Windows Analysis Report
SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe
Analysis ID: 1417479
MD5: 62cc4fb86ff7b21f0bbbf6d3d071327a
SHA1: 6980ca3dcf259e854c5238989a6f2c8c6b29c495
SHA256: e8c4907eb16a6ce2868d817679746a43aa8b7b0413a3c7fd32787f2271115dcc
Tags: exe

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Contains functionality for reading data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: https://reddemon.xyz/loader/build/loader.exe Avira URL Cloud: Label: malware
Source: https://reddemon.xyz/loader/build/loader.exe Virustotal: Detection: 12%
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe ReversingLabs: Detection: 47%
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Virustotal: Detection: 54%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Code function: 0_2_00007FF7E6934E40 CryptUnprotectMemory,GetLastError,_CxxThrowException, 0_2_00007FF7E6934E40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Code function: 0_2_00007FF7E69395E0 memset,BCryptCreateHash,BCryptHashData,BCryptFinishHash,BCryptDestroyHash,BCryptCloseAlgorithmProvider,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF7E69395E0
Source: unknown HTTPS traffic detected: 172.67.145.129:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Code function: 0_2_00007FF7E6894950 memcpy,FindFirstFileA,FindNextFileA,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task, 0_2_00007FF7E6894950
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: Joe Sandbox View IP Address: 172.67.145.129 172.67.145.129
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /vbo6v9uk/raw HTTP/1.1 | Connection: Keep-Alive | User-Agent: cpprestsdk/2.10.18 | Host: rentry.co
Source: unknown DNS traffic detected: queries for: rentry.co
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.0.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe, 00000000.00000003.1641603855.00000171B2BA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e2ce930
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe String found in binary or memory: http://fontello.com
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe String found in binary or memory: http://fontello.comGenerated
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe String found in binary or memory: http://scripts.sil.org/OFLInterMediumWeightSlant
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe String found in binary or memory: http://scripts.sil.org/OFLInterSemiBoldWeightSlant
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe, 00000000.00000002.2834643794.00000171B58DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe String found in binary or memory: https://access.chairfbi.com/loader/key_check?key=%s&token=%s
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe String found in binary or memory: https://access.chairfbi.com/loader/key_check?key=%s&token=%sErrorError
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe String found in binary or memory: https://access.chairfbi.com/loader/url/NoUi
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe String found in binary or memory: https://access.chairfbi.com/loader/url/NoUiFailed
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe String found in binary or memory: https://access.chairfbi.com/loader/version/NoUi
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe String found in binary or memory: https://access.chairfbi.com/loader/version/NoUi%s
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe String found in binary or memory: https://github.com/rsms/inter)Inter
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe String found in binary or memory: https://reddemon.xyz/loader/build/loader.exe
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe String found in binary or memory: https://rentry.co/vbo6v9uk/raw
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe String found in binary or memory: https://rentry.co/vbo6v9uk/raw7.6%s.exehttps://reddemon.xyz/loader/build/loader.exeFailed
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe, 00000000.00000003.1641135007.00000171B0CFE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe, 00000000.00000003.1641525134.00000171B0CFC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rentry.co:443/vbo6v9uk/raw
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Code function: 0_2_00007FF7E68A4520 OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,CloseClipboard, 0_2_00007FF7E68A4520
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Code function: 0_2_00007FF7E68B0430 OpenClipboard,MultiByteToWideChar,GlobalAlloc,GlobalLock,MultiByteToWideChar,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,CloseClipboard, 0_2_00007FF7E68B0430
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Code function: 0_2_00007FF7E68C7930 GetClientRect,QueryPerformanceCounter,GetForegroundWindow,ClientToScreen,SetCursorPos,GetCursorPos,ScreenToClient,GetKeyState,GetKeyState,GetKeyState,GetKeyState, 0_2_00007FF7E68C7930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Code function: 0_2_00007FF7E68C88DA GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState, 0_2_00007FF7E68C88DA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Code function: String function: 00007FF7E6913DD0 appears 146 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Code function: String function: 00007FF7E68F1F10 appears 59 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: concrt140.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: d3dcompiler_47.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: cryptnet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: xinput1_4.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: inputhost.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: classification engine Classification label: mal64.evad.winEXE@4/7@1/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Code function: 0_2_00007FF7E6894350 LookupPrivilegeValueA,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle, 0_2_00007FF7E6894350
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe File created: C:\Users\user\Desktop\imgui.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6952:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_au2lub3q.21i.ps1
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe ReversingLabs: Detection: 47%
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Virustotal: Detection: 54%
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe String found in binary or memory: https://access.chairfbi.com/loader/key_check?key=%s&token=%s
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe String found in binary or memory: https://access.chairfbi.com/loader/version/NoUi
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe String found in binary or memory: https://access.chairfbi.com/loader/url/NoUi
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe String found in binary or memory: SpooferDiskTypeSpooferDiskSpooferMoboSpooferBootSpooferMACSpooferMonitorSpooferGPUhttps://access.chairfbi.com/loader/key_check?key=%s&token=%sErrorError not handledcodeinvalid_credentialsInvalid credentialsnot_allowedYou're not authorized to useexpires_incheatstorenamelogomenu_colorinclude_spooferactivedayhourminuteExpires in %.0f day(s), %.0f hour(s), %.0f minute(s)Expires in %.0f d %.0f h %.0f mCheat is under maintence%s\laddon.exe%s\%shttps://access.chairfbi.com/loader/version/NoUi%s\%s-laddon.exe%s-laddon.exehttps://access.chairfbi.com/loader/url/NoUiFailed to download loader addon
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe String found in binary or memory: https://reddemon.xyz/loader/build/loader.exe
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe String found in binary or memory: oldloader.txt%s/%shttps://rentry.co/vbo6v9uk/raw7.6%s.exehttps://reddemon.xyz/loader/build/loader.exeFailed to download new version!Failed to open new version: %s/%s
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /C Get-Service -Name WpnUserService* | Restart-Service -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /C Get-Service -Name WpnUserService* | Restart-Service -Force
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe File written: C:\Users\user\Desktop\imgui.ini
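The following is an added hunting example written for this page; it is not part of the sandbox report and not code from the sample. It turns three behaviours the report records (the desktop binary spawning powershell.exe to restart WpnUserService, the loader hosts visible in the string dump, and the Win32_BIOS WMI query issued from the conhost.exe child) into rules and runs them over constructed Sysmon-style events that mirror the report's process tree plus a benign control. The event field names (EventType, ProcessId, ParentProcessId, Image, CommandLine, QueryName, WmiQuery) are assumptions chosen for the example, not a fixed log schema.

```python
"""Added hunting example, not part of the sandbox report or the sample's code.

Rules implemented:
  1. a binary outside the system directories spawning powershell.exe with a
     Restart-Service pipeline aimed at WpnUserService*;
  2. a DNS lookup for a host taken from the sample's string dump;
  3. a WMI Win32_BIOS / Win32_BaseBoard query anywhere under a user-launched tree.
Field names are assumptions chosen for this example, not a fixed log schema.
"""
import re

# Copied from the report's "String found in binary or memory" evidence. The sandbox
# prints adjacent string literals run together, so only scheme + host is a reliable
# IOC; the path tail may already belong to the next literal.
STRING_BLOBS = [
    "SpooferMonitorSpooferGPUhttps://access.chairfbi.com/loader/key_check?key=%s&token=%sErrorError not handled",
    "%s\\laddon.exe%s\\%shttps://access.chairfbi.com/loader/version/NoUi%s\\%s-laddon.exe",
    "oldloader.txt%s/%shttps://rentry.co/vbo6v9uk/raw7.6%s.exehttps://reddemon.xyz/loader/build/loader.exeFailed to download new version!",
]
URL_HOST = re.compile(r"https?://([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SERVICE_RESTART = re.compile(r"restart-service", re.I)
VM_CHECK_CLASSES = ("win32_bios", "win32_baseboard")


def extract_hosts(blobs):
    """Return the lower-cased hostnames that follow http(s):// in the string dump."""
    return {h.lower() for blob in blobs for h in URL_HOST.findall(blob)}


def _ancestor_images(pid, procs):
    """Follow ParentProcessId links upwards; returns lower-cased ancestor image paths."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        parent = procs[pid]["ParentProcessId"]
        if parent not in procs:
            break
        chain.append(procs[parent]["Image"].lower())
        pid = parent
    return chain


def hunt(events, ioc_hosts):
    """Evaluate the three rules; returns (rule_name, ProcessId) tuples in event order."""
    procs = {e["ProcessId"]: e for e in events if e["EventType"] == "ProcessCreate"}
    hits = []
    for e in events:
        pid, image = e["ProcessId"], e.get("Image", "").lower()
        if e["EventType"] == "ProcessCreate":
            parent = procs.get(e["ParentProcessId"])
            cmd = e["CommandLine"].lower()
            if (image.endswith("\\powershell.exe") and parent is not None
                    and not parent["Image"].lower().startswith(SYSTEM_DIRS)
                    and SERVICE_RESTART.search(cmd) and "wpnuserservice" in cmd):
                hits.append(("user_binary_restarts_wpnuserservice", pid))
        elif e["EventType"] == "DnsQuery" and e["QueryName"].lower() in ioc_hosts:
            hits.append(("dns_to_loader_host", pid))
        elif e["EventType"] == "WmiQuery":
            query = e["WmiQuery"].lower()
            tree = [image] + _ancestor_images(pid, procs)
            if any(c in query for c in VM_CHECK_CLASSES) and not all(
                    p.startswith(SYSTEM_DIRS) for p in tree):
                hits.append(("vm_fingerprint_wmi_under_user_tree", pid))
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = r"C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe"

# Constructed events: the first five mirror the report's process tree, the last two are a
# benign control (an administrator restarting the same service from an explorer-launched shell).
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "ProcessId": 100, "ParentProcessId": 1,
     "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"'},
    {"EventType": "ProcessCreate", "ProcessId": 200, "ParentProcessId": 100, "Image": PS,
     "CommandLine": f'"{PS}" /C Get-Service -Name WpnUserService* | Restart-Service -Force'},
    {"EventType": "ProcessCreate", "ProcessId": 300, "ParentProcessId": 200,
     "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"EventType": "WmiQuery", "ProcessId": 300, "Image": r"C:\Windows\System32\conhost.exe",
     "WmiQuery": r"IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS"},
    {"EventType": "DnsQuery", "ProcessId": 100, "Image": SAMPLE, "QueryName": "access.chairfbi.com"},
    {"EventType": "ProcessCreate", "ProcessId": 400, "ParentProcessId": 1,
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"EventType": "ProcessCreate", "ProcessId": 401, "ParentProcessId": 400, "Image": PS,
     "CommandLine": "powershell.exe Restart-Service -Name WpnUserService* -Force"},
]

if __name__ == "__main__":
    for rule, pid in hunt(SAMPLE_EVENTS, extract_hosts(STRING_BLOBS)):
        print(f"{rule}: pid {pid}")
```

The parent-image check is what separates the report's tree from the control: the same Restart-Service command line launched from explorer.exe produces no hit, while the WMI rule walks the ancestry so a Win32_BIOS query issued by a system binary (conhost.exe here) is still attributed to the user-launched root. Host extraction deliberately stops at the first slash because the run-together string dump makes everything after the host unreliable.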
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Static file information: File size 1974272 > 1048576
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Code function: 0_2_00007FF7E68C77A0 QueryPerformanceFrequency,QueryPerformanceCounter,LoadLibraryA,GetProcAddress,GetProcAddress, 0_2_00007FF7E68C77A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Code function: 0_2_00007FF7E6908062 push rax; ret 0_2_00007FF7E6908064
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (70 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Window / User API: foregroundWindowGot 1773
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3928
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3241
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe API coverage: 5.6 %
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe TID: 6856 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3168 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5728 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS (2 occurrences)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Code function: 0_2_00007FF7E6894950 memcpy,FindFirstFileA,FindNextFileA,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task, 0_2_00007FF7E6894950
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe, 00000000.00000002.2833381842.00000171B0CAD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWdWndClass
Source: SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe, 00000000.00000003.1641279587.00000171B0D2F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe, 00000000.00000002.2833702692.00000171B0D34000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe, 00000000.00000003.1641664204.00000171B0D2F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe, 00000000.00000003.1641084485.00000171B0D2F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Code function: 0_2_00007FF7E6912E90 memset,GetLastError,IsDebuggerPresent,OutputDebugStringW, 0_2_00007FF7E6912E90 (2 occurrences)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Code function: 0_2_00007FF7E68C77A0 QueryPerformanceFrequency,QueryPerformanceCounter,LoadLibraryA,GetProcAddress,GetProcAddress, 0_2_00007FF7E68C77A0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Code function: 0_2_00007FF7E6912C90 SetUnhandledExceptionFilter, 0_2_00007FF7E6912C90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Code function: 0_2_00007FF7E6912AB0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7E6912AB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Code function: 0_2_00007FF7E694B450 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF7E694B450
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Code function: 0_2_00007FF7E6894780 ShellExecuteExA,WaitForSingleObject,CloseHandle,_invalid_parameter_noinfo_noreturn, 0_2_00007FF7E6894780
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /C Get-Service -Name WpnUserService* | Restart-Service -Force
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Code function: GetLocaleInfoEx,FormatMessageA, 0_2_00007FF7E694B228
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation (3 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (3 occurrences)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Code function: 0_2_00007FF7E6912CFC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF7E6912CFC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exe Code function: 0_2_00007FF7E6894DF0 GetUserNameW,memcpy,memcpy,_invalid_parameter_noinfo_noreturn,memcpy,memcpy,memcpy,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF7E6894DF0