7edbeda44070ded304342c85a775ff9986886d0c4609","pass":"x","agent":"xmrig/6.21.1 (windows nt 10.0; win64; x64) libuv/1.44.2 gcc/11.2.0","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"],"diff":50000,"height":3114822,"seed_hash":"1f3c89329b35b30bc9e1f8854f490150ea140f4edc32a365d1be8bdc49234482"}}.
Source: global traffic TCP traffic: 192.168.2.6:49742 -> 178.128.242.134:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"13f1b8e03c22ff3cf3fc7edbeda44070ded304342c85a775ff9986886d0c4609","pass":"x","agent":"xmrig/6.21.1 (windows nt 10.0; win64; x64) libuv/1.44.2 gcc/11.2.0","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"],"diff":50000,"height":3114823,"seed_hash":"1f3c89329b35b30bc9e1f8854f490150ea140f4edc32a365d1be8bdc49234482"}}.
Source: global traffic TCP traffic: 192.168.2.6:49747 -> 178.128.242.134:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"13f1b8e03c22ff3cf3fc7edbeda44070ded304342c85a775ff9986886d0c4609","pass":"x","agent":"xmrig/6.21.1 (windows nt 10.0; win64; x64) libuv/1.44.2 gcc/11.2.0","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"],"diff":50000,"height":3114823,"seed_hash":"1f3c89329b35b30bc9e1f8854f490150ea140f4edc32a365d1be8bdc49234482"}}.
Source: global traffic TCP traffic: 192.168.2.6:49752 -> 199.247.27.41:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"13f1b8e03c22ff3cf3fc7edbeda44070ded304342c85a775ff9986886d0c4609","pass":"x","agent":"xmrig/6.21.1 (windows nt 10.0; win64; x64) libuv/1.44.2 gcc/11.2.0","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"],"diff":50000,"height":3114823,"seed_hash":"1f3c89329b35b30bc9e1f8854f490150ea140f4edc32a365d1be8bdc49234482"}}.
Source: global traffic TCP traffic: 192.168.2.6:49755 -> 104.243.43.115:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"82taq2flvrsvsl9v9djldkvkimffniud1jaqjcu598weeb9xewn8rhag7uahxhd95uunrscehkqmqh487mcrnq8bnavon9d","pass":"x","agent":"xmrig/6.21.1 (windows nt 10.0; win64; x64) libuv/1.44.2 gcc/11.2.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","rx/0","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.
Source: Microsoft Edge.exe String found in binary or memory: stratum+ssl://
Source: Microsoft Edge.exe String found in binary or memory: cryptonight_v8
Source: Microsoft Edge.exe String found in binary or memory: stratum+tcp://
Source: Microsoft Edge.exe String found in binary or memory: -o, --url=URL URL of mining server
Source: Microsoft Edge.exe String found in binary or memory: Usage: xmrig [OPTIONS] Network:
Source: Microsoft Edge.exe String found in binary or memory: XMRig 6.21.1 built on Feb 25 2024 with GCC
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdbGCTL source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr
Source: Binary string: \Projects\ConsoleApp1\obj\Debug\RuntimeBroker.pdb source: Runtime Broker.exe, 00000008.00000002.4765666112.00007FF66D802000.00000020.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765581162.00007FF66D802000.00000020.00000001.01000000.00000009.sdmp
Source: Binary string: ucrtbase.pdb source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2321747885.00007FFD94871000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\_bz2.pdb source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2322033281.00007FFDA416D000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.0.dr
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2322131790.00007FFDA4341000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2322131790.00007FFDA4341000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.0.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdbGCTL source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr
Source: Binary string: D:\_w\1\b\bin\amd64\_lzma.pdb source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2321893983.00007FFDA377C000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdbGCTL source: api-ms-win-core-localization-l1-2-0.dll.0.dr
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdbGCTL source: api-ms-win-core-heap-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdbGCTL source: api-ms-win-crt-math-l1-1-0.dll.0.dr
Source: Binary string: D:\_w\1\b\bin\amd64\_lzma.pdbNN source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2321893983.00007FFDA377C000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdbGCTL source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-util-l1-1-0.pdbGCTL source: api-ms-win-core-util-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr
Source: Binary string: ucrtbase.pdbUGP source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2321747885.00007FFD94871000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdbGCTL source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr
Source: Binary string: D:\_w\1\b\bin\amd64\python311.pdb source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2320065963.00007FFD94103000.00000002.00000001.01000000.00000005.sdmp, python311.dll.0.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdbGCTL source: api-ms-win-crt-conio-l1-1-0.dll.0.dr
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe File opened: c:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe File opened: c:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe File opened: c:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe File opened: c:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe File opened: c:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe File opened: c:\Users\user\AppData\Roaming\

Networking

Source: Traffic Snort IDS: 2047928 ET TROJAN CoinMiner Domain in DNS Lookup (pool .supportxmr .com) 192.168.2.6:59815 -> 1.1.1.1:53
Source: global traffic TCP traffic: 192.168.2.6:49716 -> 104.243.33.118:3333
Source: global traffic TCP traffic: 192.168.2.6:49722 -> 104.243.43.115:3333
Source: global traffic TCP traffic: 192.168.2.6:49726 -> 199.247.27.41:3333
Source: global traffic TCP traffic: 192.168.2.6:49732 -> 178.128.242.134:3333
Source: Joe Sandbox View ASN Name: RELIABLESITEUS
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: pool.supportxmr.com
Source: python311.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: python311.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: python311.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: python311.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: python311.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: python311.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: python311.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: python311.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: python311.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: python311.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: python311.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: python311.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: python311.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, Runtime Broker.exe.0.dr String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, Runtime Broker.exe.0.dr String found in binary or memory: http://s.symcd.com06
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, Runtime Broker.exe.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, Runtime Broker.exe.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, Runtime Broker.exe.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: python311.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, Runtime Broker.exe.0.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, Runtime Broker.exe.0.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, Runtime Broker.exe.0.dr String found in binary or memory: https://d.symcb.com/rpa0.
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, Runtime Broker.exe.0.dr String found in binary or memory: https://enigmaprotector.com/taggant/spv.crl0
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, Runtime Broker.exe.0.dr String found in binary or memory: https://enigmaprotector.com/taggant/user.crl0
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000003.2310197570.00000224C8EF7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000003.2312146004.00000224C9993000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2316416721.00000224C9994000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000003.2309755070.00000224C9992000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000003.2313588873.00000224C8E91000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000003.2310994904.00000224C8E85000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000003.2313470984.00000224C8E89000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2315267276.00000224C8E92000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000003.2307784520.00000224C8EBD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000003.2307013330.00000224C997A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000003.2311135451.00000224C8E87000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000003.2311661812.00000224C8EF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2315941951.00000224C90A8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000003.2311135451.00000224C8E87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000003.2312146004.00000224C9993000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2316416721.00000224C9994000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000003.2309755070.00000224C9992000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000003.2313588873.00000224C8E91000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000003.2310994904.00000224C8E85000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000003.2313470984.00000224C8E89000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2315267276.00000224C8E92000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000003.2307013330.00000224C997A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000003.2311135451.00000224C8E87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000003.2310197570.00000224C8EF7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000003.2312146004.00000224C9993000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2316416721.00000224C9994000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000003.2309755070.00000224C9992000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000003.2313588873.00000224C8E91000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000003.2310994904.00000224C8E85000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000003.2313470984.00000224C8E89000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2315267276.00000224C8E92000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000003.2307784520.00000224C8EBD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000003.2307013330.00000224C997A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000003.2311135451.00000224C8E87000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000003.2311661812.00000224C8EF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2320065963.00007FFD94103000.00000002.00000001.01000000.00000005.sdmp, python311.dll.0.dr String found in binary or memory: https://peps.python.org/pep-0263/
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2315941951.00000224C9020000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2320329702.00007FFD94198000.00000004.00000001.01000000.00000005.sdmp, python311.dll.0.dr String found in binary or memory: https://www.python.org/psf/license/
Source: Microsoft Edge.exe, 00000007.00000002.2323996765.00007FF612933000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://xmrig.com/benchmark/%s
Source: Microsoft Edge.exe, Microsoft Edge.exe, 00000007.00000002.2323996765.00007FF612933000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://xmrig.com/docs/algorithms
Source: Microsoft Edge.exe, Microsoft Edge.exe, 00000007.00000002.2323996765.00007FF612933000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://xmrig.com/wizard
Source: Microsoft Edge.exe, 00000007.00000002.2323996765.00007FF612933000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://xmrig.com/wizard%s
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741

System Summary

Source: 7.2.Microsoft Edge.exe.7ff612330000.0.unpack, type: UNPACKEDPE Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 7.2.Microsoft Edge.exe.7ff612330000.0.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 7.2.Microsoft Edge.exe.7ff612330000.0.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 7.2.Microsoft Edge.exe.7ff612330000.0.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
Source: 00000007.00000002.2323996765.00007FF612933000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000007.00000002.2323545081.00007FF612331000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: Process Memory Space: Microsoft Edge.exe PID: 6972, type: MEMORYSTR Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe Static PE information: section name:
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe Static PE information: section name:
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe Static PE information: section name:
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe Static PE information: section name:
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe Static PE information: section name:
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe Static PE information: section name:
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe Static PE information: section name:
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe Static PE information: section name:
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe Static PE information: section name:
Source: Microsoft Edge.exe.0.dr Static PE information: section name:
Source: Microsoft Edge.exe.0.dr Static PE information: section name:
Source: Microsoft Edge.exe.0.dr Static PE information: section name:
Source: Microsoft Edge.exe.0.dr Static PE information: section name:
Source: Microsoft Edge.exe.0.dr Static PE information: section name:
Source: Microsoft Edge.exe.0.dr Static PE information: section name:
Source: Microsoft Edge.exe.0.dr Static PE information: section name:
Source: Microsoft Edge.exe.0.dr Static PE information: section name:
Source: Microsoft Edge.exe.0.dr Static PE information: section name:
Source: Microsoft Edge.exe.0.dr Static PE information: section name:
Source: Microsoft Edge.exe.0.dr Static PE information: section name:
Source: Microsoft Edge.exe.0.dr Static PE information: section name:
Source: Microsoft Edge.exe.0.dr Static PE information: section name:
Source: Runtime Broker.exe.0.dr Static PE information: section name:
Source: Runtime Broker.exe.0.dr Static PE information: section name:
Source: Runtime Broker.exe.0.dr Static PE information: section name:
Source: Runtime Broker.exe.0.dr Static PE information: section name:
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Code function: 0_2_00007DF433E10AAB 0_2_00007DF433E10AAB
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\_MEI42562\VCRUNTIME140.dll 76FDB83FDE238226B5BEBAF3392EE562E2CB7CA8D3EF75983BF5F9D6C7119644
Source: unicodedata.pyd.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: Microsoft Edge.exe.0.dr Static PE information: Number of sections : 14 > 10
Source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2322174511.00007FFDA4347000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: OriginalFilenamevcruntime140.dllT vs SecuriteInfo.com.FileRepMalware.20494.7181.exe
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2321974373.00007FFDA3785000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilename_lzma.pyd. vs SecuriteInfo.com.FileRepMalware.20494.7181.exe
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2321803693.00007FFD948AC000.00000002.00000001.01000000.00000004.sdmp Binary or memory string: OriginalFilenameucrtbase.dllj% vs SecuriteInfo.com.FileRepMalware.20494.7181.exe
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2322076469.00007FFDA4172000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilename_bz2.pyd. vs SecuriteInfo.com.FileRepMalware.20494.7181.exe
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2321605018.00007FFD94337000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: OriginalFilenamepython311.dll. vs SecuriteInfo.com.FileRepMalware.20494.7181.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Section loaded: python3.dll
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Section loaded: rsaenh.dll
Source: 7.2.Microsoft Edge.exe.7ff612330000.0.unpack, type: UNPACKEDPE Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 7.2.Microsoft Edge.exe.7ff612330000.0.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 7.2.Microsoft Edge.exe.7ff612330000.0.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 7.2.Microsoft Edge.exe.7ff612330000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 00000007.00000002.2323996765.00007FF612933000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000007.00000002.2323545081.00007FF612331000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: Process Memory Space: Microsoft Edge.exe PID: 6972, type: MEMORYSTR Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe Static PE information: Section: ZLIB complexity 0.9950942095588236
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe Static PE information: Section: ZLIB complexity 0.9899968327702703
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe Static PE information: Section: ZLIB complexity 0.9986915958737864
Source: Microsoft Edge.exe.0.dr Static PE information: Section: ZLIB complexity 0.9968449519230769
Source: Microsoft Edge.exe.0.dr Static PE information: Section: ZLIB complexity 0.999841588144084
Source: Microsoft Edge.exe.0.dr Static PE information: Section: ZLIB complexity 0.9996314858490566
Source: classification engine Classification label: mal100.adwa.evad.mine.winEXE@22/56@3/4
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5276:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5260:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6444:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1592:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe ReversingLabs: Detection: 39%
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe Virustotal: Detection: 54%
Source: Microsoft Edge.exe String found in binary or memory: -h, --help display this help and exit
Source: Microsoft Edge.exe String found in binary or memory: t_prefetch_vgpr_index=-vgpr_id; jit_vmcnt=(vmcnt<s_waitcnt_value)?vmcnt:-1; if(vmcnt<s_waitcnt_value) s_waitcnt_value=vmcnt; done=true; } p=jit_emit_instruction(p,last_branch_target,jit_inst,jit_prefetch_vgpr_index,jit_vmcnt,batch_size); if(p-start_p>size_limi
Source: Microsoft Edge.exe String found in binary or memory: --help
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe""
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe""
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe""
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe Static file information: File size 20270420 > 1048576
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe Static PE information: Raw size of is bigger than: 0x100000 < 0x2c5c00
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdbGCTL source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr
Source: Binary string: \Projects\ConsoleApp1\obj\Debug\RuntimeBroker.pdb source: Runtime Broker.exe, 00000008.00000002.4765666112.00007FF66D802000.00000020.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765581162.00007FF66D802000.00000020.00000001.01000000.00000009.sdmp
Source: Binary string: ucrtbase.pdb source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2321747885.00007FFD94871000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\_bz2.pdb source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2322033281.00007FFDA416D000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.0.dr
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2322131790.00007FFDA4341000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2322131790.00007FFDA4341000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.0.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdbGCTL source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr
Source: Binary string: D:\_w\1\b\bin\amd64\_lzma.pdb source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2321893983.00007FFDA377C000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdbGCTL source: api-ms-win-core-localization-l1-2-0.dll.0.dr
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdbGCTL source: api-ms-win-core-heap-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdbGCTL source: api-ms-win-crt-math-l1-1-0.dll.0.dr
Source: Binary string: D:\_w\1\b\bin\amd64\_lzma.pdbNN source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2321893983.00007FFDA377C000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdbGCTL source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-util-l1-1-0.pdbGCTL source: api-ms-win-core-util-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr
Source: Binary string: ucrtbase.pdbUGP source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2321747885.00007FFD94871000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdbGCTL source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr
Source: Binary string: D:\_w\1\b\bin\amd64\python311.pdb source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2320065963.00007FFD94103000.00000002.00000001.01000000.00000005.sdmp, python311.dll.0.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdbGCTL source: api-ms-win-crt-conio-l1-1-0.dll.0.dr

Data Obfuscation

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Unpacked PE file: 0.2.SecuriteInfo.com.FileRepMalware.20494.7181.exe.7ff794250000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;Unknown_Section5:EW;Unknown_Section6:EW;.rsrc:EW;Unknown_Section8:EW;Unknown_Section9:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;Unknown_Section5:R;Unknown_Section6:R;.rsrc:EW;Unknown_Section8:EW;Unknown_Section9:EW;
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Unpacked PE file: 2.2.SecuriteInfo.com.FileRepMalware.20494.7181.exe.7ff794250000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;Unknown_Section5:EW;Unknown_Section6:EW;.rsrc:EW;Unknown_Section8:EW;Unknown_Section9:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;Unknown_Section5:R;Unknown_Section6:R;.rsrc:EW;Unknown_Section8:EW;Unknown_Section9:EW;
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Unpacked PE file: 7.2.Microsoft Edge.exe.7ff612330000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;Unknown_Section5:W;Unknown_Section6:EW;Unknown_Section7:EW;Unknown_Section8:EW;Unknown_Section9:EW;Unknown_Section10:EW;.rsrc:EW;Unknown_Section12:EW;Unknown_Section13:EW; vs Unknown_Section0:ER;Unknown_Section1:W;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:R;Unknown_Section5:W;Unknown_Section6:W;Unknown_Section7:W;Unknown_Section8:W;Unknown_Section9:W;Unknown_Section10:R;.rsrc:EW;Unknown_Section12:EW;Unknown_Section13:EW;
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Unpacked PE file: 8.2.Runtime Broker.exe.7ff66d800000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;.rsrc:EW;Unknown_Section3:EW;Unknown_Section4:EW; vs Unknown_Section0:ER;Unknown_Section1:R;.rsrc:ER;Unknown_Section3:ER;Unknown_Section4:ER;
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Unpacked PE file: 15.2.Runtime Broker.exe.7ff66d800000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;.rsrc:EW;Unknown_Section3:EW;Unknown_Section4:EW; vs Unknown_Section0:ER;Unknown_Section1:R;.rsrc:ER;Unknown_Section3:ER;Unknown_Section4:ER;
Source: Runtime Broker.exe.0.dr Static PE information: 0xC4AE2868 [Wed Jul 25 12:39:04 2074 UTC]
Source: Microsoft Edge.exe.0.dr Static PE information: real checksum: 0x80e909 should be: 0x66fe39
Source: Runtime Broker.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x2fc202
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe Static PE information: section name:
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe Static PE information: section name:
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe Static PE information: section name:
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe Static PE information: section name:
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe Static PE information: section name:
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe Static PE information: section name:
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe Static PE information: section name:
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe Static PE information: section name:
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe Static PE information: section name:
Source: libcrypto-1_1.dll.0.dr Static PE information: section name: .00cfg
Source: libssl-1_1.dll.0.dr Static PE information: section name: .00cfg
Source: python311.dll.0.dr Static PE information: section name: PyRuntim
Source: Microsoft Edge.exe.0.dr Static PE information: section name:
Source: Microsoft Edge.exe.0.dr Static PE information: section name:
Source: Microsoft Edge.exe.0.dr Static PE information: section name:
Source: Microsoft Edge.exe.0.dr Static PE information: section name:
Source: Microsoft Edge.exe.0.dr Static PE information: section name:
Source: Microsoft Edge.exe.0.dr Static PE information: section name:
Source: Microsoft Edge.exe.0.dr Static PE information: section name:
Source: Microsoft Edge.exe.0.dr Static PE information: section name:
Source: Microsoft Edge.exe.0.dr Static PE information: section name:
Source: Microsoft Edge.exe.0.dr Static PE information: section name:
Source: Microsoft Edge.exe.0.dr Static PE information: section name:
Source: Microsoft Edge.exe.0.dr Static PE information: section name:
Source: Microsoft Edge.exe.0.dr Static PE information: section name:
Source: Runtime Broker.exe.0.dr Static PE information: section name:
Source: Runtime Broker.exe.0.dr Static PE information: section name:
Source: Runtime Broker.exe.0.dr Static PE information: section name:
Source: Runtime Broker.exe.0.dr Static PE information: section name:
Source: VCRUNTIME140.dll.0.dr Static PE information: section name: _RDATA
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe Static PE information: section name: entropy: 7.993690532935202
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe Static PE information: section name: entropy: 7.980897892360261
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe Static PE information: section name: entropy: 7.219186418605474
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe Static PE information: section name: entropy: 7.995879815906581
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe Static PE information: section name: entropy: 7.497746838564346
Source: Microsoft Edge.exe.0.dr Static PE information: section name: entropy: 7.9794434122834685
Source: Microsoft Edge.exe.0.dr Static PE information: section name: entropy: 7.999556299657626
Source: Microsoft Edge.exe.0.dr Static PE information: section name: entropy: 7.9961487575621515
Source: Microsoft Edge.exe.0.dr Static PE information: section name: entropy: 7.876010389655013
Source: Runtime Broker.exe.0.dr Static PE information: section name: entropy: 7.499159924967502
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\libcrypto-1_1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\Runtime Broker.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\_ssl.pyd
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\libssl-1_1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-file-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\_socket.pyd
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\VCRUNTIME140.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\select.pyd
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe (copy)
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\unicodedata.pyd
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\python311.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\ucrtbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\_decimal.pyd
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\_hashlib.pyd
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\Microsoft Edge.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\_bz2.pyd
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-console-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe (copy)
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\_lzma.pyd
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-processthreads-l1-1-0.dll

Boot Survival

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe (copy)
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe (copy)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Memory allocated: 22134AD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Memory allocated: 2214D100000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Memory allocated: 29C2D0B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Memory allocated: 29C45D70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Window / User API: threadDelayed 549
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Window / User API: threadDelayed 7120
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Window / User API: threadDelayed 1808
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Window / User API: threadDelayed 945
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Window / User API: threadDelayed 8455
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Window / User API: threadDelayed 727
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Window / User API: threadDelayed 604
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Window / User API: threadDelayed 9283
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\libcrypto-1_1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\_ssl.pyd
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\libssl-1_1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-file-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\_socket.pyd
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\select.pyd
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\unicodedata.pyd
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\python311.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\_decimal.pyd
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\_hashlib.pyd
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\_bz2.pyd
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-console-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\_lzma.pyd
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42562\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe TID: 4924 Thread sleep count: 549 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe TID: 3432 Thread sleep count: 48 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe TID: 5100 Thread sleep count: 49 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe TID: 5100 Thread sleep time: -49000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe TID: 2708 Thread sleep count: 43 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe TID: 2708 Thread sleep time: -43000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe TID: 5908 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe TID: 2820 Thread sleep count: 7120 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe TID: 2820 Thread sleep count: 1808 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe TID: 6084 Thread sleep count: 945 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe TID: 5248 Thread sleep count: 31 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe TID: 5248 Thread sleep time: -31000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe TID: 3352 Thread sleep count: 33 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe TID: 3352 Thread sleep time: -33000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe TID: 6116 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe TID: 6052 Thread sleep count: 8455 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe TID: 6052 Thread sleep count: 727 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe TID: 5464 Thread sleep count: 604 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe TID: 2588 Thread sleep count: 9283 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe File opened: c:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe File opened: c:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe File opened: c:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe File opened: c:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe File opened: c:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe File opened: c:\Users\user\AppData\Roaming\
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: Microsoft Edge.exe, 0000000B.00000002.2592009488.0000021D2DF05000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: vmware
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: Microsoft Edge.exe, 00000009.00000002.2592007225.0000024D4EA45000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWpx
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Hyper-V (guest)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Hyper-V
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: Microsoft Edge.exe, 00000007.00000002.2323158465.00000145BBCC5000.00000004.00000020.00020000.00000000.sdmp, Microsoft Edge.exe, 00000009.00000002.2592007225.0000024D4EA45000.00000004.00000020.00020000.00000000.sdmp, Microsoft Edge.exe, 0000000B.00000002.2592009488.0000021D2DF05000.00000004.00000020.00020000.00000000.sdmp, Microsoft Edge.exe, 00000010.00000002.4764232973.000001859C335000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: VBoxService.exe
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Virtual MachinesbiedllVBoxService.exe
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: VMWare
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000000.00000002.2330666134.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.20494.7181.exe, 00000002.00000002.2317765733.00007FF7942B4000.00000040.00000001.01000000.00000003.sdmp, Microsoft Edge.exe, 00000007.00000002.2324334152.00007FF612E8E000.00000040.00000001.01000000.0000000A.sdmp, Runtime Broker.exe, 00000008.00000002.4765715991.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp, Runtime Broker.exe, 0000000F.00000002.4765630356.00007FF66D808000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Thread information set: HideFromDebugger (4 events)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Thread information set: HideFromDebugger (2 events)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Thread information set: HideFromDebugger (2 events)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Thread information set: HideFromDebugger (4 events)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Thread information set: HideFromDebugger (2 events)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Thread information set: HideFromDebugger (2 events)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe NtOpenSection: Indirect: 0x7FF612F1BB35
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe NtOpenKey: Indirect: 0x7FF612F1AF85
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe NtClose: Indirect: 0x7FF612F1C0B6
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe NtSetInformationThread: Indirect: 0x7FF612ECFADD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe NtQueryAttributesFile: Indirect: 0x7FF74780C41F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe NtSetInformationThread: Indirect: 0x7FF7477BFADD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe NtResumeThread: Indirect: 0x7FF74780A81F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe NtProtectVirtualMemory: Indirect: 0x7FF74780DA4B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe NtProtectVirtualMemory: Indirect: 0x7FF66D897A4B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe NtUnmapViewOfSection: Indirect: 0x7FF74780BE8F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe NtProtectVirtualMemory: Indirect: 0x7FF66E29CE2E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe NtUnmapViewOfSection: Indirect: 0x7FF612F1BE8F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe NtProtectVirtualMemory: Indirect: 0x7FF61393CFB8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe NtProtectVirtualMemory: Indirect: 0x7FF74822CFB8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe NtSetInformationThread: Indirect: 0x7FF66D849ADD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe NtProtectVirtualMemory: Indirect: 0x7FF612F1DA4B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe NtResumeThread: Indirect: 0x7FF612F1A81F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe NtQueryAttributesFile: Indirect: 0x7FF612F1C41F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe NtClose: Indirect: 0x7FF74780C0B6
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe NtOpenSection: Indirect: 0x7FF74780BB35
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe NtOpenKey: Indirect: 0x7FF74780AF85
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge"
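The indirect-syscall entries above record one caller address per event, and the two address ranges seen for Microsoft Edge.exe (0x7FF612... and 0x7FF747...) belong to two instances of the same dropped binary loaded at different ASLR bases. The script below is an added example, not part of this report or of Joe Sandbox. It parses lines of the shape used in this section (a constructed subset of the report's own "Indirect:" and "Process created:" lines is embedded), checks that addresses recorded for the same Nt* API in the two Edge instances differ by one 64 KiB-aligned slide, compares the page offsets of the stubs across the two dropped files, and flags process creations whose image sits in the user Startup folder under a name that imitates a Windows process. The IMPERSONATED table and its directory prefixes are assumptions made for the example.

```python
"""Triage helpers for behaviour lines of the kind listed in this report.
Added example, not part of the report or of Joe Sandbox.  SAMPLE_EVENTS is a
constructed subset of the report's own "Indirect:" and "Process created:"
lines; the IMPERSONATED table is an assumption for this example."""
import re
from collections import defaultdict
from itertools import combinations

SAMPLE_EVENTS = r"""
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe NtOpenSection: Indirect: 0x7FF612F1BB35
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe NtOpenKey: Indirect: 0x7FF612F1AF85
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe NtSetInformationThread: Indirect: 0x7FF612ECFADD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe NtSetInformationThread: Indirect: 0x7FF7477BFADD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe NtProtectVirtualMemory: Indirect: 0x7FF74780DA4B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe NtProtectVirtualMemory: Indirect: 0x7FF66D897A4B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe NtProtectVirtualMemory: Indirect: 0x7FF66E29CE2E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe NtProtectVirtualMemory: Indirect: 0x7FF61393CFB8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe NtProtectVirtualMemory: Indirect: 0x7FF74822CFB8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe NtSetInformationThread: Indirect: 0x7FF66D849ADD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe NtProtectVirtualMemory: Indirect: 0x7FF612F1DA4B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe NtOpenSection: Indirect: 0x7FF74780BB35
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe NtOpenKey: Indirect: 0x7FF74780AF85
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge"
"""

SYSCALL_RE = re.compile(
    r"^Source: (?P<proc>.+?) (?P<api>Nt\w+): Indirect: (?P<addr>0x[0-9A-Fa-f]+)")
CREATE_RE = re.compile(
    r'^Source: (?P<parent>.+?) Process created: (?P<image>.+?) "(?P<cmdline>.*)"$')
STARTUP_DIR = "\\start menu\\programs\\startup\\"
# Windows process names the dropped files imitate once spaces are removed, and
# the directory each genuine binary lives under (assumed values for this example).
IMPERSONATED = {
    "runtimebroker.exe": "c:\\windows\\system32\\",
    "microsoftedge.exe": "c:\\windows\\systemapps\\",
    "msedge.exe": "c:\\program files (x86)\\microsoft\\edge\\",
}


def parse_indirect_syscalls(lines):
    """Map process path -> Nt API -> set of recorded stub addresses."""
    procs = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = SYSCALL_RE.match(line.strip())
        if m:
            procs[m["proc"]][m["api"]].add(int(m["addr"], 16))
    return procs


def aslr_slides(addrs_by_api):
    """Differences between addresses recorded for the same API under one
    process name.  Only 64 KiB-aligned differences count, because PE image
    bases are 64 KiB aligned; a single value means two instances of one image."""
    slides = set()
    for addrs in addrs_by_api.values():
        for a, b in combinations(sorted(addrs), 2):
            if (b - a) % 0x10000 == 0:
                slides.add(b - a)
    return slides


def shared_page_offsets(procs):
    """For APIs recorded in more than one process, the page offsets
    (addr & 0xFFF) of their stubs.  A single offset across distinct binaries
    suggests the same code built with the same layout."""
    by_api = defaultdict(dict)
    for proc, apis in procs.items():
        for api, addrs in apis.items():
            by_api[api][proc] = {a & 0xFFF for a in addrs}
    return {api: set().union(*offs.values())
            for api, offs in by_api.items() if len(offs) > 1}


def startup_masquerades(lines):
    """Process creations whose image lives in the user Startup folder, or whose
    file name imitates a Windows binary outside that binary's real directory.
    Returns (parent, image, impersonated_dir_or_None) tuples."""
    hits = []
    for line in lines:
        m = CREATE_RE.match(line.strip())
        if not m:
            continue
        image = m["image"]
        low = image.lower()
        legit_dir = IMPERSONATED.get(low.rsplit("\\", 1)[-1].replace(" ", ""))
        if STARTUP_DIR in low or (legit_dir and not low.startswith(legit_dir)):
            hits.append((m["parent"], image, legit_dir))
    return hits


if __name__ == "__main__":
    lines = SAMPLE_EVENTS.splitlines()
    procs = parse_indirect_syscalls(lines)
    for proc, apis in procs.items():
        print(proc.rsplit("\\", 1)[-1], sorted(apis),
              "slides:", [hex(s) for s in aslr_slides(apis)])
    print({api: sorted(hex(o) for o in offs)
           for api, offs in shared_page_offsets(procs).items()})
    for parent, image, legit in startup_masquerades(lines):
        print("startup masquerade:", image, "imitates", legit, "spawned by", parent)
```

On the report's own addresses the Edge pairs all differ by 0x1348F0000, the NtSetInformationThread stubs of both dropped files sit at page offset 0xADD, and all three Startup-folder launches are flagged, while the sample's own self-spawn from the Desktop is not.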
Source: conhost.exe, 00000011.00000002.4762347576.0000023ED2D61000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: IProgram Manager
Source: conhost.exe, 00000011.00000002.4762347576.0000023ED2D61000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 00000011.00000002.4762347576.0000023ED2D61000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: conhost.exe, 00000011.00000002.4762347576.0000023ED2D61000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42562\ucrtbase.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42562\base_library.zip VolumeInformation (15 events)
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42562 VolumeInformation (2 events)
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42562\base_library.zip VolumeInformation (26 events)
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe VolumeInformation (2 events)
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42562 VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42562 VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe VolumeInformation (5 events)
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42562\base_library.zip VolumeInformation (3 events)
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42562\base_library.zip VolumeInformation (2 events)
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe VolumeInformation (3 events)
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42562 VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42562\_bz2.pyd VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe VolumeInformation (2 events)
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42562\base_library.zip VolumeInformation (2 events)
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe VolumeInformation (2 events)
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42562\base_library.zip VolumeInformation (2 events)
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42562 VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe VolumeInformation (2 events)
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Code function: 2_2_00007FFD93F14ABC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 2_2_00007FFD93F14ABC
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.20494.7181.exe Code function: 0_2_00007DF433E11F00 GetUserNameA, 0_2_00007DF433E11F00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid