Edit tour

Windows Analysis Report
SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe
Analysis ID:	1632382
MD5:	5baff22318ad7ceee337d63ca6d6a3af
SHA1:	9a4b56b11097da29d194f665974353880cd71df8
SHA256:	e415a56982e74d76e039f90d2c946115d892c8b264ebb07f93232e981a74f7c2
Tags:	exeuser-SecuriteInfoCom
Infos:

Detection

Score:	96
Range:	0 - 100
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Adds a directory exclusion to Windows Defender

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Installs new ROOT certificates

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Suspicious powershell command line found

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains long sleeps (>= 3 min)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Powershell Defender Exclusion

Stores large binary data to the registry

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe (PID: 6732 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe" MD5: 5BAFF22318AD7CEEE337D63CA6D6A3AF)

conhost.exe (PID: 6760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7148 cmdline: powershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\runtime'" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 4276 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 3012 cmdline: schtasks.exe /create /tn "COM Surrogate Task" /tr "C:\Program Files\runtime\COM Surrogate.exe" /sc onlogon /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 2708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

COM Surrogate.exe (PID: 6348 cmdline: "C:\Program Files\runtime\COM Surrogate.exe" MD5: D8B16BCAB478B23BD67790745BC39575)

COM Surrogate.exe (PID: 6964 cmdline: "C:\Program Files\runtime\COM Surrogate.exe" MD5: D8B16BCAB478B23BD67790745BC39575)

svchost.exe (PID: 6468 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\runtime'", CommandLine: powershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\runtime'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe, ParentProcessId: 6732, ParentProcessName: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe, ProcessCommandLine: powershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\runtime'", ProcessId: 7148, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\runtime'", CommandLine: powershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\runtime'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe, ParentProcessId: 6732, ParentProcessName: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe, ProcessCommandLine: powershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\runtime'", ProcessId: 7148, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 628, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6468, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE Win32/TeleGrab Style IP Check

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T23:06:19.893579+0100	2830898	1	A Network Trojan was detected	192.168.2.8	49684	34.252.5.78	443	TCP
2025-03-07T23:06:21.794943+0100	2830898	1	A Network Trojan was detected	192.168.2.8	49685	34.252.5.78	443	TCP
2025-03-07T23:06:22.687287+0100	2830898	1	A Network Trojan was detected	192.168.2.8	49686	34.252.5.78	443	TCP
2025-03-07T23:06:24.710452+0100	2830898	1	A Network Trojan was detected	192.168.2.8	49687	34.252.5.78	443	TCP
2025-03-07T23:06:25.455875+0100	2830898	1	A Network Trojan was detected	192.168.2.8	49688	34.252.5.78	443	TCP
2025-03-07T23:06:27.537404+0100	2830898	1	A Network Trojan was detected	192.168.2.8	49689	34.252.5.78	443	TCP
2025-03-07T23:06:35.067726+0100	2830898	1	A Network Trojan was detected	192.168.2.8	49692	34.252.5.78	443	TCP
2025-03-07T23:06:36.242608+0100	2830898	1	A Network Trojan was detected	192.168.2.8	49693	34.252.5.78	443	TCP
2025-03-07T23:06:37.942069+0100	2830898	1	A Network Trojan was detected	192.168.2.8	49694	34.252.5.78	443	TCP
2025-03-07T23:06:39.104878+0100	2830898	1	A Network Trojan was detected	192.168.2.8	49695	34.252.5.78	443	TCP
2025-03-07T23:06:40.834615+0100	2830898	1	A Network Trojan was detected	192.168.2.8	49696	34.252.5.78	443	TCP
2025-03-07T23:06:41.982105+0100	2830898	1	A Network Trojan was detected	192.168.2.8	49699	34.252.5.78	443	TCP
2025-03-07T23:06:49.715480+0100	2830898	1	A Network Trojan was detected	192.168.2.8	49705	34.252.5.78	443	TCP
2025-03-07T23:06:51.160176+0100	2830898	1	A Network Trojan was detected	192.168.2.8	49706	34.252.5.78	443	TCP
2025-03-07T23:06:52.563706+0100	2830898	1	A Network Trojan was detected	192.168.2.8	49707	34.252.5.78	443	TCP
2025-03-07T23:06:53.931733+0100	2830898	1	A Network Trojan was detected	192.168.2.8	49708	34.252.5.78	443	TCP
2025-03-07T23:06:55.469450+0100	2830898	1	A Network Trojan was detected	192.168.2.8	49709	34.252.5.78	443	TCP
2025-03-07T23:06:57.004273+0100	2830898	1	A Network Trojan was detected	192.168.2.8	49710	34.252.5.78	443	TCP
2025-03-07T23:07:04.806005+0100	2830898	1	A Network Trojan was detected	192.168.2.8	49711	34.248.109.211	443	TCP
2025-03-07T23:07:06.127740+0100	2830898	1	A Network Trojan was detected	192.168.2.8	49712	34.248.109.211	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Program Files\runtime\COM Surrogate.exe

ReversingLabs: Detection: 28%

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	Virustotal: Detection: 25%			Perma Link
Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	ReversingLabs: Detection: 15%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe

Code function: 0_2_00007FF616321E00 _time64,srand,memset,printf,__acrt_iob_func,fgets,printf,printf,printf,BCryptGenRandom,BCryptGenRandom,free,printf,printf,memset,GetModuleFileNameA,rand,printf,getchar,getchar,malloc,strcpy_s,fopen_s,fwrite,fwrite,rand,malloc,BCryptGenRandom,free,fclose,free,free,free,fwrite,free,fwrite,fclose,free,free,printf,CreateFileA,GetSystemTime,SystemTimeToFileTime,SetFileTime,CloseHandle,free,printf,system,free,free,free,GetConsoleWindow,GetWindowLongW,SetWindowLongW,ShowWindow,CreateProcessA,WaitForSingleObject,CloseHandle,CloseHandle,SleepEx,memset,GetModuleFileNameA,fopen_s,fseek,ftell,fseek,fread,fclose,malloc,fseek,fread,free,fclose,fclose,free,memset,GetEnvironmentVariableA,strcat_s,CreateDirectoryA,memset,fopen_s,printf,free,fwrite,fclose,free,memset,CreateProcessA,WaitForSingleObject,CloseHandle,CloseHandle,CreateProcessA,WaitForSingleObject,CloseHandle,CloseHandle,DeleteFileA,

0_2_00007FF616321E00

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	Directory created: C:\Program Files\runtime			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	Directory created: C:\Program Files\runtime\COM Surrogate.exe			Jump to behavior

Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\q\Desktop\HAZARD\P3\bigDawg - Copy\x64\Release\bigDawg.pdb source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.8:49696 -> 34.252.5.78:443
Source: Network traffic	Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.8:49712 -> 34.248.109.211:443
Source: Network traffic	Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.8:49709 -> 34.252.5.78:443
Source: Network traffic	Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.8:49687 -> 34.252.5.78:443
Source: Network traffic	Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.8:49706 -> 34.252.5.78:443
Source: Network traffic	Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.8:49692 -> 34.252.5.78:443
Source: Network traffic	Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.8:49685 -> 34.252.5.78:443
Source: Network traffic	Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.8:49710 -> 34.252.5.78:443
Source: Network traffic	Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.8:49693 -> 34.252.5.78:443
Source: Network traffic	Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.8:49689 -> 34.252.5.78:443
Source: Network traffic	Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.8:49708 -> 34.252.5.78:443
Source: Network traffic	Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.8:49688 -> 34.252.5.78:443
Source: Network traffic	Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.8:49686 -> 34.252.5.78:443
Source: Network traffic	Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.8:49684 -> 34.252.5.78:443
Source: Network traffic	Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.8:49707 -> 34.252.5.78:443
Source: Network traffic	Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.8:49705 -> 34.252.5.78:443
Source: Network traffic	Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.8:49699 -> 34.252.5.78:443
Source: Network traffic	Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.8:49711 -> 34.248.109.211:443
Source: Network traffic	Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.8:49695 -> 34.252.5.78:443
Source: Network traffic	Suricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.8:49694 -> 34.252.5.78:443

Source: global traffic

TCP traffic: 192.168.2.8:49682 -> 94.156.227.9:8008

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: Joe Sandbox View

ASN Name: AMAZON-02US AMAZON-02US

Source: unknown	DNS query: name: checkip.amazonaws.com
Source: unknown	DNS query: name: ip-api.com
Source: unknown	DNS query: name: checkip.amazonaws.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: checkip.amazonaws.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: checkip.amazonaws.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: checkip.amazonaws.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: checkip.amazonaws.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: checkip.amazonaws.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: checkip.amazonaws.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: checkip.amazonaws.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: checkip.amazonaws.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: checkip.amazonaws.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: checkip.amazonaws.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: checkip.amazonaws.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: checkip.amazonaws.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: checkip.amazonaws.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: checkip.amazonaws.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: checkip.amazonaws.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: checkip.amazonaws.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: checkip.amazonaws.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: checkip.amazonaws.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: checkip.amazonaws.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: checkip.amazonaws.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /line/172.58.121.183?fields=country HTTP/1.1Host: ip-api.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /line/172.58.121.183?fields=country HTTP/1.1Host: ip-api.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /line/172.58.121.183?fields=country HTTP/1.1Host: ip-api.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /line/172.58.121.183?fields=country HTTP/1.1Host: ip-api.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /line/172.58.121.183?fields=country HTTP/1.1Host: ip-api.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /line/172.58.121.183?fields=country HTTP/1.1Host: ip-api.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip

Source: global traffic	DNS traffic detected: DNS query: wheretopulse.in
Source: global traffic	DNS traffic detected: DNS query: checkip.amazonaws.com
Source: global traffic	DNS traffic detected: DNS query: ip-api.com

Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe, 00000000.00000003.975322414.0000024E5DC9C000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 00000008.00000000.976798226.000000000052D000.00000002.00000001.01000000.00000004.sdmp, COM Surrogate.exe, 00000009.00000000.979188331.000000000052D000.00000002.00000001.01000000.00000004.sdmp, COM Surrogate.exe.0.dr	String found in binary or memory: http://FirefoxUnknown1.1.1.1TuesdayJanuaryOctoberMUI_StdMUI_DltUpgradeupgradeCONNECT19531259765625SH
Source: COM Surrogate.exe, 00000008.00000003.1378408649.0000015400669000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 00000008.00000003.1378269847.0000015400669000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 00000008.00000003.1440234512.0000015400669000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: svchost.exe, 0000000A.00000002.2124806985.000001C76B287000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: qmgr.db.10.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.10.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.10.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.10.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.10.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.10.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.10.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: COM Surrogate.exe, 00000008.00000002.1496510346.000000C000310000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 00000008.00000002.1495727303.000000C000218000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 00000009.00000002.1584298034.000000C00000E000.00000004.00001000.00020000.00000000.sdmp, COM Surrogate.exe, 00000009.00000002.1584298034.000000C0000C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/172.58.121.183?fields=country
Source: COM Surrogate.exe, 00000008.00000002.1494023828.000000C000010000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/172.58.121.183?fields=countryUser-Agent:
Source: COM Surrogate.exe, 00000009.00000002.1584298034.000000C0000C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/172.58.121.183?fields=countryWbemScripting.SWbemLocatorSELECT
Source: COM Surrogate.exe, 00000009.00000002.1584298034.000000C0000C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/172.58.121.183?fields=countryWbemScripting.SWbemLocatorq
Source: COM Surrogate.exe, 00000008.00000002.1495727303.000000C000218000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/172.58.121.183?fields=countryread
Source: COM Surrogate.exe, 00000009.00000002.1584298034.000000C000124000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://checkip.amazonaws.com/
Source: COM Surrogate.exe.0.dr	String found in binary or memory: https://checkip.amazonaws.com/Eastern
Source: edb.log.10.dr, qmgr.db.10.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 0000000A.00000003.1203209421.000001C76B000000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr, qmgr.db.10.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2/C:

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	Code function: 0_2_00007FF616321E00		0_2_00007FF616321E00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	Code function: 0_2_00007FF6163210D0		0_2_00007FF6163210D0

Source: classification engine

Classification label: mal96.evad.winEXE@13/10@4/5

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe

File created: C:\Program Files\runtime

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6760:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7128:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2708:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pprwb345.wbw.ps1

Jump to behavior

Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: COM Surrogate.exe, 00000009.00000002.1586145871.000000C00024A000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: SELECT * FROM AntiVirusProductzc;\

Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	Virustotal: Detection: 25%
Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	ReversingLabs: Detection: 15%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\runtime'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "COM Surrogate Task" /tr "C:\Program Files\runtime\COM Surrogate.exe" /sc onlogon /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	Process created: C:\Program Files\runtime\COM Surrogate.exe "C:\Program Files\runtime\COM Surrogate.exe"
Source: unknown	Process created: C:\Program Files\runtime\COM Surrogate.exe "C:\Program Files\runtime\COM Surrogate.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\runtime'"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "COM Surrogate Task" /tr "C:\Program Files\runtime\COM Surrogate.exe" /sc onlogon /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	Process created: C:\Program Files\runtime\COM Surrogate.exe "C:\Program Files\runtime\COM Surrogate.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior

Source: C:\Program Files\runtime\COM Surrogate.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	Directory created: C:\Program Files\runtime			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	Directory created: C:\Program Files\runtime\COM Surrogate.exe			Jump to behavior

Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe

Static file information: File size 6322961 > 1048576

Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Users\q\Desktop\HAZARD\P3\bigDawg - Copy\x64\Release\bigDawg.pdb source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe

Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Suspicious powershell command line found

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\runtime'"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\runtime'"			Jump to behavior

Source: COM Surrogate.exe.0.dr	Static PE information: section name: .xdata
Source: COM Surrogate.exe.0.dr	Static PE information: section name: .symtab

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Program Files\runtime\COM Surrogate.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe

File created: C:\Program Files\runtime\COM Surrogate.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "COM Surrogate Task" /tr "C:\Program Files\runtime\COM Surrogate.exe" /sc onlogon /rl HIGHEST /f

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Program Files\runtime\COM Surrogate.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\runtime\COM Surrogate.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5874			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3903			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4548	Thread sleep count: 5874 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4548	Thread sleep count: 3903 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1560	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2752	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Program Files\runtime\COM Surrogate.exe

File opened: PHYSICALDRIVE0

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	Binary or memory string: VMware
Source: svchost.exe, 0000000A.00000002.2124770368.000001C76B256000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.2123723562.000001C765C2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: COM Surrogate.exe, 00000008.00000002.1496696417.000001540060C000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 00000009.00000002.1587186922.0000012A0110D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	Binary or memory string: HARDWARE\DESCRIPTION\SystemSystemManufacturerSystemProductNameVMwareVirtualBoxVirtual Machinerb[Error] Could not open file: %s

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe

Code function: 0_2_00007FF6163210D0 IsDebuggerPresent,GetCurrentProcess,CheckRemoteDebuggerPresent,QueryPerformanceFrequency,QueryPerformanceCounter,SleepEx,QueryPerformanceCounter,memset,memset,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,strstr,strstr,strstr,strstr,RegCloseKey,

0_2_00007FF6163210D0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe

0_2_00007FF6163210D0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	Code function: 0_2_00007FF616323294 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF616323294
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	Code function: 0_2_00007FF616322A20 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF616322A20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	Code function: 0_2_00007FF616323438 SetUnhandledExceptionFilter,	0_2_00007FF616323438

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\runtime'"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\runtime'"			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe

Code function: 0_2_00007FF6163210D0 cpuid

0_2_00007FF6163210D0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe

0_2_00007FF616321E00

Source: COM Surrogate.exe, 00000008.00000003.1440208776.00000154006A6000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 00000009.00000003.1155261067.0000012A011A7000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 00000009.00000003.1155446867.0000012A011AF000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 00000009.00000003.1155161401.0000012A011A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: s Defender\MsMpeng.exe
Source: COM Surrogate.exe, 00000008.00000003.1378408649.0000015400669000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 00000008.00000003.1378269847.0000015400669000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 00000009.00000003.1102660791.0000012A011A8000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 00000009.00000003.1102579432.0000012A011A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: iles%\Windows Defender\MsMpeng.exe
Source: COM Surrogate.exe, 00000009.00000003.1155261067.0000012A011A7000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 00000009.00000003.1155327749.0000012A011B6000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 00000009.00000003.1155161401.0000012A011A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AntiVirusProductWindows Defender{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}windowsdefender://%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: COM Surrogate.exe, 00000008.00000003.1440208776.00000154006A6000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 00000008.00000003.1492628414.00000154006AC000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 00000008.00000002.1497519995.0000015447709000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 00000008.00000003.991951286.0000015400642000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 00000008.00000003.1094431360.00000154006F2000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 00000008.00000003.1231786689.0000015400669000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 00000008.00000003.1378740621.00000154006B4000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 00000008.00000003.1094507929.00000154006F5000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 00000008.00000003.1378408649.0000015400669000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 00000008.00000003.1290242007.00000154006BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: COM Surrogate.exe, 00000008.00000003.1231510335.00000154006A7000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 00000008.00000003.1231718870.00000154006AA000.00000004.00000020.00020000.00000000.sdmp, COM Surrogate.exe, 00000008.00000003.1231431410.00000154006A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ACF46}windowsdefender://%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: COM Surrogate.exe, 00000008.00000003.1141344905.0000015447721000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ramFiles%\Windows Defender\MsMpeng.exe
Source: COM Surrogate.exe, 00000009.00000003.1454140157.0000012A011B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ws Defender\MsMpeng.exe

Source: C:\Program Files\runtime\COM Surrogate.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Program Files\runtime\COM Surrogate.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Program Files\runtime\COM Surrogate.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Program Files\runtime\COM Surrogate.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Program Files\runtime\COM Surrogate.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Program Files\runtime\COM Surrogate.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Program Files\runtime\COM Surrogate.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Program Files\runtime\COM Surrogate.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Program Files\runtime\COM Surrogate.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Program Files\runtime\COM Surrogate.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Program Files\runtime\COM Surrogate.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Program Files\runtime\COM Surrogate.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Program Files\runtime\COM Surrogate.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Program Files\runtime\COM Surrogate.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Scheduled Task/Job	1 Process Injection	12 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	251 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	1 DLL Side-Loading	1 Modify Registry	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	41 Virtualization/Sandbox Evasion	NTDS	41 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Install Root Certificate	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	32 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
SecuriteInfo.com.Win64.DropperX-gen.32756.21147.exe