Loading ...

Play interactive tourEdit tour

Windows Analysis Report 45I8GbQlUj

Overview

General Information

Sample Name:45I8GbQlUj (renamed file extension from none to exe)
Analysis ID:553487
MD5:1b1e4286625bb189a526e910f2031c7b
SHA1:650c0550f12c65d9841d10ab589ff39261018957
SHA256:c9d7cb68dec80469c3c03b0e90c7af1972462ca7779424db3bfd9d44aebaa624
Tags:32exe
Infos:

Most interesting Screenshot:

Detection

Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for dropped file
Machine Learning detection for sample
.NET source code contains potential unpacker
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Drops PE files with benign system names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Internet Provider seen in connection with other malware
Stores large binary data to the registry
Stores files to the Windows start menu directory
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware

Classification

Process Tree

  • System is w10x64
  • 45I8GbQlUj.exe (PID: 6100 cmdline: "C:\Users\user\Desktop\45I8GbQlUj.exe" MD5: 1B1E4286625BB189A526E910F2031C7B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

barindex
Multi AV Scanner detection for submitted fileShow sources
Source: 45I8GbQlUj.exeVirustotal: Detection: 24%Perma Link
Source: 45I8GbQlUj.exeReversingLabs: Detection: 20%
Multi AV Scanner detection for dropped fileShow sources
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\svchost.exeVirustotal: Detection: 24%Perma Link
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\svchost.exeReversingLabs: Detection: 20%
Machine Learning detection for sampleShow sources
Source: 45I8GbQlUj.exeJoe Sandbox ML: detected
Machine Learning detection for dropped fileShow sources
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\svchost.exeJoe Sandbox ML: detected
Source: 45I8GbQlUj.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
Source: TrafficSnort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.4:49760 -> 74.201.28.62:80
Source: Joe Sandbox ViewASN Name: DEDIPATH-LLCUS DEDIPATH-LLCUS
Source: global trafficHTTP traffic detected: GET /book/KB5009812.png HTTP/1.1Host: 74.201.28.62Connection: Keep-Alive
Source: global trafficTCP traffic: 192.168.2.4:49800 -> 74.201.28.62:5586
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: unknownTCP traffic detected without corresponding DNS query: 74.201.28.62
Source: 45I8GbQlUj.exe, svchost.exe.0.drString found in binary or memory: http://74.201.28.62/book/KB5009812.png
Source: global trafficHTTP traffic detected: GET /book/KB5009812.png HTTP/1.1Host: 74.201.28.62Connection: Keep-Alive
Source: 45I8GbQlUj.exe, 00000000.00000003.774232886.000000001B822000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameKB5009812.exe. vs 45I8GbQlUj.exe
Source: 45I8GbQlUj.exe, 00000000.00000000.650035857.0000000000452000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameKB5009812.exe. vs 45I8GbQlUj.exe
Source: 45I8GbQlUj.exe, 00000000.00000003.774253369.000000001B829000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameKB5009812.exe. vs 45I8GbQlUj.exe
Source: 45I8GbQlUj.exeBinary or memory string: OriginalFilenameKB5009812.exe. vs 45I8GbQlUj.exe
Source: 45I8GbQlUj.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: svchost.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\svchost.exe C9D7CB68DEC80469C3C03B0E90C7AF1972462CA7779424DB3BFD9D44AEBAA624
Source: 45I8GbQlUj.exeVirustotal: Detection: 24%
Source: 45I8GbQlUj.exeReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\45I8GbQlUj.exeFile read: C:\Users\user\Desktop\45I8GbQlUj.exeJump to behavior
Source: 45I8GbQlUj.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\45I8GbQlUj.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\45I8GbQlUj.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\45I8GbQlUj.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\svchost.exeJump to behavior
Source: classification engineClassification label: mal92.evad.winEXE@1/2@0/1
Source: C:\Users\user\Desktop\45I8GbQlUj.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeMutant created: \Sessions\1\BaseNamedObjects\EBA27E1D48D738BA9535923048CE6DEA
Source: C:\Users\user\Desktop\45I8GbQlUj.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: 45I8GbQlUj.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 45I8GbQlUj.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: 45I8GbQlUj.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

barindex
.NET source code contains potential unpackerShow sources
Source: 45I8GbQlUj.exe, CoreApi.cs.Net Code: Start System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: svchost.exe.0.dr, CoreApi.cs.Net Code: Start System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.45I8GbQlUj.exe.450000.0.unpack, CoreApi.cs.Net Code: Start System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 45I8GbQlUj.exeStatic PE information: 0x964C769C [Sat Nov 27 02:38:20 2049 UTC]

Persistence and Installation Behavior:

barindex
Drops PE files with benign system namesShow sources
Source: C:\Users\user\Desktop\45I8GbQlUj.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\svchost.exeJump to dropped file
Source: C:\Users\user\Desktop\45I8GbQlUj.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\svchost.exeJump to dropped file

Boot Survival:

barindex
Creates an undocumented autostart registry key Show sources
Source: C:\Users\user\Desktop\45I8GbQlUj.exeKey value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders StartupJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\svchost.exeJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\svchost.exe\:Zone.Identifier:$DATAJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeKey value created or modified: HKEY_CURRENT_USER\Software\EBA27E1D48D738BA9535923048CE6DEA PluginJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

barindex
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)Show sources
Source: C:\Users\user\Desktop\45I8GbQlUj.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
Source: C:\Users\user\Desktop\45I8GbQlUj.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\45I8GbQlUj.exe TID: 4600Thread sleep time: -35000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe TID: 6508Thread sleep time: -20291418481080494s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe TID: 6508Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exe TID: 4600Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeWindow / User API: threadDelayed 2504Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeWindow / User API: threadDelayed 7303Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\45I8GbQlUj.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeThread delayed: delay time: 30000Jump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: 45I8GbQlUj.exe, 00000000.00000003.662613955.0000000000A90000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeMemory allocated: page read and write | page guardJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeQueries volume information: C:\Users\user\Desktop\45I8GbQlUj.exe VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
Source: C:\Users\user\Desktop\45I8GbQlUj.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsWindows Management Instrumentation221Registry Run Keys / Startup Folder11Registry Run Keys / Startup Folder11Masquerading11OS Credential DumpingSecurity Software Discovery221Remote ServicesData from Local SystemExfiltration Over Other Network MediumNon-Standard Port1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsModify Registry1LSASS MemoryProcess Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothIngress Tool Transfer1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Disable or Modify Tools1Security Account ManagerVirtualization/Sandbox Evasion131SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Virtualization/Sandbox Evasion131NTDSApplication Window Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol1SIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware Packing1LSA SecretsSystem Information Discovery213SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
Replication Through Removable MediaLaunchdRc.commonRc.commonTimestomp1Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features

Behavior Graph

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.